I have a VPS where I have successfully set up a VPN. I connect with the OpenVPN client. The VPN server interface is 10.8.0.1 and the client receives a 10.8.0.? IP. I am able to ping 10.8.0.1. I also seem to be able to telnet to 10.8.0.1:80, 10.8.0.1:443, etc. (standard ports with working services on them), but not to 10.8.0.1:3306.
This is the VPN connection as printed by ifconfig:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:383 errors:0 dropped:0 overruns:0 frame:0
TX packets:358 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:29356 (28.6 KiB) TX bytes:149232 (145.7 KiB)
MySQL is not bound to any IP, so it receives connections from anywhere. I want to cut its visibility with iptables.
So I added these rules to iptables:
# allow connections from the vpn
iptables -A INPUT -s 10.8.0.0/24 -p tcp --dport 3306 -j ACCEPT
# allow local connections eg your scripts running locally
iptables -A INPUT -s 127.0.0.1 -p tcp --dport 3306 -j ACCEPT
# deny any other attempts of connecting to mysql
iptables -A INPUT -p tcp --dport 3306 -j DROP
Now I'm able to connect to 127.0.0.1 from the server itself. I'm not able to connect to the server by its public IP. And I'm not able to connect to it through 10.8.0.1 (the VPN IP).
This is my full IPTABLES:
[root@ddinvps mail]# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1723
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
icmp_packets all -- 0.0.0.0/0 0.0.0.0/0
tcp_packets all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 10.8.0.0/24 0.0.0.0/0 tcp dpt:3306
ACCEPT tcp -- 127.0.0.1 0.0.0.0/0 tcp dpt:3306
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain icmp_packets (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
DROP icmp -- 0.0.0.0/0 0.0.0.0/0
Chain tcp_packets (1 references)
target prot opt source destination
ACCEPT all -- 127.0.0.1 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:26
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 10.3.124.200 0.0.0.0/0 tcp dpt:9102
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
DROP tcp -- 0.0.0.0/0 0.0.0.0/0
DROP udp -- 0.0.0.0/0 0.0.0.0/0
Any ideas?
The packets are being filtered by the tcp_packets chain. This is because your iptables -A command has added the new rules to the end of the INPUT chain, and the filter works on first match wins. The easiest way to solve your problem is to add your rules to the beginning of the INPUT chain using the iptables -I command, e.g. etc., which will insert your new rules at the beginning of the chain.
It's obvious your tcp_packets chain drops traffic before it hits your rule.
Either add this rule at the beginning of the tcp_packets chain, or in the INPUT chain, but before the jump to tcp_packets.
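Both answers rest on the same point: a chain is walked top to bottom, the first terminating match wins, and a user chain that matches nothing returns to its caller. The model below is added here (it is not code from the question or either answer) and replays the posted INPUT and tcp_packets chains against a new TCP SYN, once with the 3306 rules appended as posted and once with them inserted at the head of INPUT. It assumes INPUT rule 2 is `-i lo` (iptables -L -n hides interface matches), and leaves out the RELATED,ESTABLISHED and icmp_packets rules, which never match a new TCP SYN; the 9102 rule is omitted too.

```python
import ipaddress

# Rule = (in_iface, proto, source_cidr, dport, target); None means "any".
# Constructed from the `iptables -L -n` listing in the question; INPUT rule 2 is
# ASSUMED to be `-i lo`, since -L -n does not print interface matches.

def rule_matches(rule, pkt):
    iface, proto, src, dport, _ = rule
    return (iface in (None, pkt["iface"]) and proto in (None, pkt["proto"])
            and dport in (None, pkt["dport"])
            and (src is None or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)))

def walk(chains, chain, pkt):
    """First match wins; a user chain that matches nothing returns to its caller."""
    for rule in chains[chain]:
        if not rule_matches(rule, pkt):
            continue
        target = rule[4]
        if target not in chains:          # ACCEPT / DROP: terminating verdict
            return target
        verdict = walk(chains, target, pkt)  # -j <user chain>
        if verdict is not None:
            return verdict                 # else we fell off its end: keep walking here
    return None

def verdict(chains, pkt, policy="DROP"):
    return walk(chains, "INPUT", pkt) or policy   # INPUT policy is DROP on the page

MYSQL_RULES = [                            # the three rules the questioner added
    (None, "tcp", "10.8.0.0/24", 3306, "ACCEPT"),
    (None, "tcp", "127.0.0.1/32", 3306, "ACCEPT"),
    (None, "tcp", None, 3306, "DROP"),
]

def chains_as_posted():
    """`iptables -A` appended the 3306 rules AFTER the jump into tcp_packets."""
    tcp_packets = [(None, None, "127.0.0.1/32", None, "ACCEPT")]
    tcp_packets += [(None, "tcp", None, p, "ACCEPT") for p in (22, 53, 25, 26, 80, 443, 143, 993, 110, 10000)]
    tcp_packets += [(None, "tcp", None, None, "DROP"), (None, "udp", None, None, "DROP")]
    head = [(None, "udp", None, 1723, "ACCEPT"), ("lo", None, None, None, "ACCEPT"),
            (None, None, None, None, "tcp_packets")]
    return {"INPUT": head + MYSQL_RULES, "tcp_packets": tcp_packets}

def chains_fixed():
    """Same rules, but placed at the head of INPUT (`iptables -I INPUT 1`, `2`, `3`)."""
    chains = chains_as_posted()
    chains["INPUT"] = MYSQL_RULES + chains["INPUT"][:3]
    return chains

VPN_CLIENT = {"iface": "tun0", "proto": "tcp", "src": "10.8.0.2", "dport": 3306}     # constructed
INTERNET = {"iface": "eth0", "proto": "tcp", "src": "203.0.113.5", "dport": 3306}   # constructed
```

As posted, both the VPN client and the Internet host reach the final `DROP tcp` inside tcp_packets before the appended ACCEPT is ever consulted; with the rules at the head of INPUT the VPN client is accepted and the Internet host is dropped while port 80 still falls through to tcp_packets as before. Note that `iptables -I INPUT` without a position number inserts at position 1 each time, so running the three commands in the order they were posted would put the DROP first and block everything; give explicit positions or issue them in reverse order.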