  1. #1
    Just Joined!
    Join Date
    Nov 2009
    Posts
    5

    IP Tables / MySQL


    Ok, I'm a little lost here and could use some help.

    Here's the situation - I have a website hosted on a VPS under CentOS. A part of the website connects to a remote MySQL database to retrieve information. Without iptables engaged it works fine. As soon as I turn on iptables I cannot connect to the remote server at all.

    Is there something I am missing as far as opening a port or range in iptables to allow that outbound connection to the remote database server to retrieve information? I have iptables set up to deny all incoming other than the allowed ports, which are currently 21, 25, 53, 80, 110 plus some non-standard ones: 30000 - 50000 for FTP passive connections, 6666 which is the CP, and 666 where I moved the SSH server. I even opened an incoming port of 3306 for MySQL even though I want to connect to a server at a remote location, and not someone connecting to a MySQL server on the machine in question.

    I'm sure it's something simple that needs to be open, but what? So far I'm taking a noobie approach and blocking blocks of ports until I find what's causing the issue. I'm up to port 10000 and still connecting, so for some reason the connection is somewhere between 10000 and 65535. Arrgh!

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    What do your present rules look like? Paste them here for us to see; then we might see what you are overlooking.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Nov 2009
    Posts
    5
    Right now my rules are a mess because all of a sudden someone found a hole in HyperVM and was having their way with my server, so I locked down almost everything I could using iptables. I left open only needed ports - 21, 25, 53, 80, 110, 443, 5555 (control panel) and 8887 (Kloxo). I then proceeded to lock down groups of ports starting at 10000-20000 and so forth. What I found is that when I closed out 10000 - 65535 I could not connect to the remote database that is on a separate server. I wiped out iptables, started over, and when I hit around the 30000 - 40000+ range I again lost the connection.

    Mind you, this is PHP making an outbound connection to a remote database, pulling the needed data and then outputting the page. Seemingly my issue isn't MySQL itself but the outbound/inbound PHP connection to port 3306 (which apparently isn't going in or out on that port) on the remote box. Hopefully I'm explaining this right.

    If you think posting the iptables list will help let me know.

  4. #4
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    OK, the first thing is to think about whether you require any NEW connections to your server from the outside. Then, how hard do you want to lock down outgoing NEW requests from your system? Then you need to build off of this. Lock down everything and then only open what you need.

    Are you running a STATEFUL firewall or CONNECTION based? STATEFUL is better.

    As to the ports you have open, why do you need these?

    Telnet(21) is BAD! You should not be allowing connections from the internet to your system using telnet.
    SMTP(25) POP(110) Are you running a mail server? If not, then you don't need these ports open from the internet either.
    DNS(53) is only needed if requests from the internet are required to query your DNS server.
    HTTP(80) HTTPS(443) Are you running a public web server? If not, then these ports can be closed also.

    What kind of outgoing connection do you require? On what ports?

    Here is a TUTORIAL for iptables. You are talking about locking down groups of ports, but I believe you are looking at this backwards. You should be locking down everything and then opening only the ports that are needed.

    Regards
    Robert


  5. #5
    Just Joined!
    Join Date
    Nov 2009
    Posts
    5
    Let me try this one more time, lol.

    I am running a VPS server. It houses FTP, SMTP/POP, Web (standard and SSL), DNS and the two HyperVM ports 8887 and 6666. Within this server I have an area of the website that pulls MySQL database information from a server within my house.

    Everything works fine until I engage the firewall. The connection to the remote MySQL database should be going out on port 3306, and on the remote end I can see it connecting to 3306. That port is currently open both inbound and outbound. The problem is that as soon as I block those higher ports (apparently around 30000+) PHP is completely unable to make that outbound connection and reports the remote SQL server is unavailable. As soon as I bulk open those higher ports (without touching 3306) the connection works. Apparently PHP is tunneling out on a much higher port than 3306 to make that remote connection, which makes no sense.

    As soon as I can figure out what port it's aiming for, I can redo the entire iptables to drop all and only open the needed ports, but I can't seem to figure out what it is.

    Confused as hell

    Robert

  6. #6
    Linux Guru
    Join Date
    Nov 2007
    Posts
    1,754
    Quote Originally Posted by megarock
    Let me try this one more time, lol.

    I am running a VPS server. It houses FTP, SMTP/POP, Web (standard and SSL), DNS and the two HyperVM ports 8887 and 6666. Within this server I have an area of the website that pulls MySQL database information from a server within my house.

    Everything works fine until I engage the firewall. The connection to the remote MySQL database should be going out on port 3306, and on the remote end I can see it connecting to 3306. That port is currently open both inbound and outbound. The problem is that as soon as I block those higher ports (apparently around 30000+) PHP is completely unable to make that outbound connection and reports the remote SQL server is unavailable. As soon as I bulk open those higher ports (without touching 3306) the connection works. Apparently PHP is tunneling out on a much higher port than 3306 to make that remote connection, which makes no sense.

    As soon as I can figure out what port it's aiming for, I can redo the entire iptables to drop all and only open the needed ports, but I can't seem to figure out what it is.

    Confused as hell

    Robert
    You need to differentiate between the CLIENT and the SERVER. In terms of MySQL, your VPS machine is the CLIENT and your home machine (running MySQL) is the SERVER. The PHP/MySQL *CLIENT* on the VPS machine will open a local port in the non-reserved port range 1025 > 65535 (you seem to indicate it's usually 30000 > 64K). This SOURCE port then connects to the SERVER (your home machine) on destination port 3306.

    Your firewall rules are not allowing this. If you are filtering/blocking OUTGOING connections, you need to allow NEW, ESTABLISHED, RELATED where source port is 1025 > 64K and destination is port 3306 (also could restrict it to only your home IP and port 3306 for the destination.)

    * Changing MySQL to use another port (different from 3306) is also a good security measure.

  7. #7
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Sounds to me like you are trying to be too smart with setting up a firewall which you don't fully understand. It sounds like you are making this more complicated than it has to be, because you refuse to post your rules and do not understand what it is we are trying to tell you. If you want my help then post your rules and remove/replace the IP addresses if you are worried about them. It is that simple.

    Regards
    Robert


  8. #8
    Just Joined!
    Join Date
    Nov 2009
    Posts
    5
    Ok, as I mentioned, they are a mess, but anyway:

    [root@noc /]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       tcp  --  anywhere             anywhere            tcp dpts:tcpmux:ftp-data
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
    DROP       tcp  --  anywhere             anywhere            tcp dpts:ssh:lmtp
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
    DROP       tcp  --  anywhere             anywhere            tcp dpts:26:xns-time
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
    DROP       tcp  --  anywhere             anywhere            tcp dpts:xns-ch:finger
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
    DROP       tcp  --  anywhere             anywhere            tcp dpts:hosts2-ns:pop2
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
    DROP       tcp  --  anywhere             anywhere            tcp dpts:sunrpc:cvc_hostd
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https

  9. #9
    Just Joined!
    Join Date
    Nov 2009
    Posts
    5
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:snpp:sgi-esphttp
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:personal-agent
    DROP       tcp  --  anywhere             anywhere            tcp dpts:5556:irdmi
    DROP       tcp  --  anywhere             anywhere            tcp dpts:irdmi:8006
    DROP       tcp  --  anywhere             anywhere            tcp dpts:8007:8886
    DROP       tcp  --  anywhere             anywhere            tcp dpt:8887
    DROP       tcp  --  anywhere             anywhere            tcp dpts:ddi-tcp-2:ndmp
    DROP       tcp  --  anywhere             anywhere            tcp dpts:scp-config:29999
    DROP       tcp  --  anywhere             anywhere            tcp dpt:55448

    Chain FORWARD (policy DROP)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       tcp  --  anywhere             anywhere            tcp dpts:commplex-main:irdmi
    DROP       udp  --  anywhere             anywhere            udp dpts:6000:irdmi

    As mentioned, until I can figure out what the issue is with php/mysql I have approached this from an allow-all and then block the ports not in use. I would rather drop, then accept the good ports, but if I do that php can no longer make the connection to mysql on the remote server. Changing output to DROP then ACCEPT makes no difference at all, therefore logically the issue is with INPUT and not OUTPUT or FORWARD. The only issue is what port PHP is using to make that outbound connection to the remote server (which is not the box in question).

    I had to break the post in two, would not let me post it all at once.

  10. #10
    Linux Guru
    Join Date
    Nov 2007
    Posts
    1,754
    *Please* use the CODE and /CODE tags to wrap code in a viewable format.

    *Please* output the iptables listing in numerical-port format.

    Code:
    iptables -L -nv
    Chain INPUT (policy ACCEPT 2 packets, 255 bytes)
     pkts bytes target     prot opt in     out     source               destination         
      125 20009 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:13724 
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:13724 
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:13782 
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:13782 
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:4145 
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:14141 
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:14144 
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
        0     0 ACCEPT     tcp  --  *      *       10.XXX.XXX.XXX         0.0.0.0/0           tcp dpt:10085 
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:10101 
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:10082 
       85  5500 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
       42  6920 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
        5   994 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 2779K packets, 515M bytes)
     pkts bytes target     prot opt in     out     source               destination
    Quote Originally Posted by megarock
    Changing output to DROP then ACCEPT makes no difference at all, therefore logically the issue is with INPUT and not OUTPUT or FORWARD.
    So you have no rule in your INPUT chain to allow RELATED or ESTABLISHED connections. Because port 3306 on the SQL server must stay free to accept further requests, connections are handed off to another port after the initial contact. If no INPUT rule exists to allow this "callback", it will be denied. Rather than opening up huge chunks of ports, using connection states with RELATED or ESTABLISHED is much cleaner; see the iptables link Lazydog posted earlier.

    Netstat is also your friend. If you want to see what ports are active between the VPS and SQL server, look at netstat -anp.

    Code:
    netstat -anp
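As an added example that is not from this thread or any of its posters, the script below puts the advice from posts #6 and #10 into a form that can be inspected before it is loaded: a stateful ruleset in iptables-restore format (default DROP, loopback, RELATED,ESTABLISHED in INPUT so the MySQL server's replies reach the client's ephemeral source port, the thread's inbound service ports opened for NEW connections only, and outbound NEW to port 3306 restricted to the home server), plus a small parse of constructed netstat -anp lines showing which local port the PHP client actually used. DB_HOST, SSH_PORT, the 203.0.113.0/24 and 198.51.100.0/24 addresses, the process names and the port numbers in the sample output are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Emits a stateful iptables ruleset for
# `iptables-restore` instead of applying it, so it can be read first.
DB_HOST="${DB_HOST:-203.0.113.10}"   # placeholder for the home MySQL server
SSH_PORT="${SSH_PORT:-666}"          # the thread mentions SSH moved to 666

# Inbound services the VPS offers, as listed in the thread:
# FTP 21, SMTP 25, DNS 53, HTTP 80, POP3 110, HTTPS 443, CP 5555, Kloxo 8887
INBOUND_TCP="21 25 53 80 110 443 5555 8887"

build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections this host opened: the MySQL server's packets come
# back to the client's ephemeral source port, not to 3306, so this one rule
# replaces the "open 30000-65535" workaround
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
EOF
    # inbound services: only NEW connections to the listed ports are accepted
    for p in $INBOUND_TCP $SSH_PORT; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "-A INPUT -p udp --dport 53 -j ACCEPT"
    cat <<EOF
# passive FTP data channel range from the thread
-A INPUT -p tcp --dport 30000:50000 -m state --state NEW -j ACCEPT
# outbound NEW connections: DNS anywhere, MySQL only to the home server
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d $DB_HOST --dport 3306 -m state --state NEW -j ACCEPT
# log what is still dropped so the next missing port shows up in syslog
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables INPUT drop: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables OUTPUT drop: "
COMMIT
EOF
}

# Print the local (source) port of each ESTABLISHED client connection to a
# MySQL server from `netstat -anp` output read on stdin. Field 4 is the local
# address, field 5 the foreign address, field 6 the state.
mysql_client_ports() {
    awk '$1 == "tcp" && $6 == "ESTABLISHED" && $5 ~ /:3306$/ {
             n = split($4, a, ":"); print a[n]
         }'
}

# Constructed sample `netstat -anp` lines (not real output from the thread).
SAMPLE_NETSTAT='tcp        0      0 198.51.100.5:45812      203.0.113.10:3306       ESTABLISHED 2211/httpd
tcp        0      0 198.51.100.5:80         192.0.2.44:51230        ESTABLISHED 2211/httpd
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1900/mysqld'

demo_client_ports() {
    printf '%s\n' "$SAMPLE_NETSTAT" | mysql_client_ports
}

# Stand-alone run: print the ruleset, then the sample client's source port.
# To apply for real, as root and only after reading it:
#     build_ruleset | iptables-restore
build_ruleset
echo "sample MySQL client source port(s): $(demo_client_ports)"
```

The point to check in the output is that 3306 appears only in the OUTPUT chain: the VPS never accepts a NEW connection to 3306, and the inbound half of the MySQL session is matched by the RELATED,ESTABLISHED rule. On a live box, the same awk filter can be fed from `netstat -anp` (or `ss -tnp`) to confirm that the client-side port changes from connection to connection, which is why no fixed high port could ever be "the one" to open.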
