I have followed the instructions at: https://www.atomicorp.com/wiki/index.ph ... _Port_ACLs to allow certain IPs to connect to MySQL on 3306 but I am still unable to make connections to MySQL from the allowed IPs
The firewall contains rules for the IPs listed in the file /etc/asl/firewall/INPUT-mysqld-tcp-3306-any-acl which gives these rules in the firewall itself (iptables -L -n | grep 3306):
LOCAL-0-mysqld-ACL tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 state NEW
ACCEPT tcp -- 106.1x6.116.x6 0.0.0.0/0 tcp dpt:3306 state NEW
ACCEPT tcp -- 10.x6.85.5x 0.0.0.0/0 tcp dpt:3306 state NEW
ACCEPT tcp -- 116.51.2xx.9 0.0.0.0/0 tcp dpt:3306 state NEW
ACCEPT tcp -- 103.x.17.1x7 0.0.0.0/0 tcp dpt:3306 state NEW
ACCEPT tcp -- 50.x.28.3x 0.0.0.0/0 tcp dpt:3306 state NEW
ACCEPT tcp -- 89.45.2x9.xx 0.0.0.0/0 tcp dpt:3306 state NEW
ACCEPT tcp -- 130.x.19x.51 0.0.0.0/0 tcp dpt:3306 state NEW
ACCEPT tcp -- 176.x.23x.119 0.0.0.0/0 tcp dpt:3306 state NEW
ACCEPT tcp -- 78.157.xx7.106 0.0.0.0/0 tcp dpt:3306 state NEW
ACCEPT tcp -- 192.x.2x.36 0.0.0.0/0 tcp dpt:3306 state NEW
ACCEPT tcp -- 192.x.32.x70 0.0.0.0/0 tcp dpt:3306 state NEW
ACCEPT tcp -- 162.2x1.66.130 0.0.0.0/0 tcp dpt:3306 state NEW
ACCEPT tcp -- 204.x.60.100 0.0.0.0/0 tcp dpt:3306 state NEW
ACCEPT tcp -- 162.211.x.212 0.0.0.0/0 tcp dpt:3306 state NEW
ACCEPT tcp -- 23.x.101.96 0.0.0.0/0 tcp dpt:3306 state NEW
ACCEPT tcp -- x.71.187.204 0.0.0.0/0 tcp dpt:3306 state NEW
(Obfuscated actual IPs)
Why does this not work, what am I doing wrong?
For reference I am using FW_INBOUND_TCP_SERVICES but as per the instructions 3306 is not listed.
TIA
Per Port ACLs
- mikeshinn
- Atomicorp Staff - Site Admin
Re: Per Port ACLs
Thanks for the question. So my first guess is something else in your firewall rules is blocking something. If you don't see any ASL* events in your logs, then the ASL rules aren't blocking anything; something else is. So the most common cause of this is you have either old (the default iptables rules) or third party rules installed (like the Plesk firewall manager, CSF, APF, and others). Make sure you don't have anything like that installed or configured first:
https://www.atomicorp.com/wiki/index.ph ... #firewalls
This includes disabling the iptables service; you don't need it. And it's always on by default, so if you didn't disable it, make sure you do and flush your rules as that article describes, because they are probably already causing you problems.
Once you do that, if you have any custom rules you'll want to either add logging to them so you can figure out why they are blocking, or remove them so you can rule them out. My advice: make it simple and remove them; you can always add them back in.
All of the automatically generated rules from ASL will log anything they block (unless you disabled logging, but all logging is on by default), so once you do that check the ASL web console to see if it's reporting that its rules are blocking anything. All ASL generated rules log if they block; third party and custom rules usually don't have any logging (it's a personal pet peeve of mine when drop rules don't log, like the default rules with iptables: no logging, so you have no idea it's doing that).
If none of that helps, post your iptables rules so we can see what's going on.
Michael Shinn
Atomicorp - Security For Everyone
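To illustrate the point above that a rule earlier in INPUT can decide the packet before the ASL ACL chain is ever reached, and that only drop rules with a LOG in front of them show up anywhere, here is a small simulator (added here; not ASL's code and not from this thread) that walks an `iptables -L -n` listing the way the kernel would for a NEW TCP connection. The listing, the body of the `LOCAL-0-mysqld-ACL` chain and the 192.0.2.x / 198.51.100.x addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed sample (ACL chain body assumed): a leftover default REJECT sits ahead of the ACL jump.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
ACCEPT     all  --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
REJECT     all  --  0.0.0.0/0   0.0.0.0/0   reject-with icmp-host-prohibited
LOCAL-0-mysqld-ACL  tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:3306 state NEW
Chain LOCAL-0-mysqld-ACL (1 references)
ACCEPT     tcp  --  192.0.2.36  0.0.0.0/0   tcp dpt:3306 state NEW
LOG        all  --  0.0.0.0/0   0.0.0.0/0   LOG level warning prefix "ASL-ACL "
DROP       all  --  0.0.0.0/0   0.0.0.0/0
"""
FIXED = "\n".join(l for l in SAMPLE.splitlines() if not l.startswith("REJECT"))  # after the flush
def parse_listing(text):
    """Parse `iptables -L -n` output into {chain: (policy or None, [rule dicts])}."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if m:
            cur, chains[m.group(1)] = m.group(1), (m.group(2), [])
            continue
        target, prot, _, src = line.split()[:4]
        dpt, st = re.search(r"dpt:(\d+)", line), re.search(r"state (\S+)", line)
        chains[cur][1].append({"target": target, "prot": prot, "src": ipaddress.ip_network(src),
                               "dpt": dpt and int(dpt.group(1)), "states": st and st.group(1).split(",")})
    return chains
def matches(rule, src, dport):
    """Does the rule match a NEW TCP packet from src to local port dport? (dst column ignored)"""
    return (rule["prot"] in ("all", "tcp") and ipaddress.ip_address(src) in rule["src"]
            and rule["dpt"] in (None, dport) and (not rule["states"] or "NEW" in rule["states"]))
def walk(chains, src, dport, chain="INPUT", logged=False):
    """Return (verdict, chain, rule_no, logged); rule_no None = chain policy, logged = a LOG fired first."""
    policy, rules = chains[chain]
    for no, rule in enumerate(rules, 1):
        if not matches(rule, src, dport):
            continue
        t = rule["target"]
        if t == "LOG":
            logged = True
        elif t == "RETURN":
            break
        elif t in ("ACCEPT", "DROP", "REJECT"):
            return t, chain, no, logged
        elif t in chains:  # jump into a user chain; resume here if it falls off the end
            *res, logged = walk(chains, src, dport, t, logged)
            if res[0] is not None:
                return (*res, logged)
    return policy, chain, None, logged
```

With SAMPLE, the allowed 192.0.2.36 is rejected by INPUT rule 2 without any log line; with FIXED it is accepted inside the ACL chain, and any other source is logged and then dropped there.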
- Forum User
Re: Per Port ACLs
Hi Mike,
Thanks for the background. Looking at the docs you've pointed me to, I can see a couple of errors; the instructions refer to:
Code:
service stop iptables
which as far as I am concerned on CentOS here should be
Code:
service iptables stop
Same for the service asl-firewall equivalents.
Anyway, stopping iptables (which bizarrely gives me this result):
Code:
iptables: Setting chains to policy ACCEPT: raw mangle nat f[ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: iptable_raw iptable_mangle iptable_nat iptable_filter iptable_raw iptable_mangle iptable_nat iptable_filter ip_tables [FAILED]
and then starting asl-firewall seems to do the trick.
Appreciate you clearing this up for me; the ACL file now seems to work correctly, thanks!
Re: Per Port ACLs
The result from stopping iptables is expected. ASL doesn't allow unloading of kernel modules.