Iptables Multicraft
Posted by Nascar, 07-14-2013, 10:35 PM |
Hi there,
I've set up iptables on my CentOS dedicated server and am looking to see if it all looks OK and to see if anyone can help sort my problem. My aim is to block everything in, out and forward apart from the listed ports.
Problem: I get errors regarding unable to connect to mysql database.
Information: The Multicraft daemon connects to the panel, which is on a separate machine, via 25564 (panel listen port) and using remote MySQL. I've whitelisted below the remote MySQL port and the daemon port, but still I get the errors.
When I turn iptables off it works perfectly. Is there a hidden port for remote mysql?
Here's my config:
Thanks
|
Posted by nidhal, 07-14-2013, 10:45 PM |
Try this:
iptables -A INPUT -p tcp -s ServerIPHere --sport 1024:65535 -d ServerIPHere --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s ServerIPHere --sport 3306 -d ServerIPHere --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
|
Posted by Nascar, 07-14-2013, 10:57 PM |
Still problem unfortunately.
Maybe I have to include the destination server IP somewhere in there.
|
Posted by Master Bo, 07-15-2013, 01:24 AM |
Perhaps this one:
|
Posted by Nascar, 07-15-2013, 01:27 AM |
I'm going to try this now.
Are -d and -s serverip for when you have multiple IPs on one machine?
|
Posted by Master Bo, 07-15-2013, 01:35 AM |
If -d / -s isn't specified for a rule, 0/0 is assumed.
To affect multiple selected ips only, you can list multiple IPs/IP nets in -s/-d parameter, comma-separated, e.g.
iptables -A INPUT -p tcp -d ${SERVER_IP1},${SERVER_IP2},${SERVER_IP3} --dport 22 -j ACCEPT
|
Posted by Nascar, 07-15-2013, 01:37 AM |
OK, so 0/0 would mean all IPs on the server or all interfaces?
Sorry, new to this.
|
Posted by RA4W, 07-15-2013, 02:14 AM |
I did this yesterday, and since the Multicraft documentation is pretty poor, it took a while to get it all working. PM me if you need help.
|
Posted by Master Bo, 07-15-2013, 03:01 AM |
Yes, if '-s' is missing, '-s 0/0' is assumed.
I suspect that configuration isn't top secret. You could just post it here.
Last edited by Master Bo; 07-15-2013 at 03:01 AM.
Reason: answers merged
|
Posted by Nascar, 07-15-2013, 03:35 AM |
But does 0/0 mean all IPs, or does it mean all interfaces, or neither of these?
|
Posted by madaboutlinux, 07-15-2013, 04:36 AM |
0/0 means all IPs on the main interface. Just wanted to confirm whether the daemon is running on a remote server and trying to connect to your server on port 3306? If that's the case, the following command will serve the purpose:
You should also check if outgoing port 3306 is allowed on the Multicraft daemon server.
|
Posted by Nascar, 07-15-2013, 05:54 AM |
Thanks for the reply.
I've got it working just now by removing this:
iptables -P OUTPUT DROP
And this:
iptables -A OUTPUT -j DROP
So my plan is to have this:
iptables -P OUTPUT ACCEPT
And find out which outgoing port is being blocked, which is quite tricky unless there is an active TCP port scanner for Linux?
If I set output to ACCEPT what will this do and what does this section do for DROP anyway?
# Set default chains policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Also, the yum repos seem to be blocked or something, as they keep not resolving.
What's the port for yum/repo?
Thanks
|
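On the question of how to find which outgoing port is being blocked without a port scanner: iptables can log the packets it is about to drop, and the kernel log then carries the protocol and destination port (PROTO= and DPT=) of every blocked connection attempt. The script below is an added example, not code from the thread or from Multicraft. It assumes the CentOS default syslog file /var/log/messages and a log prefix of OUT-DROP:, and the three log lines it summarises are constructed to match the LOG target's line format, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the original thread): make the OUTPUT chain log
# what it drops, then summarise the blocked destination ports from the log.
# Assumptions: syslog lands in /var/log/messages (CentOS default) and the
# ruleset ends with an explicit "iptables -A OUTPUT -j DROP" as in the OP's
# config. The sample log lines further down are constructed, not captured.

# Print the commands that put a rate-limited LOG rule *before* the final
# DROP. Order matters: "-I" would log accepted traffic too, so the catch-all
# DROP is removed, LOG is appended, and DROP is appended again after it.
# Dry run only: this function prints, it does not touch the firewall.
log_rule() {
    echo "iptables -D OUTPUT -j DROP 2>/dev/null"
    echo "iptables -A OUTPUT -m limit --limit 5/min --limit-burst 10" \
         "-j LOG --log-prefix 'OUT-DROP: ' --log-level 4"
    echo "iptables -A OUTPUT -j DROP"
}

# Read log lines on stdin, keep only those tagged OUT-DROP:, and count how
# often each PROTO=/DPT= pair was blocked. Output: "<count> PROTO=x DPT=y",
# most frequent first. Field order in LOG lines varies by protocol, so the
# fields are located by name rather than by position.
summarise_drops() {
    grep 'OUT-DROP:' | awk '{
        proto = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = $i;
            if ($i ~ /^DPT=/)   dpt   = $i;
        }
        if (proto != "" && dpt != "") print proto, dpt;
    }' | sort | uniq -c | sort -rn
}

# Constructed sample: two blocked DNS queries, one blocked MySQL connection
# and one unrelated kernel line. Addresses are documentation ranges.
SAMPLE_LOG='Jul 15 05:54:01 srv kernel: OUT-DROP: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=3306 WINDOW=14600 RES=0x00 SYN URGP=0
Jul 15 05:54:02 srv kernel: OUT-DROP: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=51234 DPT=53 LEN=40
Jul 15 05:54:03 srv kernel: OUT-DROP: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=51235 DPT=53 LEN=40
Jul 15 05:54:04 srv kernel: eth0: link is up'

# The single most-blocked destination port in the sample, as "DPT=<port>".
top_blocked_port() {
    printf '%s\n' "$SAMPLE_LOG" | summarise_drops | head -n 1 | awk '{print $3}'
}

# Stand-alone demo on the constructed sample. On a live server, after
# running the commands from log_rule and reproducing the failure:
#     summarise_drops < /var/log/messages
log_rule
printf '%s\n' "$SAMPLE_LOG" | summarise_drops
```

Every DPT= value that shows up is a port that still needs an ACCEPT rule in OUTPUT; in the sample the top entry is 53/udp, which is exactly the "repos keep not resolving" symptom. The --limit keeps a retrying process from flooding the log, and because the LOG rule sits after all the ACCEPT rules, it only ever sees traffic that is about to be dropped.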
Posted by Master Bo, 07-15-2013, 06:43 AM |
When '-s' (or '-d') is omitted, 0/0 is assumed, which means any IP address will match the corresponding part (source or destination).
That applies to the currently selected interface ('-i' for input, where the packet is coming from; '-o' for output, where the packet is going to). If -i/-o are also omitted, any interface will match.
In the absence of both interface and source/destination parameters, any IP on any interface will match the rule.
yum uses HTTP/HTTPS (80/tcp, 443/tcp).
Note: unless you allow DNS requests (53/udp, 53/tcp), domain name resolution won't work, either.
Last edited by Master Bo; 07-15-2013 at 06:53 AM.
Reason: answers merged
|
Posted by madaboutlinux, 07-15-2013, 07:02 AM |
Yes, changing the default policy to ACCEPT means all traffic from all ports to all ports is allowed i.e. incoming and outgoing which is why your application started to work. DROP means block all traffic to/from all ports i.e. incoming and outgoing.
To allow traffic from particular IPs on particular ports, you should set the policy to DROP and allow the ports you want. BTW, why don't you use the CSF firewall? It will be easy for you to manage traffic using its configuration and allow/deny files.
|
Posted by Nascar, 07-15-2013, 08:07 AM |
Well, I've got this:
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
Does this mean input and output on all ports is accepted, or just all output ports?
Also, yum doesn't work using the rules posted above, only when I accept output and comment out iptables -A OUTPUT -j DROP.
I might just leave output open, seems easier. What are the risks of having output open?
Last edited by Nascar; 07-15-2013 at 08:12 AM.
|
Posted by madaboutlinux, 07-15-2013, 08:40 AM |
'OUTPUT ACCEPT' means all outgoing traffic from your server is allowed, and 'INPUT DROP' means all incoming is blocked unless you have written rules to allow some specific traffic. You should also allow port 53 (UDP protocol) in the INPUT and OUTPUT chains so you can install packages using yum even when setting the OUTPUT chain to DROP.
|
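Putting the two explanations together (a rule with no -s/-d/-i/-o matches any IP on any interface, so the way to scope a rule to the panel host is -s/-d; and once OUTPUT is DROP, yum needs DNS plus HTTP/HTTPS allowed out), here is a complete default-DROP ruleset for the setup described in this thread. It is an added example, not the original poster's configuration and not anything from the Multicraft project. The interface name, panel address, daemon port and game port are placeholders (assumptions; only 25564 and 3306 appear in the thread), and by default it only prints the iptables commands, so it can be run anywhere without touching a firewall.

```shell
#!/bin/sh
# Added example (not the OP's config, not Multicraft's): default-DROP in all
# three chains with an explicit allowlist, including the egress rules the OP
# was missing. Everything below is a placeholder/assumption:
#   WAN_IF      public interface (eth0)
#   PANEL_IP    the Multicraft panel host, which also runs the remote MySQL
#   DAEMON_PORT port used between daemon and panel (25564 from the thread;
#               the direction of the connection is assumed, so both are allowed)
#   GAME_PORTS  ports players connect to (25565 is the usual Minecraft port)
# IPT defaults to "echo iptables" (dry run). Set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"
PANEL_IP="${PANEL_IP:-198.51.100.20}"
DAEMON_PORT="${DAEMON_PORT:-25564}"
GAME_PORTS="${GAME_PORTS:-25565}"

apply_rules() {
    # Start from an empty table, then the default policies the OP wants.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback: local MySQL clients, yum and many daemons talk to 127.0.0.1.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Stateful core. One rule per chain covers every reply packet of every
    # allowed connection, so the per-port rules below only have to match
    # the first packet (NEW). Packets conntrack cannot classify are dropped.
    $IPT -A INPUT  -m state --state INVALID -j DROP
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Rate-limited ping in; all ICMP out (errors such as path-MTU ride on RELATED).
    $IPT -A INPUT  -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    $IPT -A OUTPUT -p icmp -j ACCEPT

    # Inbound services on the public interface.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    for p in $GAME_PORTS; do
        $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # -s scopes this rule to the panel host; without it 0/0 (anyone) would match.
    $IPT -A INPUT -i "$WAN_IF" -p tcp -s "$PANEL_IP" --dport "$DAEMON_PORT" \
         -m state --state NEW -j ACCEPT

    # Outbound allowlist: the part that breaks yum and the daemon when missing.
    # DNS (53/udp and 53/tcp): without it nothing resolves, including the repo mirrors.
    $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    # HTTP/HTTPS for yum; NTP for the clock.
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport 123 -j ACCEPT
    # Remote MySQL and the panel, scoped with -d to the panel host only.
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp -d "$PANEL_IP" -m multiport --dports 3306,"$DAEMON_PORT" \
         -m state --state NEW -j ACCEPT

    # Log what is about to be dropped (rate-limited) so a missing port shows
    # up as DPT= in the kernel log instead of a silent failure. The chain
    # policy does the actual dropping, so no explicit "-j DROP" is needed.
    $IPT -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "
}

apply_rules
```

Keeping OUTPUT at DROP with this allowlist is the answer to the "what are the risks of having output open" question: with OUTPUT ACCEPT, anything that gets to run on the box (a malicious server plugin uploaded through the panel, a compromised account) can connect anywhere to fetch tools, exfiltrate data or join a botnet, and the firewall neither stops nor logs it. The ESTABLISHED,RELATED rules are what keep the egress list short, since only the first packet of each connection needs its own ACCEPT, and the -s/-d on the panel rules mean the MySQL and daemon ports are reachable only from and to that one host rather than from 0/0.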