Port redirection


I have the following scenario:

I changed the MySQL port to 54235 on the CentOS Linux server; I accept connections from outside only on that port.

I have old, discontinued third-party software that has no option to change the default port 3306. However, this software must access the database from 2 external fixed IPs.

How do I configure Linux to accept connections on port 3306 only from these 2 fixed IPs, and internally redirect the connection to port 54235?

  • It is part of programming, because the database used by the system needs this specific release to be able to work on the server.

1 answer


First, an important point: in iptables, the PREROUTING rules that do port redirects run before the filter rules that define which ports can be accessed and by which IPs, as can be seen in the diagram below:

[diagram of the iptables rule processing order]

So when an IP tries to access port 3306, it will first be redirected to port 54235, and only then are the filtering rules executed that decide which ports it can access. This means that any IP that has access to port 54235 will also be able to access port 3306, even if it does not have access to 3306, since as soon as it accesses port 3306 it has already been redirected and only then is it checked whether it can access (but by now it is already on port 54235).

Knowing this, if you still want to proceed, configure iptables as follows to allow access to port 3306 only from certain IPs (this rule will not be useful because, as stated above, it will not be checked; it is only included to make the iptables rules clear):

sudo iptables -A INPUT -p tcp -s IP_AQUI --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The first rule must be repeated for the two allowed IPs; this means only the IPs defined in this rule can initiate a connection on this port. The second step is to redirect the ports; the command is this:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3306 -j REDIRECT --to-port 54235

Finally, to not allow other connections on port 3306 (again, this rule will also not be executed):

iptables -A INPUT -p tcp --dport 3306 -j DROP

To accept all connections on port 54235:

iptables -A INPUT -p tcp --dport 54235 -j ACCEPT

And to change the default policy to DROP:

iptables -P INPUT DROP

  • Thank you very much. I will test and post the result.

  • Lucas, it worked; I no longer knew what to do. Thank you.

  • Turns out I need 15 reputation to upvote :/

  • Another detail, Lucas: the redirect worked; however, I found that other IPs are getting access, and only 2 were allowed by the first command.

  • Searching forums, I added this command to block port 3306 by default, but it didn't work: iptables -A INPUT -p tcp --destination-port 3306 -j DROP

  • @power I suppose you're saying that other IPs can connect using port 3306. I added this detail to my reply, but summarizing here: in iptables, the PREROUTING rule that does port forwarding runs before the rules that do access filtering, which means any IP accessing port 3306 will be able to access it if it also has access to port 54235.

  • From what I understand, then, there is no way to do a PREROUTING without blocking the other IPs? Is there an alternative solution that I can search for?

  • Maybe some plugin, but with that I cannot help you because I do not know.

  • Lucas, just one more thing, please, if you can help me. I created a server on Amazon to take advantage of the incoming IP filter they have. So I'm now willing to just redirect an external IP and port to another external IP and port. I tried the following commands, but without success:

    sudo iptables -t nat -A PREROUTING -p tcp -d ip_externo_input --dport 3306 -j DNAT --to ip_externo_output:porta_output
    sudo iptables -A FORWARD -i eth0 -p tcp --dport porta_input -d ip_externo_input -j ACCEPT

    Thanks in advance for your attention.
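Added illustration (not part of the question, the answer, or the comments above): a small Python model of the netfilter traversal order the answer describes, run over the answer's own ruleset and over a second ruleset that puts the `-s` source match on the REDIRECT rule itself. The second ruleset is my own suggestion and goes beyond what the answer shows; the addresses are constructed RFC 5737 documentation addresses, and the model covers only nat PREROUTING and filter INPUT (raw/mangle and the OUTPUT rule are left out because they do not change the verdict for an incoming connection).

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed documentation addresses (RFC 5737), not taken from the original question.
ALLOWED_A = "198.51.100.10"
ALLOWED_B = "198.51.100.20"
STRANGER = "203.0.113.7"


@dataclass(frozen=True)
class Packet:
    src: str     # source address, what -s matches on
    dport: int   # destination port, what --dport matches on


@dataclass(frozen=True)
class Rule:
    target: str                     # ACCEPT, DROP or REDIRECT
    src: Optional[str] = None       # -s match; None = any source
    dport: Optional[int] = None     # --dport match; None = any port
    to_port: Optional[int] = None   # --to-port, only for REDIRECT

    def matches(self, pkt: Packet) -> bool:
        return ((self.src is None or self.src == pkt.src)
                and (self.dport is None or self.dport == pkt.dport))


def nat_prerouting(pkt: Packet, rules: List[Rule]) -> Packet:
    """First matching REDIRECT rewrites the destination port. Netfilter consults
    nat PREROUTING only for the first packet of a connection and conntrack then
    applies the same translation to the rest, so modelling one packet is enough."""
    for r in rules:
        if r.target == "REDIRECT" and r.matches(pkt):
            return replace(pkt, dport=r.to_port)
    return pkt


def filter_input(pkt: Packet, rules: List[Rule], policy: str = "DROP") -> str:
    """First matching ACCEPT/DROP wins; otherwise the chain policy (-P INPUT) applies."""
    for r in rules:
        if r.target in ("ACCEPT", "DROP") and r.matches(pkt):
            return r.target
    return policy


def deliver(pkt: Packet, nat: List[Rule], inp: List[Rule],
            policy: str = "DROP") -> Tuple[int, str]:
    """Traversal for a packet addressed to the host itself: nat PREROUTING runs
    before the routing decision and before filter INPUT, so INPUT only ever sees
    the translated port. Returns (port INPUT saw, verdict)."""
    translated = nat_prerouting(pkt, nat)
    return translated.dport, filter_input(translated, inp, policy)


# Ruleset 1: the rules from the answer above, in the order they were given.
ANSWER_NAT = [Rule("REDIRECT", dport=3306, to_port=54235)]
ANSWER_INPUT = [
    Rule("ACCEPT", src=ALLOWED_A, dport=3306),
    Rule("ACCEPT", src=ALLOWED_B, dport=3306),
    Rule("DROP", dport=3306),
    Rule("ACCEPT", dport=54235),
]

# Ruleset 2 (added suggestion, not from the answer): carry the -s match on the
# REDIRECT rule itself, one rule per allowed source, for example
#   iptables -t nat -A PREROUTING -i eth0 -p tcp -s 198.51.100.10 --dport 3306 -j REDIRECT --to-port 54235
# Only the two allowed sources are ever translated; everyone else still arrives
# on 3306 in INPUT and is dropped there.
RESTRICTED_NAT = [
    Rule("REDIRECT", src=ALLOWED_A, dport=3306, to_port=54235),
    Rule("REDIRECT", src=ALLOWED_B, dport=3306, to_port=54235),
]
RESTRICTED_INPUT = [
    Rule("DROP", dport=3306),
    Rule("ACCEPT", dport=54235),
]


if __name__ == "__main__":
    for name, nat, inp in (("answer", ANSWER_NAT, ANSWER_INPUT),
                           ("restricted", RESTRICTED_NAT, RESTRICTED_INPUT)):
        for src in (ALLOWED_A, STRANGER):
            port, verdict = deliver(Packet(src, 3306), nat, inp)
            print(f"{name:10} {src:15} -> 3306: INPUT saw port {port}, verdict {verdict}")
```

Running it shows the effect the answer warns about: with the answer's ruleset a connection from the unlisted address to 3306 is translated to 54235 before INPUT looks at it, so the `ACCEPT --dport 54235` rule lets it in and the `-s` rules on 3306 never match anything. With the source match moved onto the REDIRECT rules, the same connection stays on 3306 and hits the DROP, while the two allowed addresses are still translated and accepted. Port 54235 itself remains open to everyone, as the question states it should be.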
