Using iptables, you can write network activity to the log file, that is, which data is sent to and from where it comes from.
Continue reading “Logging activity using IPTables”Tag Archives: IPTables
IPTables rules for MySQL
If iptables locks all incoming connections (INPUT DROP) and to add external access to MySQL, you need to add rules:
iptables -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
To access only a particular network, for example 10.0.0.0/24:
iptables -A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 3306 -j ACCEPT
To remove a rule, we’ll specify the same command, replacing -A with -D, for example:
iptables -D INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
To view the list of rules, use the command:
sudo iptables -nvL
I note that in order to open external access, you also need to comment out the line “bind-address = 127.0.0.1” in the my.cnf configuration file.
If by default INPUT ACCEPT, we first specify which IPs are allowed access, and only the last rule is blocked by all the others:
/sbin/iptables -A INPUT -s 127.0.0.1 -p tcp --destination-port 3306 -j ACCEPT /sbin/iptables -A INPUT -s 192.168.1.5 -p tcp --destination-port 3306 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP
For example, using nmap, you can check locally and externally whether the access is filtered:
nmap -p 3306 localhost nmap -p 3306 192.168.1.5
See also:
Configuring IPTables
Other my articles about MySQL
IPTables rules for NTP and SNTP
To open access to the NTP client and NTP server in IPTables, you need to add rules:
Continue reading “IPTables rules for NTP and SNTP”IPTables rules for FTP server
To open access to the FTP server in IPTables, you need to add rules:
sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT sudo iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 1024:1030 -j ACCEPT
To only allow access to a particular network, for example 192.168.1.0/24:
sudo iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 21 -j ACCEPT sudo iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT sudo iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 1024:1030 -j ACCEPT
To remove a rule, we’ll specify the same command, replacing -A with -D, for example:
sudo iptables -D INPUT -p tcp --dport 21 -j ACCEPT sudo iptables -D OUTPUT -p tcp --sport 20 -j ACCEPT sudo iptables -D INPUT -p tcp --dport 1024:1030 -j ACCEPT
To view the list of rules, use the command:
sudo iptables -nvL
1024-1030 – example ports for passive mode are specified in the FTP server configuration, for example for ProFTPd are specified in the /etc/proftpd/proftpd.conf file as follows:
PassivePorts 1024 1030
See also my articles:
Configuring IPTables
Active and passive FTP mode
Installing and Configuring Pure-FTPd in Ubuntu
Installing and Configuring ProFTPd in Ubuntu
IPTables rules for TFTP
To open the TFTP port in IPTables, we will run the rule:
Continue reading “IPTables rules for TFTP”IPTables rules for Asterisk
To allow SIP connection in IPTables, add rules (the first for connections, the second for voice traffic):
Continue reading “IPTables rules for Asterisk”