Looking to make a mysql database server for web-servers.
The server has a public & private interface and I need some assistance writing the rules.
I want to allow only SSH and mysql via the private interface, and essentially shut down the public interface.
iptables -nL -v --line-numbers
Allow Public and Private if initiated by server.
iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow Loopback to localhost
iptables -A INPUT -i lo -j ACCEPT
Block all incoming traffic via public interface.
??
Block all SSH via public interface
iptables -A INPUT -i eth0 -p tcp --destination-port 22 -j DROP
Allow SSH via private interface from 1 IP.
iptables -A INPUT -p tcp -s PRIVATE_IP --dport 22 -i eth1 -j ACCEPT
Allow mysql via private interface from specific IP. Reject mysql via eth0 (public)
iptables -A INPUT -i eth1 -p tcp --dport mysql -s PRIVATE_IP -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport mysql -j REJECT
Allow Ping on eth1 (private), but not eth0 (public)
iptables -A INPUT -i eth1 -p icmp -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -j REJECT
Drop Public connections
iptables -A INPUT -i eth0 -j DROP
Do I have all my bases covered?
Answer
Do I have all my bases covered?
When speaking of a public facing server, one should never think to be ultimately safe; other than that, I would set a DROP policy for the INPUT chain, and after that allow only what is really required.
For example, after a
iptables -P INPUT DROP
it wouldn't be necessary to specify the
iptables -A INPUT -i eth0 -p tcp -m tcp --dport mysql -j REJECT
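Here is the question's rule set rebuilt around the DROP policy the answer recommends, as an added example that is not part of the question or the answer. Interface names eth0/eth1 are taken from the question; ADMIN_IP, WEB_IP and the MySQL port are assumed placeholder values. The script only prints the rules unless it is invoked as root with the `apply` argument, so the list can be reviewed first. The ESTABLISHED,RELATED rule is deliberately not tied to eth0 (unlike the `-I INPUT -i eth0` line in the question), so replies to connections the server itself opens over eth1 are also accepted, and the policy is set last so an error earlier in the script does not drop the administrator's own SSH session.

```shell
#!/bin/sh
# Added example (not from the question or the answer): a default-DROP
# INPUT chain with an explicit allow-list. With the policy set to DROP,
# nothing reaches the server over eth0 unless a rule says so, so the
# per-port REJECT/DROP rules for eth0 in the question become unnecessary.

PUB_IF="eth0"        # public interface, as in the question
PRIV_IF="eth1"       # private interface, as in the question
ADMIN_IP="10.0.0.5"  # assumed: the single private host allowed to SSH in
WEB_IP="10.0.0.10"   # assumed: the web server allowed to reach MySQL
MYSQL_PORT="3306"    # the question's "--dport mysql" resolves to this via /etc/services

# Print the rules in order rather than running them, so they can be
# inspected (and tested) before they touch the live firewall.
build_rules() {
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $PRIV_IF -p tcp -s $ADMIN_IP --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $PRIV_IF -p tcp -s $WEB_IP --dport $MYSQL_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $PRIV_IF -p icmp --icmp-type echo-request -j ACCEPT
iptables -P INPUT DROP
EOF
}

# Sanity check before applying: with a DROP policy there should be no rule
# that mentions the public interface at all. Returns 0 when that holds.
no_public_rules() {
    if build_rules | grep -q -- "-i $PUB_IF"; then
        return 1
    fi
    return 0
}

# Apply the generated rules; requires root. Run this over the private
# interface: the ESTABLISHED rule keeps the current SSH session alive.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must be run as root" >&2
        return 1
    fi
    no_public_rules || { echo "apply_rules: refusing, public rule present" >&2; return 1; }
    build_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Run without arguments to print the rule list; compare it with `iptables -nL -v --line-numbers` after applying. Because the policy is DROP, any new service later added to the private side needs its own ACCEPT rule, which is the "allow only what is really required" discipline the answer describes.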