Thursday, October 1, 2015

mysql - Translating IPTables rule to UFW



We are using an Ubuntu 12.04 x64 LTS VPS. The firewall being used is UFW.

I have set up Varnish + LEMP, along with other things, including an Openswan IPsec VPN from our office to the VPS data center. A second in-house Ubuntu box is to act as MySQL slave and fetch data from the VPS through the VPN.



The master's ppp0 is seen as 10.1.2.1 from the slave; they ping each other, etc.



I have done the various required tasks, but I can't get the client (slave) MySQL (nor telnet 10.1.2.1 3306) to access the master through the VPN unless I issue this fairly obvious iptables command:



iptables -A INPUT -s 10.1.2.0/24 -p tcp --dport 3306 -j ACCEPT


I willingly forced the accepted input to come from the last octet.

With this rule everything works just fine!



However I want to translate this command to UFW syntax so to keep everything in one place.



Now, I admit to being inexperienced with UFW; I prepared rules like:



ufw allow proto tcp from 10.1.2.0/24 port mysql


and 2-3 variations involving specifying 3306 instead of mysql, specifying a target IP (MySQL's my.cnf is at the moment configured with 0.0.0.0) and similar, but I just don't seem to be able to replicate the simple iptables rule in a functional way.




Could anyone kindly give me a suggestion that is not to dump UFW?



Thanks in advance.


Answer



The command



ufw allow proto tcp from 10.1.2.0/24 port mysql



adds the following to iptables



iptables -L ufw-user-input -vn
Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       10.1.2.0/24          0.0.0.0/0            tcp spt:3306


Note the spt: this says the source port of the packet needs to be 3306. You need to tell UFW to allow packets with a destination of port 3306.




ufw allow proto tcp from 10.1.2.0/24 to any port mysql


which adds a rule like this



iptables -L ufw-user-input -vn
Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       10.1.2.0/24          0.0.0.0/0            tcp dpt:3306


which will allow packets destined to port 3306 from 10.1.2.0/24.
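The point the answer turns on is that in UFW's grammar a `port` keyword binds to whichever endpoint was named just before it: after `from` it becomes a source-port match (spt), after `to` a destination-port match (dpt). The following Python script is an added illustration, not part of the original question or answer and not ufw's own code: it parses that subset of the `ufw allow|deny` grammar, renders the iptables rule ufw would append to its ufw-user-input chain (the chain name is taken from the output above; the DROP target for `deny`, the tiny service-name table and the omission of ufw's logging and state handling are simplifications assumed here), and then checks both rules against a constructed MySQL connection packet so you can see why the first one never matched.

```python
import ipaddress
import shlex

# Minimal service-name table; real ufw resolves names through /etc/services.
SERVICES = {"mysql": 3306, "ssh": 22, "http": 80, "https": 443}


def parse_ufw_rule(rule):
    """Parse `ufw allow|deny [proto P] [from A [port N]] [to B [port N]]`.

    Returns a dict with action, proto, src, sport, dst, dport.  A `port`
    keyword applies to the endpoint (`from` or `to`) that precedes it.
    """
    tokens = shlex.split(rule)
    if tokens and tokens[0] == "ufw":
        tokens = tokens[1:]
    if not tokens or tokens[0] not in ("allow", "deny"):
        raise ValueError("rule must start with 'ufw allow' or 'ufw deny'")
    spec = {"action": tokens[0], "proto": None,
            "src": "any", "sport": None, "dst": "any", "dport": None}
    side = None  # endpoint the next 'port' keyword binds to
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "proto":
            spec["proto"] = tokens[i + 1]
            i += 2
        elif tok in ("from", "to"):
            addr = tokens[i + 1]
            if addr != "any":
                ipaddress.ip_network(addr, strict=False)  # validate early
            spec["src" if tok == "from" else "dst"] = addr
            side = tok
            i += 2
        elif tok == "port":
            if side is None:
                raise ValueError("'port' must follow 'from' or 'to'")
            port = int(SERVICES.get(tokens[i + 1], tokens[i + 1]))
            if not 1 <= port <= 65535:
                raise ValueError(f"port out of range: {port}")
            spec["sport" if side == "from" else "dport"] = port
            i += 2
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return spec


def to_iptables(spec):
    """Render the iptables rule(s) ufw would append to ufw-user-input.

    Simplification assumed here: `deny` maps to DROP, and when no proto is
    given but a port is, ufw emits one rule each for tcp and udp.
    """
    target = "ACCEPT" if spec["action"] == "allow" else "DROP"
    has_port = spec["sport"] is not None or spec["dport"] is not None
    if spec["proto"]:
        protos = [spec["proto"]]
    else:
        protos = ["tcp", "udp"] if has_port else [None]
    rules = []
    for proto in protos:
        parts = ["iptables", "-A", "ufw-user-input"]
        if proto:
            parts += ["-p", proto]
        if spec["src"] != "any":
            parts += ["-s", spec["src"]]
        if spec["dst"] != "any":
            parts += ["-d", spec["dst"]]
        if spec["sport"] is not None:
            parts += ["--sport", str(spec["sport"])]
        if spec["dport"] is not None:
            parts += ["--dport", str(spec["dport"])]
        parts += ["-j", target]
        rules.append(" ".join(parts))
    return rules


def translate(rule):
    return to_iptables(parse_ufw_rule(rule))


def rule_matches(spec, proto, src, sport, dst, dport):
    """Would a packet with these headers match the parsed rule in INPUT?"""
    if spec["proto"] and spec["proto"] != proto:
        return False
    for key, addr in (("src", src), ("dst", dst)):
        net = spec[key]
        if net != "any" and ipaddress.ip_address(addr) not in \
                ipaddress.ip_network(net, strict=False):
            return False
    if spec["sport"] is not None and spec["sport"] != sport:
        return False
    if spec["dport"] is not None and spec["dport"] != dport:
        return False
    return True


# Constructed packet: the slave's SYN towards the master over the VPN.
# The client side uses an ephemeral source port, so only a dpt rule matches.
SLAVE_SYN = dict(proto="tcp", src="10.1.2.5", sport=49152,
                 dst="10.1.2.1", dport=3306)

if __name__ == "__main__":
    for rule in ("ufw allow proto tcp from 10.1.2.0/24 port mysql",
                 "ufw allow proto tcp from 10.1.2.0/24 to any port mysql"):
        spec = parse_ufw_rule(rule)
        print(rule, "->", to_iptables(spec),
              "matches slave SYN:", rule_matches(spec, **SLAVE_SYN))
```

Run it and the first rule renders with `--sport 3306` and fails to match the slave's connection, while the second renders with `--dport 3306` and matches; that is exactly the spt/dpt difference shown in the `iptables -L ufw-user-input -vn` listings above.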

