We are using an Ubuntu 12.04 x64 LTS VPS. The firewall being used is UFW.
I have set up a Varnish + LEMP stack, along with other things, including an Openswan IPsec VPN from our office to the VPS data center. A second in-house Ubuntu box is to act as MySQL slave and fetch data from the VPS through the VPN.
The master's ppp0 is seen as 10.1.2.1 from the slave; they ping each other, etc.
I have done the various required tasks, but I can't get the client (slave) MySQL (nor telnet 10.1.2.1 3306) to access the master through the VPN unless I issue this fairly obvious iptables command:
iptables -A INPUT -s 10.1.2.0/24 -p tcp --dport 3306 -j ACCEPT
I willingly forced the accepted input to come from the last octet.
With this rule everything works just fine!
However I want to translate this command to UFW syntax so to keep everything in one place.
Now, I admit to being inexperienced with UFW; I prepared rules like:
ufw allow proto tcp from 10.1.2.0/24 port mysql
and 2-3 variations involving specifying 3306 instead of mysql, specifying a target IP (MySQL's my.cnf at the moment is configured as 0.0.0.0) and similar, but I just don't seem to be able to replicate the simple iptables rule in a functional way.
Could anyone kindly give me a suggestion other than dumping UFW?
Thanks in advance.
Answer
The command
ufw allow proto tcp from 10.1.2.0/24 port mysql
adds the following to iptables
iptables -L ufw-user-input -vn
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 10.1.2.0/24 0.0.0.0/0 tcp spt:3306
Note the spt:
This says the source port of the packet needs to be 3306. You need to tell UFW to allow packets with a destination port of 3306.
ufw allow proto tcp from 10.1.2.0/24 to any port mysql
which adds a rule like this
iptables -L ufw-user-input -vn
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 10.1.2.0/24 0.0.0.0/0 tcp dpt:3306
which will allow packets destined to port 3306 from 10.1.2.0/24.
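As an added example (not part of the original answer), here is a small POSIX shell check that reads an `iptables -L ufw-user-input -vn` listing and reports whether the subnet's ACCEPT rule matches the destination port (what the second ufw command produces) or only the source port (what the first one produces). The listings below are constructed to mirror the two outputs shown above; on a real box you would pipe the live listing in instead.

```shell
#!/bin/sh
# Constructed sample: the listing produced by
#   ufw allow proto tcp from 10.1.2.0/24 port mysql
# (note spt:3306 = source port match, which is the mistake).
WRONG_LISTING='Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       10.1.2.0/24          0.0.0.0/0            tcp spt:3306'

# Constructed sample: the listing produced by
#   ufw allow proto tcp from 10.1.2.0/24 to any port mysql
# (dpt:3306 = destination port match, which is what the slave needs).
RIGHT_LISTING='Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       10.1.2.0/24          0.0.0.0/0            tcp dpt:3306'

# Constructed sample: an empty chain, i.e. no rule at all yet.
EMPTY_LISTING='Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination'

# classify_port_rule LISTING SOURCE_NET PORT
# Scans the -vn listing (fields: pkts bytes target prot opt in out src dst proto match)
# and prints one of:
#   ok        an ACCEPT tcp rule from SOURCE_NET matches dpt:PORT
#   spt-only  the only ACCEPT tcp rule for that port from SOURCE_NET matches spt:PORT
#   missing   no ACCEPT tcp rule for that port from SOURCE_NET exists
classify_port_rule() {
    listing=$1; src=$2; port=$3
    printf '%s\n' "$listing" | awk -v src="$src" -v port="$port" '
        BEGIN { dpt = "dpt:" port; spt = "spt:" port }
        $3 == "ACCEPT" && $4 == "tcp" && $8 == src && $11 == dpt { has_dpt = 1 }
        $3 == "ACCEPT" && $4 == "tcp" && $8 == src && $11 == spt { has_spt = 1 }
        END {
            if (has_dpt)      print "ok"
            else if (has_spt) print "spt-only"
            else              print "missing"
        }'
}

# Stand-alone run: shows how each sample listing is classified.
echo "wrong rule : $(classify_port_rule "$WRONG_LISTING" 10.1.2.0/24 3306)"
echo "right rule : $(classify_port_rule "$RIGHT_LISTING" 10.1.2.0/24 3306)"
echo "empty chain: $(classify_port_rule "$EMPTY_LISTING" 10.1.2.0/24 3306)"
```

On a live system the same function can be fed the real chain with `classify_port_rule "$(iptables -L ufw-user-input -vn)" 10.1.2.0/24 3306`; a result of spt-only is the symptom described in the answer, and the fix is the `to any port` form of the ufw command.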