I'm setting up a test/lab environment for a team of developers who also happen to need a database.
I've set up a CentOS 7 VPS onto which I've installed the application server, the database and an OpenVPN instance.
I'm using iptables to filter the traffic, and nothing but 1194/udp is exposed to the internet; I'm accepting just what I need from the tunnel interface. (I'm actually accepting 22/tcp from the internet temporarily, because I'm fiddling with the VPN config. I'm using SSH keys and root cannot log in remotely anyway.)
The problem is that I can reach the server via SSH, and I also see the application landing page (which is served at 8080/tcp), but I can't connect to the database.
Here are the firewall rules:
[root@grolloserver ~]# iptables -nvL
Chain INPUT (policy DROP 198 packets, 19717 bytes)
pkts bytes target prot opt in out source destination
48218 4934K f2b-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
25541 1143K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 120 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
72983 14M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
31 1302 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
2 1570 ACCEPT icmp -- tun0 * 0.0.0.0/0 0.0.0.0/0
2 92 ACCEPT tcp -- tun0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
1 44 ACCEPT tcp -- tun0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
0 0 ACCEPT tcp -- tun0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
36412 3741K LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
128 6608 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1077 packets, 287K bytes)
pkts bytes target prot opt in out source destination
Chain LOGGING (1 references)
pkts bytes target prot opt in out source destination
36412 3741K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "iptables dropped: "
Chain f2b-SSH (1 references)
pkts bytes target prot opt in out source destination
Things I've tried:
- Setting the default INPUT policy to ACCEPT - didn't work
- Binding mariadb to eth0 and accepting (for 30 seconds) traffic from everywhere (I could connect to the DB)
- Binding mariadb to tun0 - didn't work
- Binding mariadb to every interface (both by setting bind-address to 0.0.0.0 and by commenting it out)
- Stopping mariadb and setting sshd to listen on both 22 and 3306 (I couldn't connect to 3306)
- Sniffing the traffic, I see 3306/tcp coming from tun0, but putting a rule as INPUT #1 to log every 3306/tcp packet didn't show anything
Firewalld is masked and stopped.
SELinux is disabled.
mssfix is set to 1430 (1470, the MTU with which I can successfully ping the VPN gateway, minus 40).
Do you guys have any advice?
Thanks.
EDIT: I forgot to mention, the connection times out after ~15 seconds. The iptables counters are at zero (I didn't reset them). ss -nal4 shows mariadb listening on the tun0 interface IP address.
Answer
Solved!
The problem was that I had set a PREROUTING rule to NAT DB requests to another DB and, of course, I forgot about it.
That is the reason the traffic didn't even reach the INPUT chain.
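The symptom described in the question and resolved in the answer (packets visible on the wire, yet zero hits on the INPUT rules) is exactly what a forgotten DNAT in the nat table produces: the nat PREROUTING chain runs before the routing decision, so a rewritten packet is forwarded instead of being delivered locally and never enters filter INPUT. The following helper is an added example, not code from the original post. It checks an `iptables -t nat -nvL PREROUTING` listing for rules that rewrite a given port; the sample listing, the 10.8.0.50 address and the rule counters are constructed for the demo.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post): when a port is unreachable
# and the filter INPUT counters stay at zero, look in nat PREROUTING for rules that
# rewrite the destination (DNAT, REDIRECT, NETMAP) before INPUT is ever consulted.

# Constructed sample of `iptables -t nat -nvL PREROUTING`, modelled on the post:
# a forgotten DNAT sends 3306/tcp arriving on tun0 to another host (address made up).
SAMPLE_NAT_PREROUTING='Chain PREROUTING (policy ACCEPT 512 packets, 30720 bytes)
 pkts bytes target     prot opt in     out     source               destination
   17  1020 DNAT       tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306 to:10.8.0.50:3306
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080'

# rewrite_rules_for_port LISTING PORT: print every rule in LISTING whose target
# rewrites the destination and whose match is "dpt:PORT" (exact port, so 3306 does
# not match 33060). Columns of -nvL output: pkts bytes target prot opt in out src dst ...
rewrite_rules_for_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^Chain / || /^ *pkts +bytes/ { next }   # skip chain and column headers
        ($3 == "DNAT" || $3 == "REDIRECT" || $3 == "NETMAP") \
            && $0 ~ ("dpt:" port "( |$)") { print }
    '
}

# port_is_rewritten LISTING PORT: exit 0 if at least one rewrite rule hits PORT, else 1.
port_is_rewritten() {
    [ -n "$(rewrite_rules_for_port "$1" "$2")" ]
}

# Demo on the constructed sample. On a live host replace the sample with:
#   "$(iptables -t nat -nvL PREROUTING)"
if port_is_rewritten "$SAMPLE_NAT_PREROUTING" 3306; then
    echo "3306/tcp is rewritten in nat PREROUTING, so it never reaches filter INPUT:"
    rewrite_rules_for_port "$SAMPLE_NAT_PREROUTING" 3306
else
    echo "no nat PREROUTING rewrite for 3306/tcp; look elsewhere (routing, rp_filter, the service itself)"
fi
```

Running it against a real listing (`port_is_rewritten "$(iptables -t nat -nvL PREROUTING)" 3306`) gives a yes/no answer in one step; a hit also explains why a LOG rule at the top of INPUT stays silent, since the packet takes the FORWARD path after the rewrite. The check only recognises single-port `dpt:` matches, so rules written with `--dports` ranges would need a second pattern.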