MySQL port 3306 blocked in csf yet can still telnet to port 3306 from external host

Posted by Neek on Server Fault See other posts from Server Fault or by Neek
Published on 2012-11-08T04:47:04Z Indexed on 2012/11/08 5:05 UTC
Read the original article Hit count: 322

Filed under:
|

We have a Centos 6 VPS that was recently migrated to a new machine within the same web hosting company. It's running WHM/cPanel and has csf/lfd installed. csf is set up with mostly vanilla config. I'm no iptables expert, csf has not let me down before. If a port isn't in the TCP_IN list, it should be blocked on the firewall by iptables.

My problem is that I can telnet to port 3306 from an external host, yet I think iptables ought to be blocking 3306 because of csf's rules. We are now failing a security check because of this open port. (this output is obfuscated to protect the innocent: www.ourhost.com is the host with the firewall problem)

[root@nickfenwick log]# telnet www.ourhost.com 3306
Trying 158.255.45.107...
Connected to www.ourhost.com.
Escape character is '^]'.
HHost 'nickfenwick.com' is not allowed to connect to this MySQL serverConnection closed by foreign host.

So the connection is established, and MySQL refuses the connection due to its configuration. I need the network connection to be refused at the firewall level, before it reaches MySQL.

Using WHM's csf web UI I can see 'Firewall Configuration' includes a fairly sensible TCP_IN line:

TCP_IN: 20,21,22,25,53,80,110,143,222,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,8080

(lets ignore that I could trim that a little for now, my concern is that 3306 is not listed in that list)

When csf is restarted it logs the usual slew of output as it sets up iptables rules, for example what looks like it blocking all traffic and then allowing specific ports like SSH on 22:

[cut]
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  
[cut]
ACCEPT  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  state NEW tcp dpt:22 
[cut]

I can see that iptables is running, service iptables status returns a long list of firewall rules.

Here is my Chain INPUT section from service iptables status, hopefully that's enough to show how the firewall is configured.

Table: filter
Chain INPUT (policy DROP)
num  target     prot opt source               destination         
1    acctboth   all  --  0.0.0.0/0            0.0.0.0/0           
2    ACCEPT     tcp  --  217.112.88.10        0.0.0.0/0           tcp dpt:53 
3    ACCEPT     udp  --  217.112.88.10        0.0.0.0/0           udp dpt:53 
4    ACCEPT     tcp  --  217.112.88.10        0.0.0.0/0           tcp spt:53 
5    ACCEPT     udp  --  217.112.88.10        0.0.0.0/0           udp spt:53 
6    ACCEPT     tcp  --  8.8.4.4              0.0.0.0/0           tcp dpt:53 
7    ACCEPT     udp  --  8.8.4.4              0.0.0.0/0           udp dpt:53 
8    ACCEPT     tcp  --  8.8.4.4              0.0.0.0/0           tcp spt:53 
9    ACCEPT     udp  --  8.8.4.4              0.0.0.0/0           udp spt:53 
10   ACCEPT     tcp  --  8.8.8.8              0.0.0.0/0           tcp dpt:53 
11   ACCEPT     udp  --  8.8.8.8              0.0.0.0/0           udp dpt:53 
12   ACCEPT     tcp  --  8.8.8.8              0.0.0.0/0           tcp spt:53 
13   ACCEPT     udp  --  8.8.8.8              0.0.0.0/0           udp spt:53 
14   LOCALINPUT  all  --  0.0.0.0/0            0.0.0.0/0           
15   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
16   INVALID    tcp  --  0.0.0.0/0            0.0.0.0/0           
17   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
18   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20 
19   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
20   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
21   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25 
22   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53 
23   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
24   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110 
25   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143 
26   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:222 
27   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
28   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:465 
29   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:587 
30   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993 
31   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995 
32   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2077 
33   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2078 
34   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2082 
35   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2083 
36   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2086 
37   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2087 
38   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2095 
39   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2096 
40   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8080 
41   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:20 
42   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:21 
43   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53 
44   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:222 
45   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:8080 
46   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 
47   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0 
48   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11 
49   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 3 
50   LOGDROPIN  all  --  0.0.0.0/0            0.0.0.0/0           

What's the next thing to check?

© Server Fault or respective owner

Related posts about iptables

Related posts about csf