[ILUG] MySQL V4 with SSL has problems with iptables
paul at clubi.ie
Wed Oct 15 14:56:30 IST 2008
On Wed, 15 Oct 2008, Andrew McGill wrote:
> It sounds as if you have rules like this:
>
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT
> iptables -A INPUT -j DROP
>
> This would mean that traffic which is not known by the state table
> will get ignored. This means that the only way the client will
> know that its connection to the server has gone bad is that it will
> time out. (15 minutes is not such a bad timeout if you are going
> between continents.)
> You can change the ACCEPT rule to accept *any* traffic to port 3306,
> regardless of the state the firewall thinks the connection is in. That will
> give the kernel a chance to say "your connection has gone away" (or not):
>
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
> iptables -A INPUT -j DROP
Even better, just get rid of the state module entirely for TCP and
just filter out packets that have SYN set:
iptables -A ... -p !tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A ... -p tcp --dport 3306 -j ACCEPT
<insert other -p tcp --dport .... -j ACCEPT rules here>
iptables -A ... -p tcp --syn -j DROP
Hey presto, much more reliable firewalling of TCP. Using stateful
firewalling for TCP is just brain-dead, as a rule-of-thumb.
(Admins of networks with ancient, Win3.11/Win95-era OSes may disagree;
such admins are few these days.)
regards,
--
Paul Jakma paul at clubi.ie paul at jakma.org Key ID: 64A2FF6A
Fortune:
While we are sleeping, two-thirds of the world is plotting to do us in.
-- Dean Rusk
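Added example, not from the thread: a small first-match model of the two INPUT chains discussed above (Andrew's stateful one and Paul's SYN-only one), run over constructed packets that include the mid-stream segment whose conntrack entry has been lost, which is the failure mode the thread is about. The chain policy (DROP), the trailing TCP ACCEPT rule in Paul's chain and the port numbers are my assumptions; conntrack state is supplied as an input rather than computed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp", "udp", ...
    dport: int
    syn: bool     # SYN set and ACK clear, which is what "--syn" matches
    ctstate: str  # what "-m state" would report: NEW, ESTABLISHED, RELATED or INVALID

def evaluate(chain, pkt: Packet, policy: str = "DROP") -> str:
    """iptables semantics: the first matching rule decides, otherwise the chain
    policy applies (assumed DROP; the post does not show what follows its rules)."""
    for matches, target in chain:
        if matches(pkt):
            return target
    return policy

# Andrew's chain as quoted: stateful for everything, explicit final DROP.
STATEFUL = [
    (lambda p: p.ctstate in ("RELATED", "ESTABLISHED"), "ACCEPT"),
    (lambda p: p.proto == "tcp" and p.dport == 3306 and p.ctstate == "NEW", "ACCEPT"),
    (lambda p: True, "DROP"),
]

# Paul's chain: state module only for non-TCP, TCP filtered on SYN alone. The last
# rule is my reading of "just filter out packets that have SYN set" (assumption).
SYN_FILTER = [
    (lambda p: p.proto != "tcp" and p.ctstate in ("RELATED", "ESTABLISHED"), "ACCEPT"),
    (lambda p: p.proto == "tcp" and p.dport == 3306, "ACCEPT"),
    (lambda p: p.proto == "tcp" and p.syn, "DROP"),
    (lambda p: p.proto == "tcp", "ACCEPT"),  # non-SYN TCP: let the kernel answer (RST or data)
]

# Constructed traffic. "state lost" means conntrack no longer knows the flow (firewall
# restart, table flush); with strict TCP tracking such segments are reported as INVALID.
SCENARIOS = {
    "new connection to mysql":               Packet("tcp", 3306, True, "NEW"),
    "mysql data after state loss":           Packet("tcp", 3306, False, "INVALID"),
    "reply to our outbound tcp, state lost": Packet("tcp", 40512, False, "INVALID"),
    "syn probe of a closed port":            Packet("tcp", 22, True, "NEW"),
    "dns reply to our own query":            Packet("udp", 53123, False, "ESTABLISHED"),
}

def compare(scenarios=SCENARIOS) -> dict:
    """Verdict of each chain per scenario as (stateful, syn_filter)."""
    return {n: (evaluate(STATEFUL, p), evaluate(SYN_FILTER, p)) for n, p in scenarios.items()}

if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:40} stateful={a:6} syn-filter={b}")
```

The second and third scenarios are the ones that matter: the stateful chain drops a segment it has forgotten silently, so the peer only learns of the problem by timing out, while the SYN-only chain passes it to the kernel, which can reset or continue the connection.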