iptables how to close mysql port 3306

Andrew Kelly akelly at corisweb.org
Tue Apr 4 08:55:45 UTC 2006


On Tue, 2006-04-04 at 10:32 +0200, Administrator TOOTAI wrote:
> Andrew Kelly wrote:
> > On Tue, 2006-04-04 at 01:28 +0200, Maxim Vexler wrote:
> >   
> >> On 4/4/06, Ted Potter <tpotter at techmarin.com> wrote:
> >>     
> >>> On 4/3/06, Ted Potter <tpotter at techmarin.com> wrote:
> >>>       
> >>>> On 4/3/06, A. Khattri <ajai at bway.net> wrote:
> >>>>         
> >>>>> On Mon, 3 Apr 2006, Ted Potter wrote:
> >>>>>
> >>>>>           
> >>>>>> To make it fun, no I can not install anything. No there is not gui.
> >>>>>> Everything I do must be from
> >>>>>> the command line on the box. Bout the only blessing is I can ssh in to the
> >>>>>> box as root.
> >>>>>>
> >>>>>> Thanks for any who care to play and share.
> >>>>>>
> >>>>>> PS
> >>>>>>
> >>>>>> I tried the following:
> >>>>>>
> >>>>>> iptables -A INPUT -p tcp -d 3306 -j REJECT
> >>>>>>
> >>>>>> then I see
> >>>>>>
> >>>>>> iptables --list
> >>>>>> REJECT tcp -- anywhere 0.0.12.234 reject-wthi icmp-port-unreachable
> >>>>>>
> >>>>>> and I can still log on to the server remotely.
> >>>>>>             
> >>>>> Much easier to edit /etc/my.cnf and tell MySQL to not use networking
> >>>>> (skip-networking) or tell it to listen on 127.0.0.1 (bind-address).
> >>>>>           
> >>>> Thanks for the tip, however I can find no such file on the server. Darn it
> >>>> that would have been a sweet fix.
> >>>>
> >>>> Thank you !
> >>>>
> >>>> Ted
> >>>>         
> >>> ok so I tried this
> >>> # iptables -A INPUT -p tcp  -dports 3306 -j DROP
> >>> Bad argument 3306
> >>> #
> >>> huh ? the manual states -dports is a valid alias for --destination-ports
> >>>
> >>> OK so
> >>> [root at d7148 bin]# iptables -A INPUT -p tcp  -dports 3306 -j DROP
> >>> Bad argument `3306'
> >>> Try `iptables -h' or 'iptables --help' for more information.
> >>> [root at d7148 bin]# iptables -A INPUT -p tcp  --dports 3306 -j DROP
> >>> iptables v1.2.8: Unknown arg `--dports'
> >>> Try `iptables -h' or 'iptables --help' for more information.
> >>> [root at d7148 bin]#
> >>> [root at d7148 bin]# iptables -A INPUT -p tcp  --destination-ports  3306 -j DROP
> >>> iptables v1.2.8: Unknown arg `--destination-ports'
> >>> Try `iptables -h' or 'iptables --help' for more information.
> >>> [root at d7148 bin]# iptables -A INPUT -p tcp  -destination-ports  3306 -j DROP
> >>> Bad argument `3306'
> >>> Try `iptables -h' or 'iptables --help' for more information.
> >>>
> >>> Any other ideas ? - for now I am going to find a cli interface that might help
> >>> get this done.
> >>>
> >>>       
> >> For tcp it [-dport] && [--destination-port], that is no ('s) at the end.
> >> Other than that the filter looks OK.
> >>     
> >
> > No, no, dports and destination-ports were correct. The problem is that
> > a double hyphen is required and appears to have been forgotten.
> >
> > 	--dports and NOT -dports
> >   
> Hmmh, Debian SARGE:
> 
> # Accept http from our Network's
>     $IPTABLES -A INPUT -i ! $EXTERNAL_DEVICE    -p TCP  --dport 80   -j ACCEPT

I'm sorry, you're absolutely right, of course. I tripped over my use of
the multiport extension. My bad.

But it was still the missing hyphen in --dport(s) causing the problems.

Andy
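An added check, not part of this thread, for the two failure modes discussed above, run against a constructed iptables-save dump: the rule typed as `-d 3306` lands as the destination address 0.0.12.234 (the integer 3306 parsed as a host address) and blocks nothing, while only a DROP/REJECT rule with `--dport 3306`, or a multiport `--dports` list containing 3306, actually closes the port. The sample dump and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Audits iptables-save text so the
# outcome of the rules can be checked instead of trusting "iptables --list".

# Constructed sample: the mistaken rule from the thread plus a correct one.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -d 0.0.12.234/32 -p tcp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
COMMIT'

# Print 1 if some INPUT rule in $1 drops or rejects TCP port 3306, either via
# the tcp match ("--dport 3306") or via multiport ("--dports" list), else 0.
blocks_mysql() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && / -p tcp / && /-j (DROP|REJECT)/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport" && $(i + 1) == "3306") found = 1
                if ($i == "--dports") {
                    n = split($(i + 1), ports, ",")
                    for (k = 1; k <= n; k++) if (ports[k] == "3306") found = 1
                }
            }
        }
        END { print (found ? 1 : 0) }'
}

# Print 1 if any rule has a destination inside 0.0.0.0/8, the tell-tale of a
# port number typed where an address belongs (3306 became 0.0.12.234), else 0.
typed_port_as_address() {
    printf '%s\n' "$1" | awk '
        /^-A / {
            for (i = 1; i <= NF; i++) if ($i == "-d" && $(i + 1) ~ /^0\./) bad = 1
        }
        END { print (bad ? 1 : 0) }'
}

# Stand-alone run: audit the constructed sample.
echo "blocks 3306: $(blocks_mysql "$SAMPLE_RULES")"           # 1
echo "port typed as address: $(typed_port_as_address "$SAMPLE_RULES")"  # 1
```

On a live box, feed `iptables-save` output into the same functions; a 0 from the first check means the port is still reachable no matter what the listing looks like.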
More information about the Redhat-install-list mailing list