We have a Centos 6 VPS that was recently migrated to a new machine within the same web hosting company. It's running WHM/cPanel and has csf/lfd installed. csf is set up with mostly vanilla config. I'm no iptables expert, csf has not let me down before. If a port isn't in the TCP_IN list, it should be blocked on the firewall by iptables.
My problem is that I can telnet to port 3306 from an external host, yet I think iptables ought to be blocking 3306 because of csf's rules. We are now failing a security check because of this open port. (this output is obfuscated to protect the innocent: www.ourhost.com is the host with the firewall problem)
[root@nickfenwick log]# telnet www.ourhost.com 3306
Trying 158.255.45.107...
Connected to www.ourhost.com.
Escape character is '^]'.
HHost 'nickfenwick.com' is not allowed to connect to this MySQL serverConnection closed by foreign host.
So the connection is established, and MySQL refuses the connection due to its configuration. I need the network connection to be refused at the firewall level, before it reaches MySQL.
Using WHM's csf web UI I can see 'Firewall Configuration' includes a fairly sensible TCP_IN line:
TCP_IN: 20,21,22,25,53,80,110,143,222,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,8080
(lets ignore that I could trim that a little for now, my concern is that 3306 is not listed in that list)
When csf is restarted it logs the usual slew of output as it sets up iptables rules, for example what looks like it blocking all traffic and then allowing specific ports like SSH on 22:
[cut]
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
[cut]
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:22
[cut]
I can see that iptables is running, service iptables status
returns a long list of firewall rules.
Here is my Chain INPUT
section from service iptables status
, hopefully that's enough to show how the firewall is configured.
Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 acctboth all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT tcp -- 217.112.88.10 0.0.0.0/0 tcp dpt:53
3 ACCEPT udp -- 217.112.88.10 0.0.0.0/0 udp dpt:53
4 ACCEPT tcp -- 217.112.88.10 0.0.0.0/0 tcp spt:53
5 ACCEPT udp -- 217.112.88.10 0.0.0.0/0 udp spt:53
6 ACCEPT tcp -- 8.8.4.4 0.0.0.0/0 tcp dpt:53
7 ACCEPT udp -- 8.8.4.4 0.0.0.0/0 udp dpt:53
8 ACCEPT tcp -- 8.8.4.4 0.0.0.0/0 tcp spt:53
9 ACCEPT udp -- 8.8.4.4 0.0.0.0/0 udp spt:53
10 ACCEPT tcp -- 8.8.8.8 0.0.0.0/0 tcp dpt:53
11 ACCEPT udp -- 8.8.8.8 0.0.0.0/0 udp dpt:53
12 ACCEPT tcp -- 8.8.8.8 0.0.0.0/0 tcp spt:53
13 ACCEPT udp -- 8.8.8.8 0.0.0.0/0 udp spt:53
14 LOCALINPUT all -- 0.0.0.0/0 0.0.0.0/0
15 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
16 INVALID tcp -- 0.0.0.0/0 0.0.0.0/0
17 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
18 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20
19 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
20 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
21 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
22 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
23 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
24 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
25 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:143
26 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:222
27 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
28 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465
29 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:587
30 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:993
31 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995
32 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2077
33 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2078
34 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2082
35 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2083
36 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2086
37 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2087
38 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2095
39 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2096
40 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8080
41 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:20
42 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:21
43 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
44 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:222
45 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:8080
46 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
47 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
48 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
49 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
50 LOGDROPIN all -- 0.0.0.0/0 0.0.0.0/0
What's the next thing to check?