
I don't quite understand how I can connect to my database on port 3306, if my server is supposed to block everything but the shown ports.

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1     193K   12M DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
    2     1934  118K            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
    3     531K  189M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    4        3   192 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    5       17  1262 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    6       66  6255 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    7        2   420 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
    8        1   376 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
    9     1928  117K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1     524K  149M ACCEPT     all  --  *      *       10.10.10.0/24        0.0.0.0/0            policy match dir in pol ipsec proto 50
    2     413K  659M ACCEPT     all  --  *      *       0.0.0.0/0            10.10.10.0/24        policy match dir out pol ipsec proto 50
    3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

The only idea I have is that the ESTABLISHED option may have allowed the port through before the firewall was set up. But still, surely port 3306 must appear somewhere. Otherwise, how does it still know after a reboot which ports were established previously?

Houman

2 Answers


Outbound traffic to the MySQL RDS instance is allowed unless explicitly denied in an outbound rule.

Mike Marseglia
  • We don't know that, as the posted rules are incomplete. – Michael Hampton Dec 05 '17 at 21:04
  • @MichaelHampton yes, the rules are incomplete. But iptables applies the first rule that matches. We're looking at the first 9 rules. Doesn't that mean these rules will be applied first? I'm genuinely curious, in what situation would an unknown rule be applied? Are you thinking of a rule chain or something? – Mike Marseglia Dec 05 '17 at 22:13
  • The incomplete rules shown in the post do not show the interfaces to which the rules apply. It is very likely that the rule you are referring to is the common firewall rule which accepts all on the `lo` interface. This may or may not match the traffic in question, but the user wasn't specific about where that traffic originated. – Michael Hampton Dec 05 '17 at 22:52
  • Thank you, both. I have now added `-v` and hope to have clarified the missing piece of information. Would you mind confirming that this is really the 5th rule causing this? In other words, is my firewall still too open? Please keep in mind this is an IPsec (IKEv2) VPN server. – Houman Dec 06 '17 at 10:23
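To see why the connection to RDS on port 3306 succeeds although 3306 appears in no INPUT rule, here is an added Python model of the posted INPUT chain (example code, not from the question or either answer). It assumes an OUTPUT chain with no rules and policy ACCEPT, folds the two `recent` rules into a plain per-source counter, and uses constructed addresses for the VPN server (10.10.10.1) and the RDS endpoint (203.0.113.10).

```python
# (in_iface, proto, dport, state, target); None means "*"/any. Mirrors the
# posted INPUT chain; rules 1+2 are folded into one counter, INVALID not modelled.
INPUT_RULES = [
    ("eth0", None, None, "NEW", "RECENT"),                # rules 1+2: hit_count 12
    (None, None, None, "RELATED,ESTABLISHED", "ACCEPT"),  # rule 3
    (None, "tcp", 22, None, "ACCEPT"),                    # rule 4
    ("lo", None, None, None, "ACCEPT"),                   # rule 5
    (None, None, None, "INVALID", "DROP"),                # rule 6
    (None, "udp", 500, None, "ACCEPT"),                   # rule 7
    (None, "udp", 4500, None, "ACCEPT"),                  # rule 8
    (None, None, None, None, "DROP"),                     # rule 9: catch-all
]
RDS = "203.0.113.10"  # constructed placeholder for the RDS endpoint
HOST = "10.10.10.1"   # constructed address of the VPN server itself

def conntrack_state(conntrack, pkt):
    """Reply to a flow conntrack has seen -> ESTABLISHED, else NEW. The table
    lives in kernel memory: it is empty after a reboot and refilled only by
    flows the host itself sends or accepts, so no port list is persisted."""
    reply_of = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return "ESTABLISHED" if reply_of in conntrack else "NEW"

def input_verdict(pkt, conntrack, recent):
    """Walk INPUT top to bottom; the first matching rule decides (policy ACCEPT)."""
    state = conntrack_state(conntrack, pkt)
    for iface, proto, dport, rstate, target in INPUT_RULES:
        if (iface and pkt["in"] != iface) or (proto and pkt["proto"] != proto):
            continue
        if (dport and pkt["dport"] != dport) or (rstate and state not in rstate.split(",")):
            continue
        if target == "RECENT":  # count NEW attempts per source, drop past hit_count 12
            recent[pkt["src"]] = recent.get(pkt["src"], 0) + 1
            if recent[pkt["src"]] > 12:
                return "DROP"
            continue
        return target
    return "ACCEPT"

def mysql_reply_verdict():
    """Server opened the RDS connection (OUTPUT empty, SYN tracked): the SYN-ACK
    arriving on eth0 is ESTABLISHED and matches rule 3 before the catch-all DROP."""
    conntrack = {(HOST, 40000, RDS, 3306)}  # outbound SYN recorded by conntrack
    synack = {"in": "eth0", "proto": "tcp", "src": RDS, "sport": 3306,
              "dst": HOST, "dport": 40000}
    return input_verdict(synack, conntrack, {})

def unsolicited_3306_verdict():
    """Inbound SYN to 3306 the host never initiated is NEW and falls to rule 9."""
    syn = {"in": "eth0", "proto": "tcp", "src": "198.51.100.7", "sport": 5555,
           "dst": HOST, "dport": 3306}
    return input_verdict(syn, set(), {})
```

So the INPUT chain never needs a 3306 rule: the connection is outbound and only its replies traverse INPUT, where rule 3 accepts them.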

It is common for mysql to listen on 'localhost' or '127.0.0.1'. This address is usually assigned to the lo device. Looking at your rules:

    num   pkts bytes target     prot opt in     out     source               destination
    1     193K   12M DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

This DROPs all packets arriving on the eth0 interface.

    num   pkts bytes target     prot opt in     out     source               destination
    5       17  1262 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

This allows all packets arriving on the lo interface. Your mysql is listening on an IP address associated with the lo interface (127.0.0.1) and therefore packets get to the correct destination.

user9517
  • Thank you. This is really interesting. I'm connecting to a MySQL instance on the RDS though. It's not localhost. (AWS). Still a bit of a mystery to me. Where would I find the IP address associated with the `lo` interface, please? Is that still done with iptables? – Houman Dec 06 '17 at 12:24
  • RDS is a remote service. To block it you need to work on the OUTPUT chain. – user9517 Dec 06 '17 at 13:46
  • Isn't it a bi-directional connection in that case? So shouldn't both input and output be affected? I don't wish to block it though. Just to understand how a remote service can connect to the lo-interface. – Houman Dec 06 '17 at 14:22