Problem: MySQL port 3306 is open and publicly accessible. I want to close it.

Firewall status

$ sudo firewall-cmd --state
running
$ sudo firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client https http
  ports: 80/tcp 443/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
$ nmap IP
Starting Nmap 7.70 
..cut..
Host is up (0.47s latency).
Not shown: 994 filtered ports
PORT     STATE  SERVICE
22/tcp   closed ssh
80/tcp   open   http
443/tcp  open   https
3306/tcp open   mysql

Why is port 3306 open? Why aren't the ports closed by default?

Putr

1 Answer

So I figured it out.

Port 3306 was exposed with Docker, and Docker bypasses typical iptables rules. So .. yeah.

The solution was to change the docker-compose.yml configuration from

ports:
 - 3306:3306

to

expose:
 - 3306

where expose will not expose the port publicly, only to other containers.

Putr
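To catch this kind of exposure before deployment, the following added example (not code from the post) scans a Compose file for short-syntax `ports:` entries and flags those published on a non-loopback host address, while ignoring `expose:`. The line-based scan, the sample file and the function names are assumptions of the example; it also recognises a `127.0.0.1:` host binding, an option the answer does not mention.

```python
import ipaddress
import re

# Compose short syntax: [[HOST_IP:]HOST_PORT:]CONTAINER_PORT[/PROTOCOL]
IP = r"\[[0-9a-fA-F:]+\]|\d+\.\d+\.\d+\.\d+"
PORT_RE = re.compile(rf"^(?:(?:(?P<ip>{IP}):)?[\d-]*:)?[\d-]+(?:/\w+)?$")

# Constructed sample, trimmed to the keys this check reads.
SAMPLE = """\
services:
  db:
    ports:
     - 3306:3306
  cache:
    expose:
     - 6379
  admin:
    ports:
      - "127.0.0.1:8080:8080"
      - "8443:443/tcp"
"""

def port_entries(text):
    """Yield (line_number, entry) for each list item under a `ports:` key."""
    in_ports, key_indent = False, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        item = raw.split(" #")[0].strip()
        if not item:
            continue
        indent = len(raw) - len(raw.lstrip())
        if in_ports and item.startswith("- ") and indent >= key_indent:
            yield lineno, item[2:].strip().strip("\"'")
        else:
            in_ports, key_indent = item == "ports:", indent

def verdict(entry):
    """Classify one entry: published, loopback-only, or unparsed."""
    m = PORT_RE.match(entry)
    if not m:
        return "unparsed"  # e.g. long syntax; review by hand
    if m["ip"] and ipaddress.ip_address(m["ip"].strip("[]")).is_loopback:
        return "loopback-only"
    return "published"  # no host IP means all host interfaces

def audit(text):
    return [(n, e, verdict(e)) for n, e in port_entries(text)]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Entries reported as `published` are the ones to compare against an external scan such as the nmap run in the question.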