Firewall security question

Hi all,

I have two linodes. The first one is running MySql and I want to connect to it from the second one.

Currently the iptables firewall rules for the first linode are the following:

*filter

#  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allows all outbound traffic
-A OUTPUT -j ACCEPT

# Allows HTTP connections from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT

#  Allows SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

I'm planning to add the following rule:

-A INPUT -s 192.168.XXX.XXX -d 192.168.YYY.YYY -p tcp --dport 3306 -j ACCEPT

Where 192.168.XXX.XXX is the private IP of the linode from where I want to connect and 192.168.YYY.YYY is the private IP of the linode where MySql is running.

I am not an expert in iptables so I'm asking here if this looks OK. Thanks

8 Replies

@fergtm:

-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
Typo, should be:

-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT

I wouldn't recommend mysql bound to your public IP address. Also, if you are concerned about privacy, I would encrypt your private traffic between your nodes.

Travis

Linode private IPs are only private to the data centre, so in theory, if a linode in the same centre got cracked, they could sniff your traffic, so at the very least use https between your linodes; if you start using more services between them, then consider using a VPN. http://library.linode.com/networking/openvpn/

@obs:

Linode private IPs are only private to the data centre, so in theory, if a linode in the same centre got cracked, they could sniff your traffic, so at the very least use https between your linodes; if you start using more services between them, then consider using a VPN. http://library.linode.com/networking/openvpn/

No, they can't sniff your traffic, because the linode can't enter promiscuous mode no matter how compromised it gets. They'd have to compromise the host machine to do that.

@Guspaz:

No, they can't sniff your traffic, because the linode can't enter promiscuous mode no matter how compromised it gets. They'd have to compromise the host machine to do that.
Even that wouldn't likely help on average since it's extremely unlikely the private network isn't a switched fabric, so at best you'd be able to see broadcast traffic, not random unicast traffic between Linode pairs.

Unless you cracked the host machine on which one of the endpoint Linodes resided (since then you've got a box that is middle man in the stream), but in that case there are bigger problems than traffic sniffing…

To the OP, another option you might consider is just opening up a general hole (any port) but limit it specifically to the private IP address of the opposing Linode. Locks traffic down fairly well, but no maintenance overhead over time if you wish to do more than just database operations between the nodes.

-- David

Oh cool, didn't know that, good to know.

@otherbbs:

@fergtm:

-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
Typo, should be:

-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT

Travis

Thanks. The firewall has been running with that typo for a while. I just copied the rules from a tutorial; what exactly was it doing wrong?

@Guspaz:

@obs:

Linode private IPs are only private to the data centre, so in theory, if a linode in the same centre got cracked, they could sniff your traffic, so at the very least use https between your linodes; if you start using more services between them, then consider using a VPN. http://library.linode.com/networking/openvpn/

No, they can't sniff your traffic, because the linode can't enter promiscuous mode no matter how compromised it gets. They'd have to compromise the host machine to do that.

So basically the current configuration looks OK? I've already made the changes. Using nmap against the public IP shows only http/https/ssh open and the rest of the ports as filtered.

@db3l:

To the OP, another option you might consider is just opening up a general hole (any port) but limit it specifically to the private IP address of the opposing Linode. Locks traffic down fairly well, but no maintenance overhead over time if you wish to do more than just database operations between the nodes.

– David

Not sure how to do this. Is that allowing all traffic from the other Linode?

@fergtm:

@db3l:

To the OP, another option you might consider is just opening up a general hole (any port) but limit it specifically to the private IP address of the opposing Linode. Locks traffic down fairly well, but no maintenance overhead over time if you wish to do more than just database operations between the nodes.

– David

Not sure how to do this. Is that allowing all traffic from the other Linode?
Right - just have a single allow rule (ACCEPT action) for a source IP address of your other Linode.

Something like "-A INPUT -s #.#.#.# -j ACCEPT". Then do the same on the other end, with the opposing IP address.

– David

@fergtm:

Thanks. The firewall has been running with that typo for a while. I just copied the rules from a tutorial; what exactly was it doing wrong?
The ! (NOT) was in the wrong location. The -i is for the interface. As posted it was 'NOT --interface lo' (local), which should have produced an error. The ! (NOT) can be used after -s (source), -d (destination), etc.

The rule you posted originally you were going to add will work, but since you are REJECTing all other traffic you will probably need a rule for both directions, such as:

-A INPUT -s 192.168.XXX.XXX -d 192.168.YYY.YYY -p tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.YYY.YYY -d 192.168.XXX.XXX -p tcp --sport 3306 -j ACCEPT

Note the --dport and --sport. Also, the order of the rules makes a difference.

--

Travis
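Added example (not from the thread or from any poster): a toy first-match evaluator for a small subset of iptables INPUT syntax, showing why the rule order mentioned above matters. The chain is walked top to bottom and the first matching target wins, so the MySQL ACCEPT only works when it sits above the catch-all `-A INPUT -j REJECT`. The two private IPs are constructed stand-ins for the thread's 192.168.XXX.XXX and 192.168.YYY.YYY placeholders; only -s, -d, -p, --dport, --sport and -j are understood.

```python
"""Toy first-match evaluator for a subset of iptables INPUT rules.

Models how the kernel walks a chain top to bottom and takes the first
matching target. Match modules such as '-m state' are not understood and
are simply ignored; the IPs below are constructed sample values.
"""
import shlex

APP_HOST = "192.168.200.10"  # constructed stand-in for 192.168.XXX.XXX (client)
DB_HOST = "192.168.200.20"   # constructed stand-in for 192.168.YYY.YYY (MySQL)

# option flag -> packet field it constrains
OPTS = {"-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport",
        "--sport": "sport", "-j": "target"}

def parse_rule(line):
    """Turn '-A INPUT -s a -d b -p tcp --dport 3306 -j ACCEPT' into a dict."""
    toks = shlex.split(line)
    rule = {}
    for flag, field in OPTS.items():
        if flag in toks:
            rule[field] = toks[toks.index(flag) + 1]
    for field in ("dport", "sport"):
        if field in rule:
            rule[field] = int(rule[field])
    return rule

def evaluate(rules, pkt):
    """Return the target of the first rule whose set criteria all match pkt.

    A rule with no criteria (e.g. '-A INPUT -j REJECT') matches everything,
    which is exactly why anything appended after it is never reached.
    """
    for rule in map(parse_rule, rules):
        if all(pkt.get(k) == v for k, v in rule.items() if k != "target"):
            return rule["target"]
    return "POLICY"  # fell off the end of the chain: the chain policy applies

MYSQL_RULE = f"-A INPUT -s {APP_HOST} -d {DB_HOST} -p tcp --dport 3306 -j ACCEPT"
CATCH_ALL = "-A INPUT -j REJECT"

def mysql_verdict(ordered_rules):
    """Verdict for a new MySQL connection from the app host to the DB host."""
    pkt = {"src": APP_HOST, "dst": DB_HOST, "proto": "tcp", "dport": 3306}
    return evaluate(ordered_rules, pkt)

if __name__ == "__main__":
    print(mysql_verdict([MYSQL_RULE, CATCH_ALL]))  # ACCEPT: allow sits first
    print(mysql_verdict([CATCH_ALL, MYSQL_RULE]))  # REJECT: appended too late
```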
