Remote Access to Mysql Database


Postby iboam » Sat Jun 22, 2019 8:33 pm

Hi everyone, I need access to the MySQL database from a remote location (hosting server). I want to insert/edit the vicidial_list table, but with the firewall on I'm unable to connect; if the firewall is off it works perfectly. Any solutions?
ViciBox: 11 | VERSION: 2.14-897a BUILD: 230927-0857 | Clusters: 1 DB-WEB-ASTX | SSL | WebRTC | Wallboard | DNC Nightly Scrubber
iboam
 
Posts: 258
Joined: Mon Feb 08, 2016 2:35 pm

Re: Remote Access to Mysql Database

Postby ambiorixg12 » Sat Jun 22, 2019 9:02 pm

Whitelist the MySQL port (3306) for the trusted IP. I use iptables for that; I don't have expertise using YaST.
ambiorixg12
 
Posts: 453
Joined: Tue Sep 17, 2013 10:35 pm

Re: Remote Access to Mysql Database

Postby williamconley » Sat Jun 22, 2019 9:04 pm

ambiorixg12 wrote: Whitelist the MySQL port (3306) for the trusted IP. I use iptables for that; I don't have expertise using YaST.

Very true. Example:

Code:
iptables -I INPUT 1 -s 99.99.99.99 -j ACCEPT


If you are "99.99.99.99" and you trust yourself, you're fairly safe. Just remember that it applies to everyone at that IP address, so if you're on your laptop at Starbucks ... everyone there is included. This example opens all ports so you'll have ssh access (for PuTTY) and web, phone registration, etc.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Remote Access to Mysql Database

Postby iboam » Sat Jun 22, 2019 10:10 pm

# CLEAR ALL IPTABLE RULES
iptables -F
iptables -X

# ALLOW SYSTEM TRAFFIC
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ALLOW ALL TRAFFIC FROM TRUSTED SOURCES #
iptables -A INPUT -s XXX.XXX.XXX.XXX -j ACCEPT #Home Office

iptables -A INPUT -s XXX.XXX.XXX.XXX -j ACCEPT #Remote Server

# T-MOBILE
iptables -A INPUT -s 100.128.0.0/9 -j ACCEPT #iPhone
iptables -A INPUT -s 172.32.0.0/11 -j ACCEPT #iPhone
iptables -A INPUT -s 208.54.0.0/17 -j ACCEPT #iPhone
iptables -A INPUT -s 208.54.128.0/19 -j ACCEPT #iPhone
iptables -A INPUT -s 50.28.192.0/18 -j ACCEPT #iPhone
iptables -A INPUT -s 162.160.0.0/11 -j ACCEPT #iPhone
iptables -A INPUT -s 206.29.160.0/19 -j ACCEPT #iPhone
iptables -A INPUT -s 216.155.160.0/20 -j ACCEPT #iPhone
iptables -A INPUT -s 66.94.0.0/19 -j ACCEPT #iPhone
iptables -A INPUT -s 72.250.0.0/17 -j ACCEPT #iPhone


#iptables -I INPUT -p tcp --match multiport --dports 80,443,8089 -s XXX.XXX.XXX.XXX -j ACCEPT
#iptables -I INPUT -p udp --match multiport --dports 8989,5060,5061,10000:25000 -s XXX.XXX.XXX.XXX -j ACCEPT

# SSL CERTIFICATE VERIFICATION
#iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# DROP ALL UNAUTHORIZED TRAFFIC
iptables -A INPUT -j DROP

# DROP ALL FORWARDING TRAFFIC
iptables -P FORWARD DROP

# ALLOW OUTBOUND TRAFFIC
iptables -P OUTPUT ACCEPT

iptables-save
iptables -vnL



I'm using these iptables rules to restrict all traffic to the server. Do I have to turn off the YaST firewall manually?
iboam
 
Posts: 258
Joined: Mon Feb 08, 2016 2:35 pm

Re: Remote Access to Mysql Database

Postby williamconley » Sun Jun 23, 2019 6:44 am

yast firewall is iptables. so you'd be shutting off the firewall you just built. which would probably be counterproductive. 8-)
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Remote Access to Mysql Database

Postby iboam » Sun Jun 23, 2019 2:30 pm

I'm trying these settings without results.

# CLEAR ALL IPTABLE RULES
iptables -F
iptables -X


At this point I'm able to connect to the database remotely, but the system is open to anyone.

Then I add my home office IP address and the remote server for the DB connection:
# ALLOW ALL TRAFFIC FROM TRUSTED SOURCES #
iptables -A INPUT -s XXX.XXX.XXX.XXX -j ACCEPT #Home Office
iptables -A INPUT -s XXX.XXX.XXX.XXX -j ACCEPT #Remote Server


At this point I'm able to connect to the database remotely too, and the system is still open to anyone.

# DROP ALL UNAUTHORIZED TRAFFIC
iptables -A INPUT -j DROP


Then I drop all incoming traffic that is not authorized, and there's no connection from the remote server.

I tried using this iptables setting for port 3306, but with no result:
iptables -A INPUT -i eth0 -s XXX.XXX.XXX.XXX -p tcp --destination-port 3306 -j ACCEPT
iboam
 
Posts: 258
Joined: Mon Feb 08, 2016 2:35 pm

Re: Remote Access to Mysql Database

Postby williamconley » Sun Jun 23, 2019 2:56 pm

Code:
iptables-save

this shows the present firewall (contrary to what you may think: It doesn't "save" anything, it just dumps to the screen! you CAN save it to a file and use it to regenerate the present status by using iptables-restore on that saved file).

note that when you add a new rule at the top, it executes first. if your first rule is "drop all packets", the following "accept these ones" never get a chance to execute.

set your INPUT chain to have DROP as the last item. alternately, you can set the default action for the INPUT chain to be DROP, which will automatically drop any packet that gets to the end without matching a rule.

or you could follow the instructions for installing Dynamic Good Guys, which describes how to set up your system as a whitelisted system before the install (if you skip the install, all you've done is what your goal is: locked down the system and allow only whitelisted IPs to access the server). any whitelisted IPs will have full access, including mysql.
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)
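
The rule-ordering problem described in the reply above, as an added example that is not part of the original thread: a check that reads `iptables -S INPUT` text and reports every rule sitting after a catch-all DROP/REJECT, where it can never match. The function name, the sample listing and its documentation-range addresses (192.0.2.10, 198.51.100.20) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list INPUT rules that are unreachable because they were
# appended (-A) after a catch-all DROP/REJECT. Reads rule text on stdin,
# so it never touches the live firewall.

shadowed_rules() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            n++                                  # position of this rule in the chain
            if (seen) { print "rule " n ": " $0; next }
            # Catch-all: the target follows the chain name directly,
            # i.e. there are no match options such as -s or -p.
            if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) seen = 1
        }
    '
}

# Constructed listing in `iptables -S INPUT` format, reproducing the order
# of commands in the post: whitelist, final DROP, then the port 3306 rule
# appended afterwards.
sample_chain() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -j ACCEPT
-A INPUT -j DROP
-A INPUT -s 198.51.100.20/32 -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
EOF
}

# The MySQL rule is reported as unreachable.
sample_chain | shadowed_rules
```

On a live server the input would come from `iptables -S INPUT`. A rule it reports has to be placed above the DROP, for example with `iptables -I INPUT <position> ...` instead of `-A`.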

