mysql port 3306

bulliver · 04-17-2003, 06:35 PM

Well, this isn't a security issue per se, but I am curious about a few things. I only run a webserver, so my iptables firewall drops everything not destined for port 80, however, when I run nmap it shows 3306 mysql as open.

I do use mysql, but it is on the same computer so I don't need the port open right?

Why does port 3306 ignore my firewall rules? Anyone know what's up?

Hangdog42 · 04-17-2003, 06:44 PM

You might want to post your iptables script to get a better answer. However, I'll hazard the guess that your script isn't blocking internal requests. In other words, if you used nmap to scan from a different computer, you might not see port 3306 open.

Of course without seeing your iptables rules, this is nothing more than a WAG.

bulliver · 04-17-2003, 07:27 PM

Hey, maybe you're right.

Here's the relevant sections:

Code:

# set a sane policy:    everything not accepted > /dev/null
iptables -P INPUT    DROP
iptables -P FORWARD  DROP
iptables -P OUTPUT   DROP

# allow local-only connections
iptables -A INPUT  -i lo -j ACCEPT

# free output on any interface to any ip for any service (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# permit answers on already established connections
# and permit new connections related to established ones (eg active-ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# accepts http requests at port 80 
iptables -A INPUT -p tcp --dport 80  -j ACCEPT

Perhaps you could scan me to see...my domain is in my sig

jeremy · 04-17-2003, 08:51 PM

If you never connect to mysql over the network you may want to add

Code:

skip-networking

to your [mysqld] section in /etc/my.cnf.

--jeremy

bulliver · 04-17-2003, 09:00 PM

Cool, thanks Jeremy. Worked perfectly...