LinuxQuestions.org
Old 05-19-2012, 10:38 PM   #1
Arvy
LQ Newbie
 
Registered: May 2012
Posts: 3

Rep: Reputation: Disabled
Question IPTables - redirect to another port and close the first one


Hi there,

I have a server with MySQL on it. I want to close the original port (3306) to the world, but set another port (high number) to receive connections to MySQL, because my MySQL port is frequently scanned by "hackers" brute-forcing user/pass. I cannot change the TCP port on my.cfg for several reasons.

I already closed port 3306 but I cannot set the other port

What I did to redirect:

iptables -t nat -A PREROUTING -i bond1 -p tcp -m tcp --dport 63306 -j DNAT --to-destination 127.0.0.1:3306

I tried to close the public (valid IP) port and open a public port 63306 pointing to localhost (that is still accessible). I tried other ways (using Redirect and Forward) with no success...

Well, I have good knowledge on Linux but not on IPTables.

Can you help me? Thank you.

Last edited by Arvy; 05-19-2012 at 10:39 PM.
 
Old 05-20-2012, 01:36 AM   #2
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

Rep: Reputation: 193Reputation: 193
Quote:
I tried to close the public (valid IP) port and open a public port 63306 pointing to localhost (that is still accessible). I tried other ways (using Redirect and Forward) with no success...
How did you try? Why didn't it work?

Based on the terminology you are using ("using Redirect and Forward"), it sounds to me like you would benefit from reading http://www.linuxhomenetworking.com/w...Using_iptables

The "-m tcp" is not necessary; setting the protocol to tcp implies the use of the tcp module.

Also keep in mind that matching by the interface bond1 will only match, and therefore DNAT, packets on that interface; if the packets are or could be coming in on a different interface (physical or virtual), they won't be DNAT'ed.

And although (I think) technically valid, it is simpler and neater to use REDIRECT rather than DNAT.
Code:
-j REDIRECT --to-port 3306
Quote:
This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the 127.0.0.1 address).
--to-ports port[-port]
This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies -p tcp or -p udp.
--random
If option --random is used then port mapping will be randomized (kernel >= 2.6.22).
From "man iptables"
 
Old 05-20-2012, 06:57 PM   #3
Arvy
LQ Newbie
 
Registered: May 2012
Posts: 3

Original Poster
Rep: Reputation: Disabled
Thank you for your reply fukawi1.

Any combination that I made didn't work. I closed all ports and opened only the wanted ports, here is:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:2100:2199
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:63306
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Note no rule for 3306, but there's a rule for 63306 that is the "alternative" port I'm trying to use to connect to MySQL. Since it's a "prerouting" rule, it runs first, right?

Since 3306 is closed, I believe (not sure) that the rule is not working because 3306 is firewalled "after" the prerouting. Probably the rule is right, but since 3306 is closed on bond1, it's "closing" 63306 as well. So, what I tried to do is redirect bond1 63306 (public IP) to localhost 3306. In fact, I don't know if this is possible.

Any idea is appreciated.

Thank you.
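An added example, not code from the thread, that puts fukawi1's REDIRECT suggestion (post #2) together with the INPUT-chain question in the post above: nat/PREROUTING runs before filter/INPUT, so INPUT sees the already-translated port and has to match on the original destination port through the conntrack module. Assumed here: interface bond1, public port 63306, MySQL on 3306, and the xt_conntrack match available; the script prints the rules unless run with the argument `apply`.

```shell
#!/bin/sh
# Added example (not from the thread): publish MySQL on an alternative
# public port with REDIRECT and let the filter table accept only the
# connections that originally arrived on that port.
# Assumptions: public interface bond1, public port 63306, MySQL on 3306,
# conntrack match (xt_conntrack) available. IPT=echo gives a dry run.
IPT=${IPT:-iptables}

build_rules() {
    ifc=$1; pub=$2; real=$3

    # nat/PREROUTING runs before filter/INPUT, so by the time the packet
    # reaches INPUT its destination port is already $real, not $pub.
    # REDIRECT is used instead of DNAT to 127.0.0.1: packets arriving on a
    # non-loopback interface for a 127/8 address are dropped as martians
    # unless net.ipv4.conf.<if>.route_localnet=1 (kernel 3.6 and later).
    $IPT -t nat -A PREROUTING -i "$ifc" -p tcp --dport "$pub" \
        -j REDIRECT --to-ports "$real"

    # Accept in INPUT by the ORIGINAL destination port recorded by conntrack:
    # every packet of a connection that came in via $pub matches this...
    $IPT -A INPUT -i "$ifc" -p tcp --dport "$real" -m conntrack \
        --ctproto tcp --ctorigdstport "$pub" -j ACCEPT

    # ...while a client that talks to $real directly on $ifc is rejected,
    # so the original port stays closed to the outside.
    $IPT -A INPUT -i "$ifc" -p tcp --dport "$real" \
        -j REJECT --reject-with icmp-host-prohibited
}

if [ "${1:-}" = apply ]; then
    build_rules bond1 63306 3306
else
    IPT=echo
    build_rules bond1 63306 3306
fi
```

The REJECT rule must come after the conntrack ACCEPT and before any broader REJECT, as in the ruleset listed above; `iptables -t nat -L PREROUTING -n -v` and `iptables -L INPUT -n -v` show whether the counters on both rules move when a client connects to 63306.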
 
Old 05-21-2012, 11:48 AM   #4
Arvy
LQ Newbie
 
Registered: May 2012
Posts: 3

Original Poster
Rep: Reputation: Disabled
Well, solved using XINETD:

http://www.schaeuffelhut.de/wordpress/?p=6

Thank you anyway.
 
  

