LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 05-19-2012, 10:38 PM   #1
Arvy
LQ Newbie
 
Registered: May 2012
Posts: 3

Rep: Reputation: Disabled
Question IPTables - redirect to another port and close the first one


Hi there,

I have a server with MySQL on it. I want to close the original port (3306) to the world, but set another port (high number) to receive connections to MySQL, because my MySQL port is frequently scanned by "hackers", brute-force user/pass. I cannot change the TCP port on my.cfg for several reasons.

I already closed port 3306 but I cannot set the other port

What I did to redirect:

iptables -t nat -A PREROUTING -i bond1 -p tcp -m tcp --dport 63306 -j DNAT --to-destination 127.0.0.1:3306

I tryed to close public (valid IP) port and open a public port 63306 poiting to localhost (that is still acessible). I tryed other ways (using Redirect and Forward) with no success...

Well, I have good knowledge on Linux but not on IPTables.

Can you help me? Thank you.

Last edited by Arvy; 05-19-2012 at 10:39 PM.
 
Old 05-20-2012, 01:36 AM   #2
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

Rep: Reputation: 192Reputation: 192
Quote:
I tryed to close public (valid IP) port and open a public port 63306 poiting to localhost (that is still acessible). I tryed other ways (using Redirect and Forward) with no success...
How did you try? Why didn't it work?

Based on the terminology you are using ("using Redirect and Forward"), it sounds to me like you would benefit from reading http://www.linuxhomenetworking.com/w...Using_iptables

The "-m tcp" is not necessary, setting the protocol to tcp implies the use of the tcp module..

Also keep in mind that matching by the interface bond1 will only match and therefore DNAT packets on that interface, if the packets are or could be coming in a different interface (physical or virtual), they wont be DNAT'ed.

And although (i think) technically valid, it is simpler, and neater to use REDIRECT rather than DNAT.
Code:
-j REDIRECT --to-port 3306
Quote:
This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the 127.0.0.1 address).
--to-ports port[-port]
This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies -p tcp or -p udp.
--random
If option --random is used then port mapping will be randomized (kernel >= 2.6.22).
From "man iptables"
 
Old 05-20-2012, 06:57 PM   #3
Arvy
LQ Newbie
 
Registered: May 2012
Posts: 3

Original Poster
Rep: Reputation: Disabled
Thank you for your reply fukawi1.

Any combination that I made didnt work. I closed all ports and opened only the wanted ports, here is:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:2100:2199
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:63306
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Note no rule for 3306, but there's a rule for 63306 that is the "alternative" port I'm trying to use to connect to MySQL. Since it's a "preroting" rule, it runs first, right?

Since 3306 is closed, I believe (not sure) that the rule is not working because 3306 is firewalled "after" the preroting. Probably the rule is right, but since 3306 is closed on bond1, it's "closing" 63306 as well. So, what I tryed to do is redirect bond1 63306 (public IP) to localhost 3306. In fact, I dont know if this is possible.

Any idea is appreciated.

Thank you.
 
Old 05-21-2012, 11:48 AM   #4
Arvy
LQ Newbie
 
Registered: May 2012
Posts: 3

Original Poster
Rep: Reputation: Disabled
Well, solved using XINETD:

http://www.schaeuffelhut.de/wordpress/?p=6

Thank you anyway.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
with iptables, how-to redirect outgoing mail from port 25 to port 587 thumbelina Linux - Networking 12 03-19-2012 08:26 AM
Port redirect with help of IPTABLES EgoX Linux - Networking 1 09-06-2010 02:45 AM
Iptables redirect ip and port adrigo Linux - Server 8 07-16-2010 02:30 PM
debian iptables squid - redirect port 80 to port 8080 on another machine nickleus Linux - Networking 1 08-17-2006 12:59 AM
Redirect port with iptables |DeJoTa| Linux - Networking 0 07-11-2003 01:31 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 07:52 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration