iptables how to close mysql port 3306

Maxim Vexler hq4ever at gmail.com
Mon Apr 3 23:28:30 UTC 2006


On 4/4/06, Ted Potter <tpotter at techmarin.com> wrote:
> On 4/3/06, Ted Potter <tpotter at techmarin.com> wrote:
> > On 4/3/06, A. Khattri <ajai at bway.net> wrote:
> > > On Mon, 3 Apr 2006, Ted Potter wrote:
> > >
> > > > To make it fun, no I can not install anything. No there is not gui.
> > > > Everything I do must be from
> > > > the command line on the box. Bout the only blessing is I can ssh in to the
> > > > box as root.
> > > >
> > > > Thanks for any who care to play and share.
> > > >
> > > > PS
> > > >
> > > > I tried the following:
> > > >
> > > > iptables -A INPUT -p tcp -d 3306 -j REJECT
> > > >
> > > > then I see
> > > >
> > > > iptables --list
> > > > REJECT tcp -- anywhere 0.0.12.234 reject-wthi icmp-port-unreachable
> > > >
> > > > and I can still log on to the server remotely.
> > >
> > > Much easier to edit /etc/my.cnf and tell MySQL to not use networking
> > > (skip-networking) or tell it to listen on 127.0.0.1 (bind-address).
> >
> >
> > Thanks for the tip, however I can find no such file on the server. Darn it
> > that would have been a sweet fix.
> >
> > Thank you !
> >
> > Ted
>
> ok so I tried this
> # iptables -A INPUT -p tcp  -dports 3306 -j DROP
> Bad argument 3306
> #
> huh ? the manual states -dports is a valid alias for --destination-ports
>
> OK so
> [root at d7148 bin]# iptables -A INPUT -p tcp  -dports 3306 -j DROP
> Bad argument `3306'
> Try `iptables -h' or 'iptables --help' for more information.
> [root at d7148 bin]# iptables -A INPUT -p tcp  --dports 3306 -j DROP
> iptables v1.2.8: Unknown arg `--dports'
> Try `iptables -h' or 'iptables --help' for more information.
> [root at d7148 bin]#
> [root at d7148 bin]# iptables -A INPUT -p tcp  --destination-ports  3306 -j DROP
> iptables v1.2.8: Unknown arg `--destination-ports'
> Try `iptables -h' or 'iptables --help' for more information.
> [root at d7148 bin]# iptables -A INPUT -p tcp  -destination-ports  3306 -j DROP
> Bad argument `3306'
> Try `iptables -h' or 'iptables --help' for more information.
>
> Any other ideas ? - for now I am going to find a cli interface that might help
> get this done.
>

For tcp it's [-dport] && [--destination-port], that is, no 's at the end.
Other than that the filter looks OK.


HTH


--
Cheers,
Maxim Vexler (hq4ever).

Do u GNU ?
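As an added example, not from the thread: a POSIX shell script that applies the rule with the flag the reply points to (`--dport`), keeps loopback clients working, and checks an `iptables -L INPUT -n` listing for the DROP rule (the earlier `-d 3306` attempt matched a destination address, since 3306 as an integer is the IP 0.0.12.234 that `iptables --list` printed). The function names, the APPLY variable and the sample listing are assumptions of mine; it assumes iptables on PATH and root only when APPLY=1, otherwise it just prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread. Blocks remote TCP connections to
# MySQL (3306) while local clients keep working. The flag is --dport
# (alias of --destination-port); -dports / --destination-ports do not
# exist, and "-d 3306" means destination *address* 0.0.12.234.
# Assumptions: iptables on PATH, root only when APPLY=1.

MYSQL_PORT=3306

# Emit the rule set, one command per line, in the order it must be applied:
# loopback is accepted at the head of INPUT, then everything else to 3306
# is dropped.
mysql_block_rules() {
    printf '%s\n' \
        "iptables -I INPUT 1 -i lo -p tcp --dport $MYSQL_PORT -j ACCEPT" \
        "iptables -A INPUT -p tcp --dport $MYSQL_PORT -j DROP"
}

# Run the rules when APPLY=1 (needs root); otherwise print them.
# eval is only ever fed the strings generated above.
mysql_block_apply() {
    mysql_block_rules | while read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            eval "$cmd" || return 1
        else
            echo "would run: $cmd"
        fi
    done
}

# Verify: read an `iptables -L INPUT -n` listing from stdin and return 0
# only if a DROP rule for tcp dpt:<port> is present (exact port match,
# so dpt:33060 does not count as 3306).
mysql_drop_present() {
    awk -v port="$1" '
        $1 == "DROP" && $2 == "tcp" && $0 ~ ("dpt:" port "( |$)") { found = 1 }
        END { exit !found }'
}

# Typical use on the box (as root):
#   APPLY=1 ./block_mysql.sh && iptables -L INPUT -n | mysql_drop_present 3306
```

Run `iptables -L INPUT -n` (not `--list` alone) so the destination column shows the port match rather than a resolved name.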




More information about the Redhat-install-list mailing list