iptables how to close mysql port 3306

Administrator TOOTAI admin at tootai.net
Tue Apr 4 08:32:44 UTC 2006


Andrew Kelly wrote:
> On Tue, 2006-04-04 at 01:28 +0200, Maxim Vexler wrote:
>   
>> On 4/4/06, Ted Potter <tpotter at techmarin.com> wrote:
>>     
>>> On 4/3/06, Ted Potter <tpotter at techmarin.com> wrote:
>>>       
>>>> On 4/3/06, A. Khattri <ajai at bway.net> wrote:
>>>>         
>>>>> On Mon, 3 Apr 2006, Ted Potter wrote:
>>>>>
>>>>>           
>>>>>> To make it fun, no I can not install anything. No there is not gui.
>>>>>> Everything I do must be from
>>>>>> the command line on the box. Bout the only blessing is I can ssh in to the
>>>>>> box as root.
>>>>>>
>>>>>> Thanks for any who care to play and share.
>>>>>>
>>>>>> PS
>>>>>>
>>>>>> I tried the following:
>>>>>>
>>>>>> iptables -A INPUT -p tcp -d 3306 -j REJECT
>>>>>>
>>>>>> then I see
>>>>>>
>>>>>> iptables --list
>>>>>> REJECT tcp -- anywhere 0.0.12.234 reject-with icmp-port-unreachable
>>>>>>
>>>>>> and I can still log on to the server remotely.
>>>>>>             
>>>>> Much easier to edit /etc/my.cnf and tell MySQL to not use networking
>>>>> (skip-networking) or tell it to listen on 127.0.0.1 (bind-address).
>>>>>           
>>>> Thanks for the tip, however I can find no such file on the server. Darn it,
>>>> that would have been a sweet fix.
>>>>
>>>> Thank you !
>>>>
>>>> Ted
>>>>         
>>> ok so I tried this
>>> # iptables -A INPUT -p tcp  -dports 3306 -j DROP
>>> Bad argument 3306
>>> #
>>> huh ? the manual states -dports is a valid alias for --destination-ports
>>>
>>> OK so
>>> [root at d7148 bin]# iptables -A INPUT -p tcp  -dports 3306 -j DROP
>>> Bad argument `3306'
>>> Try `iptables -h' or 'iptables --help' for more information.
>>> [root at d7148 bin]# iptables -A INPUT -p tcp  --dports 3306 -j DROP
>>> iptables v1.2.8: Unknown arg `--dports'
>>> Try `iptables -h' or 'iptables --help' for more information.
>>> [root at d7148 bin]#
>>> [root at d7148 bin]# iptables -A INPUT -p tcp  --destination-ports  3306 -j DROP
>>> iptables v1.2.8: Unknown arg `--destination-ports'
>>> Try `iptables -h' or 'iptables --help' for more information.
>>> [root at d7148 bin]# iptables -A INPUT -p tcp  -destination-ports  3306 -j DROP
>>> Bad argument `3306'
>>> Try `iptables -h' or 'iptables --help' for more information.
>>>
>>> Any other ideas ? - for now I am going to find a cli interface that might help
>>> get this done.
>>>
>>>       
>> For tcp it's [-dport] && [--destination-port], that is no ('s) at the end.
>> Other than that the filter looks OK.
>>     
>
> No, no, dports and destination-ports were correct. The problem is that
> a double hyphen is required and appears to have been forgotten.
>
> 	--dports and NOT -dports
>   
Hmmh, Debian SARGE:

# Accept http from our Networks
    $IPTABLES -A INPUT -i ! $EXTERNAL_DEVICE    -p TCP  --dport 80   -j ACCEPT
-- 
Daniel
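Why each attempt in the thread above behaved the way it did, as an added Python example that is not part of the original thread: it parses the argument lists the way getopt_long does, using an option table I have assumed to cover the options involved, and shows that `-d 3306` is accepted as a host address (3306 written as a dotted quad is 0.0.12.234), that a single hyphen turns `-dports` into `-d ports` with a stray `3306`, and that only `--dport` or `--destination-port` actually matches the port.

```python
import getopt
import ipaddress

# Simplified option table, assumed here to mirror what iptables accepts for the
# rules in the thread: every short option takes an argument, and long options
# are matched by getopt_long on exact name or unambiguous prefix.
SHORT_OPTS = "A:p:d:s:j:i:"
LONG_OPTS = ["append=", "protocol=", "destination=", "source=", "jump=",
             "in-interface=", "dport=", "destination-port=",
             "sport=", "source-port="]


def diagnose(argv):
    """Parse an iptables argument list the way getopt_long does and report
    what the resulting rule really matches.  Returns (verdict, detail)."""
    try:
        opts, stray = getopt.gnu_getopt(argv, SHORT_OPTS, LONG_OPTS)
    except getopt.GetoptError as err:
        # e.g. "--dports": neither an exact name nor a prefix of any long
        # option, which iptables reports as "Unknown arg `--dports'".
        return ("unknown-option", err.opt)
    if stray:
        # "-dports 3306" is read as short option -d with value "ports",
        # leaving "3306" dangling, hence "Bad argument `3306'".
        return ("bad-argument", stray[0])
    for opt, val in opts:
        if opt in ("-d", "--destination") and val.isdigit():
            # inet_aton() accepts a bare number as a 32-bit host address,
            # so "-d 3306" silently becomes a match on host 0.0.12.234.
            return ("matches-host", str(ipaddress.IPv4Address(int(val))))
        if opt in ("--dport", "--destination-port"):
            return ("matches-port", int(val))
    return ("no-port-match", None)


if __name__ == "__main__":
    # The attempts from the thread, followed by the intended rule.
    for cmd in ("-A INPUT -p tcp -d 3306 -j REJECT",
                "-A INPUT -p tcp -dports 3306 -j DROP",
                "-A INPUT -p tcp --dports 3306 -j DROP",
                "-A INPUT -p tcp --destination-ports 3306 -j DROP",
                "-A INPUT -p tcp --dport 3306 -j DROP"):
        print(f"iptables {cmd:50} -> {diagnose(cmd.split())}")
```

Checking a rule with `iptables -L -n` after adding it shows the same distinction: a host-matching rule lists `0.0.12.234` as the destination, while a port-matching rule lists `dpt:3306`.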
More information about the Redhat-install-list mailing list