navid_a
December 31, 2020, 3:32pm
1
Hi Fellers
I have a weird situation at firewall.
I have deployed a mariadb container on a server.
$ docker ps
d65e7fd9a65d | mariadb:latest | "docker-entrypoint.s…" | 3 months ago | Up 6 weeks | 0.0.0.0:3306->3306/tcp | mysql
As shown, it is reachable from outside of the server.
$ nmap -Pn -p3000-4000 [SERVER IP ADDRESS]
PORT STATE SERVICE
3306/tcp open mysql
but when I check the YaST firewall, there is no such open port in there, yet my application can connect to the DB with the server IP address and port 3306.
$ firewall-cmd --list-services
ssh dhcpv6-client http
I want to restrict access to the database so that just one IP address can access it.
Can you explain why firewall could not see this port?
I am not sure I understand the question. There are multiple ways to allow a port; show “iptables -L -n -v” output, which will list the current rules as used by the kernel.
navid_a
December 31, 2020, 7:53pm
3
Sorry, I didn’t explain it very well.
Apparently this port was opened without any firewall config and everyone on the Internet can see it.
The result is very long, so I pasted just the important parts.
Two parts got my attention:
$ iptables -n -L -v
.....
Chain DOCKER (4 references)
pkts bytes target prot opt in out source destination
10 544 ACCEPT tcp -- !br-97da32208e84 br-97da32208e84 0.0.0.0/0 172.20.0.3 tcp dpt:3306
6 260 ACCEPT tcp -- !br-97da32208e84 br-97da32208e84 0.0.0.0/0 172.20.0.2 tcp dpt:443
335 19756 ACCEPT tcp -- !br-97da32208e84 br-97da32208e84 0.0.0.0/0 172.20.0.2 tcp dpt:80
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out
.....
Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
2988 178K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW
......
My questions are:
Isn’t firewalld solely responsible for all ports, including Docker services’ ports?
I want to set a rule on port 3306 so that only my application, which is served on another server, can connect to the DB.
navid_a:
Isn’t firewalld solely responsible for all ports, including Docker services’ ports?
No. firewalld is just a frontend to the kernel. It interprets its configuration and translates it into kernel iptables configuration. Any other program can independently change the current kernel iptables configuration. Of course, unless they coordinate, the results are really unpredictable, but there is not much that can be done here (nftables may bring some improvements).
I want to set a rule on port 3306 so that only my application, which is served on another server, can connect to the DB.
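As an added example (not code from the thread), the Python below parses the “iptables -n -L -v” rows quoted above, lists the ports that Docker’s DOCKER chain accepts from any source but firewalld’s IN_public_allow chain never opened, and builds the DOCKER-USER rule that limits such a port to one source address. The application-server address 203.0.113.10 is a placeholder.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the DOCKER and IN_public_allow rows quoted in the thread.
IPTABLES_OUTPUT = """\
Chain DOCKER (4 references)
pkts bytes target prot opt in out source destination
10 544 ACCEPT tcp -- !br-97da32208e84 br-97da32208e84 0.0.0.0/0 172.20.0.3 tcp dpt:3306
6 260 ACCEPT tcp -- !br-97da32208e84 br-97da32208e84 0.0.0.0/0 172.20.0.2 tcp dpt:443
335 19756 ACCEPT tcp -- !br-97da32208e84 br-97da32208e84 0.0.0.0/0 172.20.0.2 tcp dpt:80
Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
2988 178K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW
"""

def parse_chains(text: str) -> Dict[str, List[List[str]]]:
    """Group the rule rows of `iptables -n -L -v` output by chain name."""
    chains: Dict[str, List[List[str]]] = {}
    current = None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(".") or fields[0] == "pkts":
            continue  # blank line, '.....' elision, or column header
        if fields[0] == "Chain":
            current = fields[1]
            chains[current] = []
        elif current is not None:
            chains[current].append(fields)
    return chains

def accepted_dports(rows: List[List[str]]) -> Set[str]:
    """Destination ports ACCEPTed from any source (0.0.0.0/0) in one chain's rows."""
    ports: Set[str] = set()
    for f in rows:  # columns: pkts bytes target prot opt in out source destination extras...
        m = re.search(r"dpt:(\d+)", " ".join(f[9:]))
        if len(f) > 8 and f[2] == "ACCEPT" and f[7] == "0.0.0.0/0" and m:
            ports.add(m.group(1))
    return ports

def docker_ports_bypassing_firewalld(text: str) -> Set[str]:
    """Ports Docker publishes to the world that firewalld's IN_public_allow never allowed."""
    chains = parse_chains(text)
    return accepted_dports(chains.get("DOCKER", [])) - accepted_dports(chains.get("IN_public_allow", []))

def docker_user_rule(port: str, allowed_src: str) -> str:
    """DOCKER-USER rule dropping every source except allowed_src for a published port.
    DOCKER-USER runs before Docker's own chains and ends in RETURN, so the rule must be
    inserted (-I), not appended. Assumes host port == container port (3306->3306 here)."""
    return f"iptables -I DOCKER-USER -p tcp --dport {port} ! -s {allowed_src} -j DROP"
```

Running it on the quoted output reports 3306 and 443 as reachable from anywhere despite firewalld listing only ssh and http; the generated rule is the placeholder-address restriction for 3306.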