On Wed, 15 Oct 2008, Andrew McGill wrote:
> It sounds as if you have rules like this:
>
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT
> iptables -A INPUT -j DROP
>
> This would mean that traffic which is not known by the state table
> will get ignored. This means that the only way the client will
> know that its connection to the server has gone bad is that it will
> time out. (15 minutes is not such a bad timeout if you are going
> between continents.)
>
> You can change the ACCEPT rule to accept *any* traffic to port 3306,
> regardless of the state the firewall thinks the connection is in. That will
> give the kernel a chance to say "your connection has gone away" (or not):
>
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
> iptables -A INPUT -j DROP
Even better, just get rid of the state module entirely for TCP and
just filter out packets that have SYN set:

iptables -A ... ! -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A ... -p tcp --dport 3306 -j ACCEPT
<insert other -p tcp --dport .... -j ACCEPT rules here>
iptables -A ... -p tcp --syn -j DROP

Hey presto, much more reliable firewalling of TCP. Using stateful
firewalling for TCP is just brain-dead, as a rule-of-thumb.
(Admins of networks with ancient, Win3.11/Win95 era OSes may disagree
- such admins are few these days...)
regards,
--
Paul Jakma paul at clubi.ie paul at jakma.org Key ID: 64A2FF6A
Fortune:
While we are sleeping, two-thirds of the world is plotting to do us in.
-- Dean Rusk
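As an added illustration (not code from the thread), the following is a small Python model of the three rulesets discussed above, run against packets that reach INPUT after the firewall's conntrack entry for an idle MySQL connection has been lost. The conntrack states and the chain policy (assumed ACCEPT for the SYN-only ruleset, which the mail leaves as "...") are simplifying assumptions; the model also shows the trade-off that the SYN-only ruleset passes non-SYN TCP segments to any port.

```python
# Added example, not from the thread: a simplified model of the three
# iptables rulesets above, applied to packets arriving on INPUT after the
# firewall has lost its conntrack entry for an idle MySQL connection.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    dport: int
    syn: bool = False   # TCP SYN flag set (a new connection attempt)

def state(pkt, conntrack):
    """Simplified conntrack: flows in the table are ESTABLISHED, a SYN with
    no entry is NEW, anything else with no entry is INVALID.  (Real Linux
    conntrack can also pick up mid-stream ACKs when
    net.netfilter.nf_conntrack_tcp_loose=1; that is ignored here.)"""
    if (pkt.proto, pkt.dport) in conntrack:
        return "ESTABLISHED"
    return "NEW" if pkt.proto == "tcp" and pkt.syn else "INVALID"

def verdict(pkt, rules, conntrack, policy="DROP"):
    """First matching rule wins; otherwise fall through to the chain policy."""
    st = state(pkt, conntrack)
    for match, action in rules:
        if match(pkt, st):
            return action
    return policy

tracked = lambda p, st: st == "ESTABLISHED"          # -m state RELATED,ESTABLISHED
# Ruleset 1 (original): only NEW connections may open port 3306.
STATEFUL = [(tracked, "ACCEPT"),
            (lambda p, st: p.proto == "tcp" and p.dport == 3306 and st == "NEW", "ACCEPT"),
            (lambda p, st: True, "DROP")]
# Ruleset 2 (Andrew's suggestion): anything to 3306, whatever the state.
ANY_3306 = [(tracked, "ACCEPT"),
            (lambda p, st: p.proto == "tcp" and p.dport == 3306, "ACCEPT"),
            (lambda p, st: True, "DROP")]
# Ruleset 3 (Paul's): state only for non-TCP, TCP filtered on SYN alone.
# Non-SYN TCP falls through to the chain policy, assumed ACCEPT below.
SYN_ONLY = [(lambda p, st: p.proto != "tcp" and st == "ESTABLISHED", "ACCEPT"),
            (lambda p, st: p.proto == "tcp" and p.dport == 3306, "ACCEPT"),
            (lambda p, st: p.proto == "tcp" and p.syn, "DROP")]

def compare(pkt, conntrack=frozenset()):
    """Verdict of each ruleset for one packet, as a dict."""
    return {"stateful": verdict(pkt, STATEFUL, conntrack),
            "any_3306": verdict(pkt, ANY_3306, conntrack),
            "syn_only": verdict(pkt, SYN_ONLY, conntrack, policy="ACCEPT")}

if __name__ == "__main__":
    print(compare(Packet("tcp", 3306)))   # client's next query segment, entry gone: stateful DROPs it
    print(compare(Packet("tcp", 22)))     # stray non-SYN segment to ssh: only syn_only passes it
```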