
I have a linux box on my home network, and I want to remotely access mysql on this machine from my home network without opening it up to the world. You apparently can't do this with mysql because the bind address and grants don't allow wildcards in IP addresses (correct me if I'm wrong).

So I am trying to configure ufw to allow access from (only) my home network. From what I've read, you can't have default deny incoming and just add an exception to that. So I have tried to configure ufw like so (status output):

Status: active

To                         Action      From
--                         ------      ----
1:19/tcp                   DENY        Anywhere                  
1:19/udp                   DENY        Anywhere                  
22:52/udp                  DENY        Anywhere                  
22:52/tcp                  DENY        Anywhere                  
54:79/tcp                  DENY        Anywhere                  
54:79/udp                  DENY        Anywhere                  
81:122/udp                 DENY        Anywhere                  
81:122/tcp                 DENY        Anywhere                  
124:442/tcp                DENY        Anywhere                  
124:442/udp                DENY        Anywhere                  
444:65535/udp              DENY        Anywhere                  
444:65535/tcp              DENY        Anywhere                  
Anywhere                   ALLOW       192.168.1.0/24 3306/tcp   
Anywhere                   ALLOW       192.168.1.0/24            
1:19/tcp (v6)              DENY        Anywhere (v6)             
1:19/udp (v6)              DENY        Anywhere (v6)             
22:52/udp (v6)             DENY        Anywhere (v6)             
22:52/tcp (v6)             DENY        Anywhere (v6)             
54:79/tcp (v6)             DENY        Anywhere (v6)             
54:79/udp (v6)             DENY        Anywhere (v6)             
81:122/udp (v6)            DENY        Anywhere (v6)             
81:122/tcp (v6)            DENY        Anywhere (v6)             
124:442/tcp (v6)           DENY        Anywhere (v6)             
124:442/udp (v6)           DENY        Anywhere (v6)             
444:65535/udp (v6)         DENY        Anywhere (v6)             
444:65535/tcp (v6)         DENY        Anywhere (v6)

The first allow was created with Gufw, but it didn't work, so I tried adding the second one from the command line without any port specs. Anyway, neither one works to permit remote mysql access (which works with ufw disabled, btw). Can someone tell me how to fix this?

Update/Solution:

Based on a post here and the ufw docs I got it to work. I got rid of all the rules I had and used the ufw command line client:

sudo ufw default deny
sudo ufw allow http
sudo ufw allow https
sudo ufw allow from 192.168.1.0/24 to any port 3306
Steve
  • Are you sure remote address is `192.168.1.0`? – Xaqron May 24 '17 at 23:37
  • 1
    I'm not sure what format your status table is in (mine looks different), but it kind of looks like you managed to set 3306 as the source port rather than the destination port. I don't use GUFW but AFAIK a suitable ufw rule would be `ufw allow from 192.168.1.0/24 to any port 3306 proto tcp` – steeldriver May 24 '17 at 23:43
  • See https://stackoverflow.com/questions/15663001/remote-connections-mysql-ubuntu or https://askubuntu.com/questions/751679/allow-remote-mysql-access-through-webmin-or-shell or http://www.configserverfirewall.com/ubuntu-linux/enable-mysql-remote-access-ubuntu/ – heynnema May 25 '17 at 00:55
  • @Xaqron, no, it's not, I'm trying to enable the subnet. steeldriver & heynnema I will check those options in the morning and report back. Thanks! – Steve May 25 '17 at 01:14
  • @steeldriver, I deleted those two allow rules I had and created yours; it didn't work :-( It seems like it should have. According to the docs that is the right way to permit access on a given port. – Steve May 25 '17 at 20:45
  • I looked at /var/log/ufw.log. It's got some entries from yesterday that I don't know how to interpret (but none from today):
    `May 24 15:33:21 steve-MS-7253 kernel: [ 1663.883335] [UFW BLOCK] IN=enp0s18 OUT= MAC=01:00:5e:00:00:01:1c:b7:2c:d9:77:40:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2`
    `May 24 15:33:24 steve-MS-7253 kernel: [ 1666.923262] [UFW BLOCK] IN=enp0s18 OUT= MAC=01:00:5e:00:00:fb:d8:cb:8a:98:8e:1b:08:00 SRC=192.168.1.80 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=19235 PROTO=2`
    The MAC addresses shown don't match either of the machines. – Steve May 25 '17 at 20:46
  • Anything with `DST=224.0.0.1` is likely just normal multicast chatter - see [Multicast address](https://en.wikipedia.org/wiki/Multicast_address). BTW how exactly are you testing this? Are you sure your mysql service is listening on 3306? – steeldriver May 26 '17 at 00:38
  • Yes, if I disable ufw firewall it connects. – Steve May 26 '17 at 00:57
  • Here's what my gufw looks like for MySQL... http://imgur.com/a/iy5yZ – heynnema May 26 '17 at 01:26
  • What version of gufw are you using? I'm using 16.04 and the rules it creates don't look like that. Also this would allow anyone to access 3306 and I don't know what other ports you're blocking. I'm trying to block all except http, etc. I'm not sure how to specify the (V6) entries. The docs don't say. That might be what's keeping my rules from working. – Steve May 26 '17 at 12:56
  • I found the solution and updated the original post. Thanks for the input! – Steve May 26 '17 at 13:24
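Added here as an illustration, not code from the post or from ufw itself: a small Python model of ufw's first-match evaluation, run over rows copied from the question's own `ufw status` table and over constructed rows for the solution's four commands. It assumes that ufw evaluates rules in the order `ufw status` lists them (a plain `ufw allow` appends at the end, so an allow added after `444:65535/tcp DENY Anywhere` is never reached for port 3306) and that a port on the From side, as in the Gufw-created row, constrains the client's source port; the client and Internet IPs in the checks are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Rows from the question's `ufw status` table (IPv4 part), copied from the post.
BROKEN_STATUS = """\
444:65535/tcp              DENY        Anywhere
Anywhere                   ALLOW       192.168.1.0/24 3306/tcp
Anywhere                   ALLOW       192.168.1.0/24
"""
# Constructed: what `ufw status` prints after the four commands in the solution.
FIXED_STATUS = """\
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
3306                       ALLOW       192.168.1.0/24
"""
PORT_RE = re.compile(r"^(\d+)(?::(\d+))?(?:/(tcp|udp))?$")  # 3306, 1:19/tcp, 444:65535/udp

def parse_endpoint(spec):
    # '192.168.1.0/24 3306/tcp' -> (network or None, (lo, hi) or None, proto or None)
    net, ports, proto = None, None, None
    for tok in spec.split():
        m = PORT_RE.match(tok)
        if m:
            lo = int(m.group(1))
            ports, proto = (lo, int(m.group(2) or lo)), m.group(3)
        elif tok != "Anywhere":
            net = ip_network(tok, strict=False)
    return net, ports, proto

def parse_status(text):
    """Ordered (action, to, from) rules from `ufw status` text; IPv6 rows are skipped."""
    rules = []
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) == 3 and cols[1] in ("ALLOW", "DENY", "REJECT") and "(v6)" not in line:
            rules.append((cols[1], parse_endpoint(cols[0]), parse_endpoint(cols[2])))
    return rules

def in_range(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def decide(rules, src_ip, dst_port, proto="tcp", src_port=51234, default="DENY"):
    """First match wins (ufw evaluates rules in this order), else default. To address not modelled."""
    for action, (_, dports, dproto), (snet, sports, sproto) in rules:
        if dproto not in (None, proto) or sproto not in (None, proto):
            continue
        # a port on the From side is the client's *source* port, which is ephemeral, not 3306
        if in_range(dports, dst_port) and in_range(sports, src_port) and (snet is None or ip_address(src_ip) in snet):
            return action
    return default
```

`decide(parse_status(FIXED_STATUS), "192.168.1.80", 3306, proto="udp")` also returns ALLOW, because the solution's last rule carries no `proto tcp`; adding it, as steeldriver's comment suggests, narrows the exception to TCP.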
