

Ask HN: Can someone help with Iptables and MySQL replication? - ItsWinterHello

I have two machines.

Machine 1: Front-end/Webserver (Nginx), Slave DB (IP example: slavedb.1.1.1)
Machine 2: Master DB (IP example: masterdb.1.1.1)

When iptables rules are removed, replication between master-slave (MySQL) works fine. I've set up the machines so they both have private IPs.

When I added some generic rules, replication breaks.

Below are the 'generic' rules that I used.

    *filter
    #  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
    -A INPUT -i lo -j ACCEPT
    -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
    #  Accepts all established inbound connections
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #  Allows all outbound traffic
    #  You can modify this to only allow certain traffic
    -A OUTPUT -j ACCEPT
    # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT
    #  Allows SSH connections
    # THE --dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
    -A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
    # Allow ping
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    # log iptables denied calls
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    # Reject all other inbound - default deny unless explicitly allowed policy
    -A INPUT -j REJECT
    -A FORWARD -j REJECT
    COMMIT

Can someone provide an example of an iptables ruleset that I would use? Would I use it on both machines or only one?

Thanks in advance for helping me out!
======
k3oni
Open port 3306 on both machines on your internal network, the one replication
is running over.

Edit: Port 3306 is the port mysql runs on and is the same port your slave is
using to connect to the master. Make sure you don't open it for the external
interface.

~~~
ItsWinterHello
Thanks. Would I add these two lines to the rules? Or something different?

        -A INPUT -i lo -p tcp --dport 3306 -j ACCEPT
        # the OUTPUT chain matches the outgoing interface, so it takes -o, not -i
        -A OUTPUT -o lo -p tcp --sport 3306 -j ACCEPT

~~~
k3oni
Well, in your firewall rules I don't see any OUTPUT drop/reject, so the
following should be enough on the master if your master is actually listening
on lo and port 3306 (you can see this by running, for example (in Linux): netstat
-tnlp):

    -A INPUT -i lo -p tcp --dport 3306 -j ACCEPT
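As an added example that is not part of the thread (neither the question nor k3oni's answers), here is a POSIX shell script that generates, parse-checks and loads an iptables-restore ruleset for the master. It assumes the master's private interface is called eth1, the slave's private address is 10.0.0.2, SSH is on port 30000 as in the question, the master serves no web traffic (so 80/443 are left out), and mysqld on the master binds to its private address rather than only 127.0.0.1. The replication rule accepts port 3306 only on that interface and only from the slave's address, and it sits before the LOG/REJECT tail, so 3306 stays closed on the public interface. The slave needs no extra INPUT rule: it opens the connection, its OUTPUT chain is ACCEPT, and the replies are matched by the existing ESTABLISHED,RELATED rule.

```shell
#!/bin/sh
# Added example (not from the thread): generate, check and apply the master's
# iptables-restore ruleset with a replication rule bound to the private
# interface and the slave's private IP. Interface name and addresses below
# are assumed placeholders; substitute your own.

# Replication rule for the MASTER: accept NEW TCP connections to 3306 only on
# the private interface and only from the slave's address. "-i lo" would match
# loopback traffic only, which a remote slave never produces; binding to the
# private NIC also keeps 3306 closed on the public interface.
master_repl_rule() {
  priv_if=$1   # private interface on the master (assumed: eth1)
  slave_ip=$2  # slave's private IP (assumed: 10.0.0.2)
  printf '%s\n' "-A INPUT -i $priv_if -s $slave_ip/32 -p tcp --dport 3306 -m state --state NEW -j ACCEPT"
}

# Full ruleset for the master: the generic rules from the question (minus
# 80/443, assuming the master serves no web traffic) with the replication rule
# placed BEFORE the LOG/REJECT tail. iptables evaluates rules in order, so an
# ACCEPT appended after "-A INPUT -j REJECT" would never be reached.
master_ruleset() {
  priv_if=$1; slave_ip=$2; ssh_port=$3
  cat <<EOF
*filter
# loopback in, and reject anything to 127/8 that did not arrive on lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# replies to connections this host opened; OUTPUT is left fully open
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
# SSH on the non-default port from the question
-A INPUT -p tcp -m state --state NEW --dport $ssh_port -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# MySQL replication: slave -> master over the private network only
$(master_repl_rule "$priv_if" "$slave_ip")
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# The SLAVE needs no extra INPUT rule: it initiates the TCP connection, its
# OUTPUT chain is ACCEPT, and the reply packets match ESTABLISHED,RELATED.
# Do not open 3306 on the slave's public interface either.

# Before applying on the master, confirm mysqld listens on something other
# than loopback only (bind-address in my.cnf); otherwise the rule is reached
# but nothing answers. Returns 0 when a non-127.0.0.1 listener on 3306 exists.
master_listens_on_private_ip() {
  ss -tnl | grep ':3306' | grep -vq '127\.0\.0\.1:3306'
}

# Parse-check the ruleset with iptables-restore --test, then load it (root).
apply_master_ruleset() {
  master_ruleset "$@" | iptables-restore --test || return 1
  master_ruleset "$@" | iptables-restore
}

# Usage (as root, on the master):
#   sh repl-fw.sh print eth1 10.0.0.2 30000   # show the ruleset
#   sh repl-fw.sh apply eth1 10.0.0.2 30000   # check and load it
case ${1:-} in
  print) shift; master_ruleset "$@" ;;
  apply) shift; apply_master_ruleset "$@" ;;
esac
```

Run the `print` form first and read the output; then `apply` as root. If replication still fails afterwards, the `iptables denied:` log prefix that is already in the ruleset shows which packets are being rejected (`dmesg` or `journalctl -k`), which is usually faster than guessing at rules.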

~~~
ItsWinterHello
You're the man! Thank you!

~~~
k3oni
You're welcome.

