Martin

Hello

I have a little Problem with my LAMP installation.

I want to open the MYSQL port 3306 to work from outside the server.

I started Webmin and went to Network -> Firewall. There the open ports were listed.

To do the right thing, I copied a rule (e.g. for port 80) and changed the port number to 3306.

Then I sent the information to the firewall.

I switched to the terminal and checked the information with iptables -L.

******************** Output  ***************

/# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mysql
ACCEPT     udp  --  anywhere             anywhere             udp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:12320
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:12321
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:12322

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

**************** Output End *****************

If I now scan the ports with Advanced Port Scanner, I get this information:

**************** SCAN *****************

HTTP

Port 22 (TCP)

Port 25 (TCP)

Port 80 (TCP)

Port 110 (TCP)

Port 119 (TCP)

Port 143 (TCP)

Port 443 (TCP)

Port 465 (TCP)

Port 563 (TCP)

Port 587 (TCP)

Port 993 (TCP)

Port 995 (TCP)

Port 12320 (TCP)

Port 12321 (TCP)

Port 12322 (TCP)

**************** SCAN END *****************

I am surprised that there are so many more ports open that I can't see in the iptables information.

Port 3306 is closed.


*************  Information: ************************

Webmin: 1.881

Linux: Debian 9

TurnKey LAMP Stack hosted as a container in Proxmox

***********************************************


So what is my problem? Where do I go wrong?

Jeremy Davis

First up: Hi there Martin! :)

Next, whilst the firewall is pre-configured by default, it's not enabled by default. So unless you have enabled it (which is generally a good idea), that's likely not your issue. TBH, I'm actually not 100% sure that the internal firewall would work within a container anyway. That is because the firewall is managed directly by the kernel and LXC containers don't have their own kernel; they leverage the host's kernel.

Regardless, even if it does work and you have enabled it, for the purposes of troubleshooting, it's not a bad idea to temporarily disable it. It'll then be much easier to isolate why you can't connect (or at least you can rule out the firewall). I'd be interested to hear if you have any luck enabling the local firewall. If that doesn't work, please consider configuring the host firewall.

Regardless of that, I suspect that the reason why you can't connect is because of our default config. Other than the standalone MySQL/MariaDB appliance, we lock MySQL (technically MariaDB) to localhost (i.e. only accessible from other services running on the server), and there are no users configured to allow access via anything but localhost.

To adjust that, please see the docs for info on how to change that config. You may be able to do that via Webmin too, although the instructions are explicitly for the command line (e.g. local console, or SSH connection). Please make sure that you use a good password. Also, to maximise security, if possible it's best to lock it to a specific IP address (or FQDN - fully qualified domain name). Obviously that requires that the origin of the remote connection is on a static IP (or has a domain set). Please note that the docs show how to allow connections from anywhere; if you want to lock that down, replace the '%' with your relevant IP (or domain).

Hopefully that gets you going! :) Please post back if you have any further questions.

Also, as an added note, looking at the ports that the scan you ran was reporting, my suspicion is that perhaps they're ports that the host is listening on, rather than the container (and only the ones that the container is listening on should respond). Or perhaps you've installed some additional services which are open. Or possibly the scanning tool you're using is reporting false positives? On a LAMP appliance, the only ports that should be open by default are 22 (SSH), 80 (HTTP), 443 (HTTPS), 12320 (Webshell via HTTPS), 12321 (Webmin via HTTPS) and 12322 (Adminer via HTTPS). Ports 25 (SMTP) and 3306 (MySQL/MariaDB) are listening, but should be locked to localhost (i.e. not open to the world). FWIW I just double checked a local LAMP appliance that I have running on Proxmox and it's only listening on ports 22, 80 & 443 (I have disabled Webshell, Webmin and Adminer).

Which ports are open internally can be checked via the netstat command-line tool, explicitly 'netstat -tlnp'. E.g. on my LAMP:

netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      563/mysqld          
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      278/apache2 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      246/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      428/master          
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      278/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      246/sshd 

And to check from outside, the tool to use is netcat ('nc' on Linux - I'm pretty sure that Windows also has netcat, but not sure what the exact command is). E.g.:

nc -z -v 192.168.1.101 1-12345 2>&1 | grep succeeded

Note that I redirected stderr ('2') to stdout ('1') - the default netcat output is to stderr. I also filtered the results via grep (to only capture the open ports - otherwise it reports success/failure for every port it scans).

Connection to 192.168.1.101 22 port [tcp/ssh] succeeded!
Connection to 192.168.1.101 80 port [tcp/http] succeeded!
Connection to 192.168.1.101 443 port [tcp/https] succeeded!
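The reply's check boils down to reading the Local Address column of 'netstat -tlnp': a service bound to 127.0.0.1 (or ::1) is localhost-only, anything on 0.0.0.0 or :: is reachable from outside. The small audit below is an added example, not code from the thread or from TurnKey; it parses that output and flags the two services the reply says should stay on localhost (25 and 3306) if they are bound to all interfaces. The sample output is constructed: the first five listeners mirror the reply's appliance, the last line is a hypothetical mis-bound MariaDB.

```python
from typing import Dict, List, Tuple

# Ports the reply says must stay localhost-only on a LAMP appliance.
LOCAL_ONLY_PORTS = {25: "smtp", 3306: "mysql"}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed 'netstat -tlnp' sample: the reply's appliance plus one
# hypothetical MariaDB listening on every interface (the misconfiguration).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      563/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      278/apache2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      246/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      428/master
tcp6       0      0 :::22                   :::*                    LISTEN      246/sshd
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      9999/mysqld
"""


def parse_listeners(text: str) -> List[Tuple[str, int, str]]:
    """Return (bind address, port, program) for every LISTEN line."""
    listeners = []
    for line in text.splitlines():
        cols = line.split()
        # Header/banner lines never have 'LISTEN' in the State column.
        if len(cols) < 7 or cols[5] != "LISTEN":
            continue
        # rpartition keeps IPv6 wildcards like ':::22' intact ('::' + '22').
        addr, _, port = cols[3].rpartition(":")
        listeners.append((addr, int(port), cols[6]))
    return listeners


def audit(text: str) -> Dict[str, List[str]]:
    """Classify listeners and flag local-only services bound to all interfaces."""
    report: Dict[str, List[str]] = {"local_only": [], "exposed": [], "violations": []}
    for addr, port, prog in parse_listeners(text):
        entry = f"{addr}:{port} ({prog})"
        if addr in LOOPBACK:
            report["local_only"].append(entry)
        else:
            report["exposed"].append(entry)
            if port in LOCAL_ONLY_PORTS:
                report["violations"].append(entry)
    return report


if __name__ == "__main__":
    for key, entries in audit(SAMPLE_NETSTAT).items():
        print(f"{key}: {entries}")
```

Run it against real output with audit(subprocess.check_output(["netstat", "-tlnp"], text=True)); an empty "violations" list means MariaDB and Postfix are bound the way the reply describes.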
