PXC loves firewalls (and System Admins loves iptables)

PXC loves firewalls (and System Admins loves iptables)

PREVIOUS POST
NEXT POST

PXC and setting firewalls using iptablesLet them stay together.

In the last YEARS, I have seen quite often that users, when installing a product such as PXC, instead of spending five minutes to understand what to do just run iptables -F  and save.

In short, they remove any rules for their firewall.

With this post, I want to show you how easy it can be to do the right thing instead of putting your server at risk. I’ll show you how a slightly more complex setup like PXC (compared to MySQL), can be easily achieved without risky shortcuts.

iptables is the utility used to manage the chains of rules used by the Linux kernel firewall, which is your basic security tool.
Linux comes with a wonderful firewall built into the kernel. As an administrator, you can configure this firewall with interfaces like ipchains  — which we are not going to cover — and iptables, which we shall talk about.

iptables is stateful, which means that the firewall can make decisions based on received packets. This means that I can, for instance, DROP a packet if it’s coming from bad-guy.com.

I can also create a set of rules that either will allow or reject the package, or that will redirect it to another rule. This potentially can create a very complex scenario.

However, for today and for this use case let’s keep it simple…  Looking at my own server:

That’s not too bad, my server is currently accepting only SSH and packets on port 3306. Please note that I used the -v option to see more information like IN/OUT and  that allows me to identify that actually row #3 is related to my loopback device, and as such it’s good to have it open.

The point is that if I try to run the PXC cluster with these settings it will fail, because the nodes will not be able to see each other.

A quite simple example when try to start the second node of the cluster:

Starting a new node will fail, given that the connectivity will not be established correctly. In the Percona documentation there is a notes section in which we mention that these ports must be open to have the cluster working correctly.:

  • 3306 For MySQL client connections and State Snapshot Transfer that use the mysqldump method.
  • 4567 For Galera Cluster replication traffic, multicast replication uses both UDP transport and TCP on this port.
  • 4568 For Incremental State Transfer.
  • 4444 For all other State Snapshot Transfer.

Of course, if you don’t know how to do it that could be a problem, but it is quite simple. Just use the following commands to add the needed rules:

Once you have done this check the layout again and you should have something like this:

Try to start the secondary node, and — tadaaa — the node will connect, will provision itself, and finally will start correctly.

All good? Well not really, you still need to perform a final step. We need to make our server accessible also for PMM monitoring agents.

You have PMM right? If you don’t take a look here and you will want it. 😀

Anyhow PMM will not work correctly with the rules I have, and the result will be an empty set of graphs when accessing the server statistics. Luckily, PMM has a very easy way to help you identify the issue:

What you want more? You have all the information to debug and build your new rules. I just need to open the ports 42000 42002 on my firewall:

Please note that we are handling the connectivity for PMM using a different range of IPs/subnet. This because it is best practice to have PXC nodes communicate to a dedicated network/subnet (physical and logical).

Run the test again:

Done …  I just repeat this on all my nodes and I will have set my firewall to handle the PXC related security.

Now that all my settings are working well I can save my firewall’s rules:

For Ubuntu you may need some additional steps as for (https://help.ubuntu.com/community/IptablesHowTo#Using_iptables-save.2Frestore_to_test_rules)

There are some nice tools to help you even more, if you are very lazy, like UFW and the graphical one, GUFW. Developed to ease iptables firewall configuration, ufw provides a user friendly way to create an IPv4 or IPv6 host-based firewall. By default UFW is disabled in Ubuntu. Given that ultimately they use iptables, and their use is widely covered in other resources such as the official Ubuntu documentation, I won’t cover these here.

Conclusion

Please don’t make the mistake of flushing/ignoring your firewall, when to make this right is just a matter of 5 commands. It’s easy enough to be done by everyone and it’s good enough to stop the basic security attacks.

Happy MySQL (and PXC) to everyone.

PREVIOUS POST
NEXT POST

Share this post

Leave a Reply