
Allow MySQL Remote Connections

Discussion in 'Centmin Mod User Tutorials & Guides' started by frm, Dec 17, 2018.

  1. frm

    Centminmod runs CSF as a firewall and any command run to allow for opening outgoing ports, in this instance MySQL's default 3306, failed; it would remain open but automatically close after a certain duration, restart, or something else that affected it.


    As I am running a database off-site for redundancy and easier backups, with just a tad more compute power, I needed this option. Lo and behold:

    Edit file:
    Find this line:
    Code:
    # Allow outgoing TCP ports
    TCP_OUT =
    And add 3306, to the beginning of the ports within the quotation marks so you can use Amazon RDS, Lightsail databases, or even a VPS setup with just MariaDB like I have.

    I don't know if this code is necessary to run afterward, but it did help to test as I continuously restarted it to ensure 3306 stayed open.
    I am new to CSF (this would've been a lot easier for me in firewalld to figure out) so maybe there's someone else that can give a better option.
     
  2. eva2000

    Yup, this is correct: you need to whitelist outgoing ports in CSF Firewall for remote MySQL connections. You can also whitelist specific destination IPs by setting them manually in /etc/csf.allow. See: CSF - CSF Firewall info

    On remote mysql server running CSF Firewall, TCP connections inbound to port 3306 from IP 11.22.33.44
    Code (Text):
    tcp|in|d=3306|s=11.22.33.44
    

    On CSF Firewall server for TCP connections outbound to remote port 3306 to remote server at IP 11.22.33.44
    Code (Text):
    tcp|out|d=3306|d=11.22.33.44
    
     
  3. eva2000

    FYI, this is also mentioned at CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS

     
  4. frm

    Which method would be best to use? Obviously, with the one you showed, you can include access to specific IP addresses rather than opening up the entire port for everyone; but, this can also be handled by the firewall rules at EC2, Vultr, etc., unless those aren't good firewalls to use over something like CSF locally.

    It seems like adding the port for all would be the easiest method as the firewall can be set in a web control panel to allow for the server's IP, as it can change often, as opposed to updating it in both places.
     
  5. frm

  6. eva2000

    Yeah, lots of info all over :)
    Most Centmin Mod users would only have CSF Firewall as their protection and not firewalls at web host level, so it's best to do it from CSF Firewall level, and whitelisting specific IP/ports is usually the best method to lock things down. Though if you use a cloud VPS provider which allows you to migrate to other VPSs, the whitelisted IP address may change depending on how the cloud VPS provider handles migrations - whether they allow you to keep the existing IP or you get a new IP address.
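
Added example, not part of the original thread and not Centmin Mod or CSF code: a small Python audit that reads the two settings discussed above (`TCP_OUT` in csf.conf and `tcp|out` advanced rules in csf.allow) and reports whether outbound port 3306 is open to every destination or only to listed IPs. The sample file contents are constructed and the function names are hypothetical.

```python
import re

# Constructed sample inputs, not taken from a real server.
CSF_CONF = '''# Allow outgoing TCP ports
TCP_OUT = "3306,20,21,22,25,53,80,443"
'''
CSF_ALLOW = '''# remote database server
tcp|out|d=3306|d=11.22.33.44
tcp|in|d=22|s=11.22.33.44
'''

def port_in_list(port, spec):
    """True if port appears in a comma list; ranges may use ':' or '_'."""
    for item in spec.split(","):
        lo, _, hi = item.strip().replace("_", ":").partition(":")
        if lo.isdigit() and int(lo) <= port <= (int(hi) if hi.isdigit() else int(lo)):
            return True
    return False

def global_out(conf_text, port):
    """Is the port open to every destination through TCP_OUT?"""
    m = re.search(r'^\s*TCP_OUT\s*=\s*"([^"]*)"', conf_text, re.M)
    return bool(m) and port_in_list(port, m.group(1))

def scoped_out(allow_text, port):
    """Destination IPs that tcp|out rules in csf.allow permit for the port."""
    ips = []
    for line in allow_text.splitlines():
        f = line.split("#", 1)[0].strip().split("|")
        if len(f) < 4 or f[0].lower() != "tcp" or f[1].lower() != "out":
            continue
        # Outbound rules use d= for both the port field and the address field.
        if f[2].startswith("d=") and f[3].startswith("d=") and port_in_list(port, f[2][2:]):
            ips.append(f[3][2:])
    return ips

def audit(conf_text, allow_text, port=3306):
    """Classify outbound exposure of the port: open-to-all, restricted, not-allowed."""
    ips = scoped_out(allow_text, port)
    if global_out(conf_text, port):
        return "open-to-all", ips
    return ("restricted" if ips else "not-allowed"), ips

if __name__ == "__main__":
    print(audit(CSF_CONF, CSF_ALLOW))                       # port listed in TCP_OUT
    print(audit(CSF_CONF.replace("3306,", ""), CSF_ALLOW))  # only the csf.allow rule
```

An "open-to-all" result alongside a non-empty IP list means the csf.allow rule is redundant while 3306 stays in `TCP_OUT`.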