Percona Product Documentation
    Secure the network

    By default, anyone with access to your network can connect to any Percona XtraDB Cluster node either as a client or as another node joining the cluster. This could potentially let them query your data or get a complete copy of it.

    In general, it is a good idea to disable all remote connections to Percona XtraDB Cluster nodes. If you require clients or nodes from outside of your network to connect, you can set up a VPN (virtual private network) for this purpose.

    Firewall configuration

    A firewall can let you filter Percona XtraDB Cluster traffic based on the clients and nodes that you trust.

    By default, Percona XtraDB Cluster nodes use the following ports:

    • 3306 is used for MySQL client connections and SST (State Snapshot Transfer) via mysqldump.

    • 4444 is used for SST via Percona XtraBackup.

    • 4567 is used for write-set replication traffic (over TCP) and multicast replication (over TCP and UDP).

    • 4568 is used for IST (Incremental State Transfer).

    Ideally you want to make sure that these ports on each node are accessed only from trusted IP addresses. You can implement packet filtering using iptables, firewalld, pf, or any other firewall of your choice.

    Use iptables

    To restrict access to Percona XtraDB Cluster ports using iptables, you need to append new rules to the INPUT chain on the filter table. In the following example, the trusted range of IP addresses is 192.168.0.1/24. It is assumed that only Percona XtraDB Cluster nodes and clients will connect from these IPs. To enable packet filtering, run the commands as root on each Percona XtraDB Cluster node.

    # iptables --append INPUT --in-interface eth0 \
       --protocol tcp --match tcp --dport 3306 \
       --source 192.168.0.1/24 --jump ACCEPT
    # iptables --append INPUT --in-interface eth0 \
       --protocol tcp --match tcp --dport 4444 \
       --source 192.168.0.1/24 --jump ACCEPT
    # iptables --append INPUT --in-interface eth0 \
       --protocol tcp --match tcp --dport 4567 \
       --source 192.168.0.1/24 --jump ACCEPT
    # iptables --append INPUT --in-interface eth0 \
       --protocol tcp --match tcp --dport 4568 \
       --source 192.168.0.1/24 --jump ACCEPT
    # iptables --append INPUT --in-interface eth0 \
       --protocol udp --match udp --dport 4567 \
       --source 192.168.0.1/24 --jump ACCEPT
    

    Note

    The last one opens port 4567 for multicast replication over UDP.

    If the trusted IP addresses do not form one contiguous range, you will need to run these commands for each address on each node. In this case, you can consider opening all ports between trusted hosts. This is slightly less secure, but reduces the number of commands. For example, if you have three Percona XtraDB Cluster nodes, you can run the following commands on each one:

    # iptables --append INPUT --protocol tcp \
        --source 64.57.102.34 --jump ACCEPT
    # iptables --append INPUT --protocol tcp \
        --source 193.166.3.20  --jump ACCEPT
    # iptables --append INPUT --protocol tcp \
        --source 193.125.4.10  --jump ACCEPT
    

    Running the previous commands will allow TCP connections from the IP addresses of the other Percona XtraDB Cluster nodes.

    Note

    The changes that you make in iptables are not persistent unless you save the packet filtering state:

    # service iptables save
    

    For distributions that use systemd, you need to save the current packet filtering rules to the path where iptables reads from when it starts. This path can vary by distribution, but it is usually in the /etc directory. For example:

    • /etc/sysconfig/iptables

    • /etc/iptables/iptables.rules

    Use iptables-save to update the file:

    # iptables-save > /etc/sysconfig/iptables
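As an added example that is not part of the Percona documentation, the shell function below generates the rules from this section in the iptables-save format used above, for any list of trusted hosts or subnets, so non-contiguous trusted addresses can be handled without opening every port. The explicit DROP rules at the end, the helper pxc_accept_count and the address 203.0.113.10 are my additions, not something the page prescribes.

```shell
#!/bin/sh
# pxc_rules IFACE SOURCE... : print, in iptables-save format, rules that admit
# the four PXC ports only from the given trusted sources (hosts or CIDRs).
# The port list is the one documented above. The DROP lines at the end are an
# addition: they make the restriction hold even if the INPUT chain's default
# policy is ACCEPT, which the page's ACCEPT-only rules do not guarantee.
pxc_rules() {
    iface=$1
    shift
    printf '*filter\n'
    for src in "$@"; do
        for port in 3306 4444 4567 4568; do
            # TCP: client/mysqldump SST (3306), XtraBackup SST (4444),
            # write-set replication (4567), IST (4568)
            printf '%s\n' "-A INPUT -i $iface -p tcp -m tcp --dport $port -s $src -j ACCEPT"
        done
        # UDP 4567: multicast replication
        printf '%s\n' "-A INPUT -i $iface -p udp -m udp --dport 4567 -s $src -j ACCEPT"
    done
    # Anything else aimed at the cluster ports on this interface is dropped,
    # so untrusted hosts can neither query the data nor join as a node.
    printf '%s\n' "-A INPUT -i $iface -p tcp -m multiport --dports 3306,4444,4567,4568 -j DROP"
    printf '%s\n' "-A INPUT -i $iface -p udp -m udp --dport 4567 -j DROP"
    printf 'COMMIT\n'
}

# pxc_accept_count IFACE SOURCE... : number of ACCEPT rules the ruleset would
# install (5 per trusted source); a quick sanity check before applying it.
pxc_accept_count() {
    pxc_rules "$@" | grep -c -- '-j ACCEPT'
}

# When run as a script, print the ruleset for the given interface and sources,
# e.g. (constructed): sh pxc_rules.sh eth0 192.168.0.1/24 203.0.113.10
if [ "$#" -gt 0 ]; then
    pxc_rules "$@"
fi
```

Pipe the output into iptables-restore --noflush so that existing rules (for SSH, for example) are kept rather than replaced, then persist the result with iptables-save as shown above.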
    

    Last update: 2023-01-20
    Percona LLC and/or its affiliates, © 2023