I have Node JS on my server, but it does not work. I think it's a problem of wearing.
With the following command :
# curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -
# apt-get update
# apt-get install nodejs
That's all, I'm not doing anything else.
I installed drupal nodejs :
# cd /home/www.mydomaine.com/public_html
# npm install drupal-node.js
# npm install pm2 -g
Here is the configuration of my server :
<IfModule mod_fastcgi.c>
AddHandler php7-fcgi-www.mydomaine.com .php
Action php7-fcgi-www.mydomaine.com /php7-fcgi-www.mydomaine.com
Alias /php7-fcgi-www.mydomaine.com /usr/lib/cgi-bin/php7-fcgi-www.mydomaine.com
FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi-www.mydomaine.com -socket /run/php/php7.1-fpm.www.mydomaine.com.sock -idle-timeout 120 -pass-header Authorization
<Directory "/usr/lib/cgi-bin">
Require all granted
</Directory>
</IfModule>
<VirtualHost 138.74.184.65:80 [2001:21d0:0305:2100:0000:0000:0000:4741]:80>
ServerAdmin contact#mydomaine.com
ServerName mydomaine.com
ServerAlias www.mydomaine.com
RewriteEngine on
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost 138.74.184.65:443 [2001:21d0:0305:2100:0000:0000:0000:4741]:443>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.mydomaine.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.mydomaine.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.mydomaine.com/chain.pem
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCompression off
SSLOptions +StrictRequire
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Download-Options "noopen"
Header always set X-Permitted-Cross-Domain-Policies "none"
Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'"
Header set Set-Cookie HttpOnly;Secure
ServerAdmin contact#mydomaine.com
ServerName mydomaine.com
ServerAlias www.mydomaine.com
DocumentRoot /var/www/www.mydomaine.com/public_html/web/
<Directory /var/www/www.mydomaine.com/public_html/web>
Options FollowSymLinks MultiViews
AllowOverride All
Require all granted
</Directory>
<IfModule mod_fastcgi.c>
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler php7-fcgi-www.mydomaine.com
</FilesMatch>
</IfModule>
ErrorLog /var/www/www.mydomaine.com/logs/error.log
CustomLog /var/www/www.mydomaine.com/logs/access.log combined
</VirtualHost>
</IfModule>
My site is in :
/home/www.mydomaine.com/public_html/web
Here is the NodeJS configuration for Drupal nodejs.config.js :
settings = {
scheme: 'http',
port: 8080,
host: 'localhost',
resource: '/socket.io',
serviceKey: 'hgfjkliutfh',
backend: {
port: 443,
host: 'www.mydomaine.com',
scheme: 'https',
basePath: '/web',
messagePath: '/nodejs/message'
},
debug: true,
sslKeyPath: '/etc/letsencrypt/live/www.mydomaine.com/privkey.pem',
sslCertPath: '/etc/letsencrypt/live/www.mydomaine.com/cert.pem',
sslCAPath: '/etc/letsencrypt/live/www.mydomaine.com/chain.pem',
baseAuthPath: '/nodejs/',
extensions: [],
clientsCanWriteToChannels: false,
clientsCanWriteToClients: false,
transports: ['websocket', 'polling'],
jsMinification: true,
jsEtag: true,
logLevel: 1
};
enter image description here
Here is the contents of my iptables :
#!/bin/sh
# Réinitialise les règles
iptables -t filter -F
iptables -t filter -X
# Bloque tout le trafic
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
# Autorise les connexions déjà établies et localhost
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
# ICMP (Ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
# SSH
iptables -t filter -A INPUT -p tcp --dport 4829 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 4829 -j ACCEPT
# DNS
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
# NTP (horloge du serveur)
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
# NODE JS
iptables -t filter -A OUTPUT -p tcp --dport 8080 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8080 -j ACCEPT
# HTTP
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
# HTTP Caldav
iptables -t filter -A OUTPUT -p tcp --dport 8008 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8008 -j ACCEPT
# HTTPS
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
# HTTPS Caldav
iptables -t filter -A OUTPUT -p tcp --dport 8008 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT
# FTP
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
# Mail SMTP
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 465 -j ACCEPT
# Mail POP3
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT
# Mail IMAP
iptables -t filter -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 993 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
# Anti Flood / Deni de service / scan de port
iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
Here is the contents of my /etc/hosts
127.0.0.1 localhost
138.74.184.65 vps000000.ovh.net vps000000
2001:21d0:0305:2100:0000:0000:0000:4741 vps000000.ovh.net vps000000
127.0.1.1 myname.fr
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Here is the contents of my /etc/apache2/ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 80
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Result of the command netstat -ntpl
root#vps000000:~# netstat -ntpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 2476/master
tcp 0 0 0.0.0.0:4829 0.0.0.0:* LISTEN 1423/sshd
tcp 0 0 127.0.0.1:10023 0.0.0.0:* LISTEN 1690/postgrey.pid -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1452/mysqld
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 24716/drupal
tcp6 0 0 :::25 :::* LISTEN 2476/master
tcp6 0 0 :::443 :::* LISTEN 24939/apache2
tcp6 0 0 :::4829 :::* LISTEN 1423/sshd
tcp6 0 0 :::7134 :::* LISTEN 1913/java
tcp6 0 0 :::80 :::* LISTEN 24939/apache2
Drupal displays this message :
The Node.js server was successfully reached.
On my site the following error is displayed in the console :
Failed to load for element whose source is «
http://localhost:8080/socket.io/socket.io.js ».
And :
Refused to load the script
'http://localhost:8080/socket.io/socket.io.js' because it violates the
following Content Security Policy directive: "default-src https: data:
'unsafe-inline' 'unsafe-eval'". Note that 'script-src' was not
explicitly set, so 'default-src' is used as a fallback.
In the terminal I have :
root#vps000000:/home/www.mydomaine.com/public_html/node_modules/drupal-node.js# node app.js
Started http server.
[2018/03/15 16:44:02] Route callback: checkServiceKey
[2018/03/15 16:44:02] Route callback: healthCheck
UPDATE
I have updated my configuration as below and drupal seems to have found /socket.io/socket.io.js I started to despair.
Here is the NodeJS configuration for Drupal nodejs.config.js :
settings = {
scheme: 'http',
port: 8080,
host: 'www.s1biose.com',
resource: '/socket.io',
serviceKey: 'hgfjkliutfh',
backend: {
port: 443,
host: 'www.s1biose.com',
scheme: 'https',
basePath: '/web',
messagePath: '/nodejs/message'
},
debug: true,
sslKeyPath: '/etc/letsencrypt/live/www.s1biose.com/privkey.pem',
sslCertPath: '/etc/letsencrypt/live/www.s1biose.com/cert.pem',
sslCAPath: '/etc/letsencrypt/live/www.s1biose.com/chain.pem',
baseAuthPath: '/nodejs/',
extensions: [],
clientsCanWriteToChannels: false,
clientsCanWriteToClients: false,
transports: ['websocket', 'polling'],
jsMinification: true,
jsEtag: true,
logLevel: 1
};
On Drupal my configuration is as follows :
enter image description here
Now the console displays the following message :
Refused to connect to 'wss://www.s1biose.com:8080/socket.io/?EIO=3&transport=websocket&sid=8T6_V7vjKg48n731AAAJ' because it violates the following Content Security Policy directive: "default-src https: data: 'unsafe-inline' 'unsafe-eval'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
n.doOpen # universalModuleDefinition:3
What does this message mean ? Am I on the right track ? On my previous configuration console indicated that it does not find the file /socket.io/socket.io.js is that sque I progress ?
What is this "wss" instead of "https" is this normal ?
On Apache you configure ports in /etc/apache2/ports.config.
In your ports.config your server is listening on port 80, however on your node settings file, you’re pointing to port 8080 and missing the backend port 80.
See step 5:
https://www.drupal.org/project/drupalchat/issues/1415624
And also, your firewall (iptables) rules are reflecting on port 8080.
So, you need to match up port 80 or 8080.
Then try to access your site and check the Apache logs ..../ logs/Apache/access.log and
....../error.log
Besides, your host in in Apache and other settings files don’t match up localhost or 'www.mydomaine.com'??
Furthermore, your /etc/hosts doesn’t know about 'www.mydomaine.com' thus not reachable in your machine as it’s not in DNS.
In /etc/hosts add
127.0.0.1 mydomaine.com
Updated
Also, the refused message indicates that you need to allow .js files in your content security policy in your security.conf file or .htaccess file on shared host example:
content="default-src 'self' https:// example.com/js/"
See this example for background on the topic:
https://www.sitepoint.com/improving-web-security-with-the-content-security-policy/
**update new **
Based on your newest comments and error it’s clear that 1) content policy isn’t changed in Apache config(see above details) and 2)
In your nodejs config file there is mismatch between https and backend of https(443 port). First, try to get http working and then move to ssl. 3) use real DNS than localhost.
Try this changes (have ** don’t add the *)
settings = {
scheme: 'http',
port: 8080,
host: 'www.s1biose.com',
resource: '/socket.io',
serviceKey: 'hgfjkliutfh',
backend: {
port: **80**,
host: 'www.s1biose.com',
scheme: '**http**',
basePath: '/web',
messagePath: '/nodejs/message'
Related
I'm new to iptables and Linux-firewall in general. Can somebody help me with it?
I want to write a table using iptables that will log outgoing TCP connections to a specific IP address, except these that go through port 80 (HTTP).
Her is what I have so far:
iptables -N LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -p tcp -m tcp --dport 80 -j DROP
iptables -A LOGGING -p tcp -m tcp -d 149.20.4.69 -j LOG --log-prefix "My logging: " --log-level 4
Here is my previous try. This should log all outgoing connections to the chosen IP but I don't know how to filter out port 80 (HTTP).
iptables -A OUTPUT -p tcp -s 149.20.4.69 -j LOG —log-prefix 'OUTPUT TCP: ' —log-level 4
You could just use a not condition to exclude port 80
# Log TCP traffic to x.x.x.x for all destination ports except 80
iptables -A OUTPUT -p tcp -d x.x.x.x ! --dport 80 -j LOG
I'm trying to create a Node server with express. I did the following:
npm init
npm i express
and copied this sample code from express:
const express = require('express')
const app = express()
app.get('/', function (req, res) {
res.send('Hello World!')
})
app.listen(80, function () {
console.log('Example app listening on port 80!')
})
On localhost, that works. On my VPS from OVH, I got this issue that I solved with:
setcap 'cap_net_bind_service=+ep' $(which node)
I also have the following Firewall configuration:
# Vider les tables actuelles
iptables -t filter -F
# Vider les règles personnelles
iptables -t filter -X
# Interdire toute connexion entrante et sortante
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
# ---
# Ne pas casser les connexions etablies
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Autoriser loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
# ICMP (Ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
# ---
# SSH In
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
# SSH Out
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
# DNS In/Out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
# NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
# HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
# HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
# FTP Out
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
# FTP In
modprobe ip_conntrack_ftp # ligne facultative avec les serveurs OVH
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
I guess that my express code is ok. But when I try to make a request to my website, I get no answer and no trace of it on the server, even when using the direct IP of the server.
But netstat -tulpn | grep LISTEN tells me that Node is listening on port 80...
If I do everything on port 3000, everything works fine...
I have Node version 12.11.1.
I have absolutely no clue what to do next to understand the problem...
Port 80 is the default port for HTTP requests, therefore when trying to access a website on port 80 you may be having a conflicting issue given that port may already be in use.
There are numerous reason not to run a web server on port 80. One of these being that if your node process is compromised it would have access to run sudo commands on your server. Generally, you shouldn't be running anything as root on port 80, however using a reverse proxy and nginx can utilise port 80 given they have the correct start up code to bind to the port using downgraded permissions.
If you're creating a demo application, stay away from running the express server on either port 80 or port 443 in order to maintain best practices. Port 3000 would be fine to use and should be ok for everything.
Not sure where you found the sample code, but express documentation recommends using port 3000 in the hello world example.
https://expressjs.com/en/starter/hello-world.html
I bought a domain on GoDaddy but developed the website using Node.js. So, I bought a VPS on VPSGet and deployed the server. I managed to link the domain name to the VPS IP address. However, since my node.js application is running a particular port number I needed to do port forwarding so that www.domain-name.com will redirect to the process and port on the VPS. I tried to configure my firewall as follows
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 7497
COMMIT
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbounds connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbounds traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere. Here, we use normal ports for http and ssl
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow http connections to node.js app
-A INPUT -p tcp --dport 7497 -j ACCEPT
-A INPUT -p tcp --dport 7525 -j ACCEPT
-A INPUT -p tcp --dport 2368 -j ACCEPT
# Allow forwarding to port 7497
-A FORWARD -p tcp -m tcp --dport 7497 -j ACCEPT
# Allow ports for testing
-A INPUT -p tcp --dport 8080:8099 -j ACCEPT
# Allow ports for mobile shell
-A INPUT -p tcp --dport 60000:61000 -j ACCEPT
# Allow ssh connections
-A INPUT -p tcp -m state --state NEW --dport 7112 -j ACCEPT
# Allow Ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied:" --log-level 7
# Reject all other outbounds
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
However, the redirection is not working. Could someone tell me what I am doing wrong? Please note that I am running a Ubuntu 12.04 on the VPS.
Thanks,
José
Have you tried to create the support request with detailed explanation to vpsget.com ?
Regarding to the wiki
http://wiki.vpsget.com/index.php/Forward_(redirect/nat)_traffic_with_iptables
you should use venet0 instead eth0
i have to configure my server to redirect from 80 and 443 port due to 8443 using iptables
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80:443 -j REDIRECT --to-ports 8443
when i browse like https protocol everything is working, but when from http, i can just donwnload a file, and don't see anything
8443 port is intended mainly to use as HTTPS proxy. Sending plain HTTP to this port will not work. You should keep separated HTTP and HTTPS traffic by sending them to a different port (normally 8080) of your transparent proxy.
using this rule :
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80:443 -j REDIRECT --to-ports 8443
you allowed only incoming traffic to to be sent to port 8443, but still the outgoing traffic needs to be routed
my server has two ip's:
# IP one: 192.168.45.1 (allow MYSQL on Port 3306)
# IP two: 192.168.45.2 (disallow MYSQL on Port 3306)
.
how can i configure iptables, to drop incoming connections for a specific IP and allow it to the other?
.
#
# Allow MYSQL-Port only for 192.168.45.1!
#
/sbin/iptables -A INPUT -p tcp 192.168.45.1 --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp 192.168.45.2 --dport 3306 -j DROP
# END SCRIPT
this seems not to work.. :-(
Rather than enforcing this at the firewall level, have MySQL bind to 192.168.45.1 with the bind-address option. Add this to /etc/my.cnf:
bind-address=192.168.45.1
I think you want:
/sbin/iptables -A INPUT -p tcp -d 192.168.45.1 --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 192.168.45.2 --dport 3306 -j DROP