Hi
I want to allow mysql connections to my server and I have added the following iptables rules.
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
Unfortunately they don't seem to be working.
Could someone please provide the correct set of commands to enable mysql access via iptables?
Thank you
Damien
joker
April 10, 2018, 6:34am
2
What do you mean by saying it is not working?
What exactly are you doing (actually typed-in commands)?
What is the exact error message you got?
What interfaces is your mysql server configured to listen on (netstat -ntlp)?
Making mysql listen on non-local interfaces should be done with care because it may open a security threat if not done properly.
joker:
What do you mean by saying it is not working?
What exactly are you doing (actually typed-in commands)?
What is the exact error message you got?
What interfaces is your mysql server configured to listen on (netstat -ntlp)?
I mean I still cannot connect to mysql on my remote server.
The commands I am using are as follows:
iptables -I INPUT -p tcp -m tcp --dport 3306 -j ACCEPT;
iptables-save > /etc/sysconfig/iptables
service iptables restart
I don't get any error message; mysql just cannot connect and appears to hang.
The result of netstat -ntlp is as follows:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:48008 0.0.0.0:* LISTEN 29057/perl
tcp 0 0 0.0.0.0:48009 0.0.0.0:* LISTEN 29077/nimbus(cdm)
tcp 0 0 0.0.0.0:48010 0.0.0.0:* LISTEN 29058/nimbus(snmptd
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 6655/mysqld
tcp 0 0 0.0.0.0:48011 0.0.0.0:* LISTEN 29059/nimbus(proces
tcp 0 0 0.0.0.0:48012 0.0.0.0:* LISTEN 29060/nimbus(hdb)
tcp 0 0 127.0.0.1:38125 0.0.0.0:* LISTEN 340/magent
tcp 0 0 127.0.0.1:46413 0.0.0.0:* LISTEN 340/magent
tcp 0 0 0.0.0.0:48013 0.0.0.0:* LISTEN 29266/nimbus(logmon
tcp 0 0 0.0.0.0:8400 0.0.0.0:* LISTEN 23025/cvd
tcp 0 0 0.0.0.0:8402 0.0.0.0:* LISTEN 23026/EvMgrC
tcp 0 0 127.0.0.1:42581 0.0.0.0:* LISTEN 23025/cvd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 5398/sshd
tcp 0 0 0.0.0.0:60056 0.0.0.0:* LISTEN 23025/cvd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 4899/master
tcp 0 0 127.0.0.1:8126 0.0.0.0:* LISTEN 322/trace-agent
tcp 0 0 0.0.0.0:8192 0.0.0.0:* LISTEN 339/mrouter
tcp 0 0 0.0.0.0:48000 0.0.0.0:* LISTEN 12718/nimbus(contro
tcp 0 0 0.0.0.0:8193 0.0.0.0:* LISTEN 339/mrouter
tcp 0 0 0.0.0.0:48001 0.0.0.0:* LISTEN 12721/nimbus(spoole
tcp 0 0 127.0.0.1:7777 0.0.0.0:* LISTEN 322/trace-agent
tcp 0 0 0.0.0.0:45249 0.0.0.0:* LISTEN 23026/EvMgrC
tcp 0 0 0.0.0.0:8194 0.0.0.0:* LISTEN 339/mrouter
tcp 0 0 127.0.0.1:17123 0.0.0.0:* LISTEN 324/python
tcp 0 0 0.0.0.0:48007 0.0.0.0:* LISTEN 12718/nimbus(contro
tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN 5648/snmpd
tcp6 0 0 :::80 :::* LISTEN 1741/httpd
tcp6 0 0 :::52787 :::* LISTEN 1426/java
tcp6 0 0 :::22 :::* LISTEN 5398/sshd
tcp6 0 0 :::3000 :::* LISTEN 1426/java
tcp6 0 0 :::25 :::* LISTEN 4899/master
tcp6 0 0 :::443 :::* LISTEN 1741/httpd
tcp6 0 0 ::1:17123 :::* LISTEN 324/python
joker
April 10, 2018, 6:47am
4
It seems that mysqld is listening on all interfaces. That one is checked and fine.
---
That points to a possible firewall issue: the mysql server is dropping the packets of the mysql connection attempt, the mysql server is being blocked completely, or the mysql server is not reachable via IP (check with ping!).
---
Please check if the mysql port is open from the machine from which you are trying to connect:
nmap -p3306 -P0 ip.of.mysql.server
Check/show your complete firewall rule set (iptables -L -v -n):
joker:
It seems that mysqld is listening on all interfaces. That one is checked and fine.
---
Please check if the mysql port is open from the machine from which you are trying to connect:
nmap -p3306 -P0 ip.of.mysql.server
Check/show your complete firewall rule set (iptables -L -v -n):
This is the result of running the nmap command:
Host is up.
PORT STATE SERVICE
3306/tcp filtered mysql
joker
April 10, 2018, 7:04am
6
That one is still open.
And for the record, the answer in the first place, which gives us the most information about your situation and error so we can best help you, would have been this:
What I have executed is this: mysql -h 1.2.3.4
What I got is this: ERROR 2003 (HY000): Can't connect to MySQL server on '1.2.3.4' (101 "Network is unreachable")
Apologies, here is the result of that command:
Chain INPUT (policy ACCEPT 323 packets, 123K bytes)
pkts bytes target prot opt in out source destination
5244 285K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 7357 packets, 19M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
When I run mysql -h 1.2.3.4, it just hangs and cannot connect.
---------- Post updated at 06:32 AM ---------- Previous update was at 06:20 AM ----------
The server is hosted by Rackspace.
Is there a chance the connection may be getting blocked by some firewall functionality in the admin console?
joker
April 10, 2018, 7:35am
8
Thanks for providing the requested information.
The iptables rules are redundant. Everything is open and you additionally allowed the mysql port.
So that's likely not a firewall issue on your mysql server; somewhere between mysql client and mysql server there is a component that does packet filtering. (Or possibly on your mysql client machine, but that is highly unlikely. Just make sure you have no firewall rules configured on your client (iptables -L -v -n).)
So you must figure out which devices are between the mysql server and client and which one is doing the filtering.
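Added example, not from this thread: a Python check of the two facts joker established, run over constructed samples in the format of the netstat -ntlp and iptables -L -v -n output posted above. It reads mysqld's bind address from the listener table and evaluates the INPUT chain first-match for port 3306, reporting whether the explicit ACCEPT is redundant with the chain policy, which is why the host itself cannot be the filter.

```python
"""Checks the two server-side facts the thread settles, from `netstat -ntlp` and
`iptables -L -v -n` text: mysqld is bound to all interfaces, and the INPUT policy
is ACCEPT, so the dport:3306 ACCEPT rule is redundant. Samples are constructed."""
import re
NETSTAT = """\
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 6655/mysqld
tcp 0 0 127.0.0.1:8126 0.0.0.0:* LISTEN 322/trace-agent
"""
IPTABLES = """\
Chain INPUT (policy ACCEPT 323 packets, 123K bytes)
 pkts bytes target prot opt in out source destination
 5244 285K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
"""

def listen_addrs(netstat_text, program):
    """Local addresses (port stripped) on which `program` is in LISTEN state."""
    addrs = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[5] == "LISTEN" and f[6].endswith("/" + program):
            addrs.add(f[3].rsplit(":", 1)[0])
    return addrs

def bound_to_all_interfaces(addrs):
    """A wildcard bind (0.0.0.0 or ::) is what makes the service remotely reachable."""
    return bool(addrs & {"0.0.0.0", "::"})

def chain_rules(iptables_text, chain):
    """(policy, [rule field lists]) for one chain; user-defined chains give policy None."""
    policy, rules, inside = None, [], False
    for line in iptables_text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+))?", line)
        if m:
            inside = m.group(1) == chain
            policy = m.group(2) if inside else policy
            continue
        f = line.split()
        if inside and len(f) >= 9 and f[0][:1].isdigit():  # skips the header line
            rules.append(f)
    return policy, rules

def tcp_dport_verdict(iptables_text, port, chain="INPUT"):
    """First-match verdict for inbound TCP to `port`, source/interface limits ignored;
    returns (target, 'rule'|'policy', redundant=all matching rules equal the policy)."""
    policy, rules = chain_rules(iptables_text, chain)
    hits = [f for f in rules if f[3] in ("tcp", "all")
            and (f"dpt:{port}" in f[9:] or not any(x.startswith("dpt:") for x in f[9:]))]
    if not hits:
        return policy, "policy", False
    return hits[0][2], "rule", all(f[2] == policy for f in hits)
```

With a DROP policy and a source-restricted ACCEPT the same function reports the rule as not redundant, which is the least-privilege shape joker's warning about non-local listeners points to.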
joker:
Thanks for providing the requested information.
The iptables rules are redundant. Everything is open and you additionally allowed the mysql port.
So that's likely not a firewall issue on your mysql server; somewhere between mysql client and mysql server there is a component that does packet filtering. (Or possibly on your mysql client machine, but that is highly unlikely. Just make sure you have no firewall rules configured on your client (iptables -L -v -n).)
So you must figure out which devices are between the mysql server and client and which one is doing the filtering.
I just checked the client and there are no firewall rules configured there.
My client is hosted on AWS and I have set up the security groups to allow all inbound and outbound traffic on all ports for now.
I am not too familiar with Rackspace, so perhaps they have something similar to security groups that may be blocking the connections.