iptables - allow MySql

Hi

I want to allow mysql connections to my server and I have added the following iptables.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mysql

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mysql

Unfortunately they don't seem to be working.
Could someone please provide the correct set of commands to enable mysql access via iptables?

Thank you
Damien

What do you mean by saying it is not working?

  • What exactly are you doing (actually typed in commands)?
  • What is the exact error message you got?
  • What interfaces is your mysql server configured to listen to (netstat -ntlp)?
  • Making mysql listen to non-local interfaces should be done with care because it may open a security threat if not done properly.

I mean I still cannot connect to mysql on my remote server.
The commands I am using are as follows

iptables -I INPUT -p tcp -m tcp --dport 3306 -j ACCEPT;
iptables-save > /etc/sysconfig/iptables
service iptables restart

I don't get any error message - just mysql cannot connect and appears to hang.

The result of netstat -ntlp is as follows

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:48008           0.0.0.0:*               LISTEN      29057/perl
tcp        0      0 0.0.0.0:48009           0.0.0.0:*               LISTEN      29077/nimbus(cdm)
tcp        0      0 0.0.0.0:48010           0.0.0.0:*               LISTEN      29058/nimbus(snmptd
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      6655/mysqld
tcp        0      0 0.0.0.0:48011           0.0.0.0:*               LISTEN      29059/nimbus(proces
tcp        0      0 0.0.0.0:48012           0.0.0.0:*               LISTEN      29060/nimbus(hdb)
tcp        0      0 127.0.0.1:38125         0.0.0.0:*               LISTEN      340/magent
tcp        0      0 127.0.0.1:46413         0.0.0.0:*               LISTEN      340/magent
tcp        0      0 0.0.0.0:48013           0.0.0.0:*               LISTEN      29266/nimbus(logmon
tcp        0      0 0.0.0.0:8400            0.0.0.0:*               LISTEN      23025/cvd
tcp        0      0 0.0.0.0:8402            0.0.0.0:*               LISTEN      23026/EvMgrC
tcp        0      0 127.0.0.1:42581         0.0.0.0:*               LISTEN      23025/cvd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      5398/sshd
tcp        0      0 0.0.0.0:60056           0.0.0.0:*               LISTEN      23025/cvd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      4899/master
tcp        0      0 127.0.0.1:8126          0.0.0.0:*               LISTEN      322/trace-agent
tcp        0      0 0.0.0.0:8192            0.0.0.0:*               LISTEN      339/mrouter
tcp        0      0 0.0.0.0:48000           0.0.0.0:*               LISTEN      12718/nimbus(contro
tcp        0      0 0.0.0.0:8193            0.0.0.0:*               LISTEN      339/mrouter
tcp        0      0 0.0.0.0:48001           0.0.0.0:*               LISTEN      12721/nimbus(spoole
tcp        0      0 127.0.0.1:7777          0.0.0.0:*               LISTEN      322/trace-agent
tcp        0      0 0.0.0.0:45249           0.0.0.0:*               LISTEN      23026/EvMgrC
tcp        0      0 0.0.0.0:8194            0.0.0.0:*               LISTEN      339/mrouter
tcp        0      0 127.0.0.1:17123         0.0.0.0:*               LISTEN      324/python
tcp        0      0 0.0.0.0:48007           0.0.0.0:*               LISTEN      12718/nimbus(contro
tcp        0      0 127.0.0.1:199           0.0.0.0:*               LISTEN      5648/snmpd
tcp6       0      0 :::80                   :::*                    LISTEN      1741/httpd
tcp6       0      0 :::52787                :::*                    LISTEN      1426/java
tcp6       0      0 :::22                   :::*                    LISTEN      5398/sshd
tcp6       0      0 :::3000                 :::*                    LISTEN      1426/java
tcp6       0      0 :::25                   :::*                    LISTEN      4899/master
tcp6       0      0 :::443                  :::*                    LISTEN      1741/httpd
tcp6       0      0 ::1:17123               :::*                    LISTEN      324/python

Seems that mysqld is listening on all interfaces. That one is checked and fine.

---

That points to a possible firewall issue: either the mysql server is just dropping the packets of the mysql-connection attempt, the mysql server is being blocked completely, or the mysql server is not reachable via IP (check with ping!).

---

Please check if the mysql-port is open from the machine from which you are trying to connect:

nmap -p3306 -P0 ip.of.mysql.server

Check/Show your complete firewall rule set (iptables -L -v -n):

This is the result of running the nmap command

Host is up.
PORT     STATE    SERVICE
3306/tcp filtered mysql

That one is still open.

And for the record, the answer that would have given us the most information about your situation and error in the first place, so we could best help you, would have been this:

  1. What I have executed is this: mysql -h 1.2.3.4
  2. What I got is this: ERROR 2003 (HY000): Can't connect to MySQL server on '1.2.3.4' (101 "Network is unreachable")

Apologies - here is the result of that command

Chain INPUT (policy ACCEPT 323 packets, 123K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5244  285K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 7357 packets, 19M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306

when I run mysql -h 1.2.3.4 - it just hangs and cannot connect

---------- Post updated at 06:32 AM ---------- Previous update was at 06:20 AM ----------

The server is hosted by Rackspace.
Is there a chance the connection may be getting blocked by some firewall functionality in the admin console?

Thanks for providing the requested information.

The iptables rules are redundant. Everything is open and you additionally allowed the mysql port.

So that's likely not a firewall issue on your mysql server, but somewhere between mysql-client and mysql-server there is a component that does packet filtering. (Or possibly on your mysql-client machine, but highly unlikely. Just make sure you have no firewall rules configured on your client (iptables -L -v -n).)

So you must figure out which devices are between the mysql-server and client and which one is doing the filtering.
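The reasoning in the two replies above (is mysqld bound to a non-local address; does the INPUT chain accept the port for this client; if both are fine, look upstream) can be automated. The following is an added example of mine, not code from the thread or from any tool mentioned in it. It parses `iptables -L -v -n` and `netstat -ntlp` text (constructed samples shaped like the outputs pasted above, plus a constructed least-privilege variant with a DROP policy and the port opened only for one client address; the addresses 203.0.113.10 and 198.51.100.7 are documentation ranges) and classifies where the problem can still be. The packet counter on the ACCEPT rule is kept because a non-zero counter is direct evidence that client traffic is reaching the host.

```python
"""Decide from `iptables -L -v -n` and `netstat -ntlp` output whether the MySQL
host itself can be what blocks a remote client (added example, not thread code).
Simplification: only a rule's protocol, source address and destination port are
evaluated; interface, state/conntrack and other match extensions are ignored."""
import ipaddress
import re

# Constructed sample, shaped like the rule set pasted in the thread: policy ACCEPT
# everywhere plus a redundant ACCEPT for dpt:3306 that has already counted packets.
IPTABLES_OPEN = """\
Chain INPUT (policy ACCEPT 323 packets, 123K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5244  285K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 7357 packets, 19M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
"""

# Constructed: a least-privilege INPUT chain for the same service (default DROP,
# 3306 accepted only from the single client address 203.0.113.10).
IPTABLES_HARDENED = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
   41  2460 ACCEPT     tcp  --  *      *       203.0.113.10         0.0.0.0/0            tcp dpt:3306
"""

# Constructed excerpt in `netstat -ntlp` layout (mysqld on all interfaces,
# an agent on loopback only, sshd on IPv6).
NETSTAT_OUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      6655/mysqld
tcp        0      0 127.0.0.1:8126          0.0.0.0:*               LISTEN      322/trace-agent
tcp6       0      0 :::22                   :::*                    LISTEN      5398/sshd
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
# pkts bytes target prot opt in out source destination [match extensions]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)(.*)$"
)


def parse_iptables(text):
    """Return {chain: {"policy": ..., "rules": [...]}} from `iptables -L -v -n` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        m = RULE_RE.match(line)
        if m and current:  # the column-header line has no leading digits, so it is skipped
            pkts, _bytes, target, proto, source, dest, extra = m.groups()
            chains[current]["rules"].append({
                "pkts": int(pkts), "target": target, "proto": proto,
                "source": source, "dest": dest, "match": extra.strip(),
            })
    return chains


def verdict(chains, port, client_ip, chain="INPUT"):
    """First-match evaluation of a new TCP connection from client_ip to dport `port`."""
    client = ipaddress.ip_address(client_ip)
    for r in chains[chain]["rules"]:
        if r["proto"] not in ("tcp", "all"):
            continue
        if client not in ipaddress.ip_network(r["source"], strict=False):
            continue
        # A rule with no dpt: match applies to every port; otherwise require an exact dpt.
        if f"dpt:{port}" in r["match"].split() or "dpt:" not in r["match"]:
            return r["target"], f"rule (counter {r['pkts']} pkts)"
    return chains[chain]["policy"], "chain policy"


def listeners(text, port):
    """Return [(bind_address, program)] for LISTEN sockets on `port` in `netstat -ntlp` output."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue
        addr, _, p = parts[3].rpartition(":")  # rpartition handles ':::22' as well
        if p == str(port):
            found.append((addr, parts[6] if len(parts) > 6 else ""))
    return found


def diagnose(iptables_text, netstat_text, port, client_ip):
    """Classify the situation the way the replies in this thread reason about it."""
    binds = listeners(netstat_text, port)
    if not binds:
        return "not-listening"
    if all(addr in ("127.0.0.1", "::1") for addr, _ in binds):
        return "local-only"
    target, _why = verdict(parse_iptables(iptables_text), port, client_ip)
    if target != "ACCEPT":
        return f"blocked-by-host-firewall:{target}"
    return "host-ok"  # nothing on this host blocks it: look between client and server


if __name__ == "__main__":
    for label, rules in (("open", IPTABLES_OPEN), ("hardened", IPTABLES_HARDENED)):
        for ip in ("203.0.113.10", "198.51.100.7"):
            print(label, ip, diagnose(rules, NETSTAT_OUT, 3306, ip))
```

With the thread's rule set the result for any client is "host-ok", which is exactly the conclusion drawn above: the host accepts the port, so the filtering sits somewhere on the path (or at the provider). The hardened variant shows the result a practitioner should aim for once connectivity works: the same client gets "host-ok", every other source gets "blocked-by-host-firewall:DROP".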

I just checked the client and there are no firewall rules configured there.
My client is hosted on AWS and I have set up the security groups to allow all inbound and outbound traffic on all ports for now.

I am not too familiar with Rackspace, so perhaps they have something similar to Security Groups that may be blocking the connections.