[Techtalk] iptables help

Wim De Smet kromagg at gmail.com
Sat Jan 28 23:37:56 EST 2006


On 1/25/06, Rachel McConnell <rachel at xtreme.com> wrote:
> Hello Experts,
>
> I'm trying to allow a machine in my office, "qbert", to use a mysql
> database on "tempest", which resides in a colo behind a firewall.  I am
> familiar with the firewall and have created an IP-specific hole in it
> that I'm quite confident of.
>
> tempest also uses iptables, even after packets have been passed on from
> the firewall.  I have done Things with iptables on tempest but I'm not
> strong at iptables so I believe this is where I've gone wrong.  Needless
> to say qbert cannot currently get through to mysql on tempest.  I'm
> hoping for some debugging help!
>
> iptables rules on tempest look like the below.  The line I believe ought
> to apply is the 7th one, with dpt:mysql.  (At first I tried making this
> specific to qbert's IP address, and then tried no IP restriction when
> that didn't work.)
>
> tempest:~# iptables -L
>[...]
> ACCEPT     tcp  --  anywhere    anywhere            state NEW tcp dpt:mysql
>[...]

Okay, so this is the INPUT chain, where you have a packet incoming for
port mysql. You match the packet because it's from a NEW connection and
to the mysql port. The mysql server sends a response (ehm, a SYN/ACK?,
memory's rusty). In comes another packet (ACK?) which is part of an
ESTABLISHED connection (traffic both ways). This no longer matches
this rule since the state is now "ESTABLISHED". So I think that's
where your problem is. (For the behaviour you want I'd suggest
dropping the state NEW part.)

Mind you, I'm no expert so I could be 100% pathologically wrong. :)

greets,
Wim
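
The thread never shows a complete ruleset, so here is an added example, not
from the original post or from either correspondent, of how a "state NEW"
rule for MySQL is normally paired with an ESTABLISHED,RELATED rule so that
the rest of the TCP handshake and the data packets are accepted too. It
assumes qbert's address is 192.0.2.10 (a documentation address used as a
placeholder) and that MySQL listens on TCP 3306; both are assumptions. The
script only emits the ruleset in iptables-restore format and checks the
rule order, so it can be run without root; loading it is left to the
commented commands. On current kernels "-m conntrack --ctstate" is the
equivalent of the "-m state --state" syntax used in the thread.

```shell
#!/bin/sh
# Added example for the Techtalk thread; not the poster's own rules.
# Assumed placeholder values: qbert = 192.0.2.10, MySQL on TCP 3306.
QBERT_IP="${QBERT_IP:-192.0.2.10}"

# Emit tempest's filter table in iptables-restore format.
# Rule order is the point: the ESTABLISHED,RELATED accept comes first, so
# every packet after the initial SYN (which the "state NEW" rule admits) is
# accepted even though it no longer matches "state NEW".
tempest_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s ${QBERT_IP} --dport 3306 -m state --state NEW -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
COMMIT
EOF
}

# Static check before loading: the stateful accept must precede the first
# "state NEW" rule, otherwise the connection is admitted and then dropped
# on its second packet. Returns 0 when the order is right.
check_rule_order() {
    est=$(tempest_ruleset | grep -n -- '--state ESTABLISHED,RELATED' | head -n 1 | cut -d: -f1)
    new=$(tempest_ruleset | grep -n -- '--state NEW' | head -n 1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$new" ] && [ "$est" -lt "$new" ]
}

# Load and debug on tempest (root required, hence only commented here):
#   sh this_script.sh --print | iptables-restore
#   iptables -L INPUT -n -v --line-numbers   # numeric, with counters and rule numbers
#   iptables -S INPUT                        # the exact rules as typed, not -L's summary
# Then connect from qbert and watch the pkts counter on the dport 3306 rule:
# if it stays at 0 the SYN never reached that rule (an earlier rule, the colo
# firewall, or nothing listening on 3306); if it counts up but the session
# still hangs, look for a missing or misplaced ESTABLISHED,RELATED rule.

if [ "${1:-}" = "--print" ]; then
    tempest_ruleset
fi
```

Note that the bare `iptables -L` output quoted in the question hides the
source address, the input interface and the hit counters, which is exactly
the information needed to tell whether a packet is reaching the rule;
`-n -v --line-numbers` or `-S` shows all of it.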
