[Techtalk] iptables help

Rachel McConnell rachel at xtreme.com
Thu Jan 26 09:41:48 EST 2006 

Hello Experts,

I'm trying to allow a machine in my office, "qbert", to use a mysql 
database on "tempest", which resides in a colo behind a firewall.  I am 
familiar with the firewall and have created an IP-specific hole in it 
that I'm quite confident of.

tempest also uses iptables, even after packets have been passed on from 
the firewall.  I have done Things with iptables on tempest but I'm not 
strong at iptables so I believe this is where I've gone wrong.  Needless 
to say qbert cannot currently get through to mysql on tempest.  I'm 
hoping for some debugging help!

iptables rules on tempest look like the below.  The line I believe ought 
to apply is the 7th one, with dpt:mysql.  (At first I tried making this 
specific to qbert's IP address, and then tried no IP restriction when 
that didn't work.)

tempest:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere    anywhere            state 
RELATED,ESTABLISHED
ACCEPT     all  --  localhost   anywhere
ACCEPT     tcp  --  anywhere    anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere    anywhere            state NEW tcp dpt:www
ACCEPT     tcp  --  anywhere    anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere    anywhere            state NEW tcp dpt:3000
ACCEPT     tcp  --  anywhere    anywhere            state NEW tcp dpt:mysql
ACCEPT     tcp  --  1.2.3.4/26  anywhere            state NEW tcp 
dpt:postgresql
ACCEPT     tcp  --  anywhere    anywhere            tcp dpt:ntp
ACCEPT     udp  --  anywhere    anywhere            udp dpt:ntp
ACCEPT     tcp  --  anywhere    anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere    anywhere            udp dpt:domain
ACCEPT     icmp --  1.2.3.4     anywhere
REJECT     all  --  anywhere    anywhere            reject-with 
icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source      destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source      destination


I can telnet from qbert to tempest on 3306, the mysql default port, but 
the connection breaks almost immediately and it doesn't produce the 
usual mysql Stuff.  Before I had the firewall hole open, if I tried to 
connect via a mysql client I got an error message:

ERROR 2003 (HY000): Can't connect to MySQL server on 'tempest' (10061)

which is the client telling me the server isn't responding.  After the 
firewall hole, attempting to connect via a mysql client produces 
nothing, no connection, no error message.  It just hangs.


To make changes to iptables, i did this:

# iptables-save > temp.txt
# vi temp.txt (to make the changes I wanted)
# cat temp.txt | iptables-restore

 From what I've read, I thought that iptables-restore actually re-loaded 
the rules, so that they'd immediately apply, but the behavior I'm seeing 
makes me think maybe it doesn't?  And I need to apply them by hand?

Other thoughts also much appreciated!

thanks,
Rachel

PS we also have boxen named zaxxon & digdug - yay 80's arcade games!

More information about the Techtalk mailing list