[Techtalk] iptables help
Rachel McConnell
rachel at xtreme.com
Thu Jan 26 09:41:48 EST 2006
Hello Experts,
I'm trying to allow a machine in my office, "qbert", to use a mysql
database on "tempest", which resides in a colo behind a firewall. I am
familiar with the firewall and have created an IP-specific hole in it
that I'm quite confident of.
tempest also uses iptables, even after packets have been passed on from
the firewall. I have done Things with iptables on tempest but I'm not
strong at iptables so I believe this is where I've gone wrong. Needless
to say qbert cannot currently get through to mysql on tempest. I'm
hoping for some debugging help!
iptables rules on tempest look like the below. The line I believe ought
to apply is the 7th one, with dpt:mysql. (At first I tried making this
specific to qbert's IP address, and then tried no IP restriction when
that didn't work.)
tempest:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- localhost anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:www
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:3000
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:mysql
ACCEPT tcp -- 1.2.3.4/26 anywhere state NEW tcp dpt:postgresql
ACCEPT tcp -- anywhere anywhere tcp dpt:ntp
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT icmp -- 1.2.3.4 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I can telnet from qbert to tempest on 3306, the mysql default port, but
the connection breaks almost immediately and it doesn't produce the
usual mysql Stuff. Before I had the firewall hole open, if I tried to
connect via a mysql client I got an error message:
ERROR 2003 (HY000): Can't connect to MySQL server on 'tempest' (10061)
which is the client telling me the server isn't responding. After the
firewall hole, attempting to connect via a mysql client produces
nothing, no connection, no error message. It just hangs.
To make changes to iptables, I did this:
# iptables-save > temp.txt
# vi temp.txt (to make the changes I wanted)
# cat temp.txt | iptables-restore
From what I've read, I thought that iptables-restore actually re-loaded
the rules, so that they'd immediately apply, but the behavior I'm seeing
makes me think maybe it doesn't? And I need to apply them by hand?
Other thoughts also much appreciated!
thanks,
Rachel
PS we also have boxen named zaxxon & digdug - yay 80's arcade games!
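Added example, not part of the post above and not from any iptables tool: an offline first-match simulator for an INPUT chain written in iptables-save syntax (the format that `iptables-save` emits and `iptables-restore` consumes). It walks the rules in order the way the kernel does and reports the verdict and the rule number that produced it, which is a quick way to confirm what a rule set as written should do to a given packet before looking at the live host. The rule set is constructed to mirror the listing in the post, with service names replaced by the numeric ports from /etc/services (mysql=3306, postgresql=5432, and so on) and 1.2.3.4/26 written as 1.2.3.0/26, which is how iptables-save normalises a non-aligned network; both are assumptions of this example. Only the matches that appear in that listing are modelled.

```python
"""Offline first-match simulator for an iptables INPUT chain (added example)."""
import ipaddress
import shlex

# Constructed rule set modelled on the post's `iptables -L` listing,
# in iptables-save syntax with numeric ports (assumed mapping from
# /etc/services: ssh=22, www=80, https=443, mysql=3306,
# postgresql=5432, ntp=123, domain=53).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3000 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 1.2.3.0/26 -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""


def parse_rules(text, chain="INPUT"):
    """Return (policy, rules) for one chain of an iptables-save dump.

    Each rule is a dict holding only the match criteria it specifies;
    a missing key means "match anything" for that criterion.
    """
    policy = "ACCEPT"
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):            # ":INPUT ACCEPT [0:0]" policy line
            name, pol = line[1:].split()[:2]
            if name == chain:
                policy = pol
            continue
        if not line.startswith(f"-A {chain} "):
            continue                        # other chains, *filter, COMMIT
        toks = shlex.split(line)[2:]        # drop "-A INPUT"
        rule = {"raw": line}
        i = 0
        while i < len(toks):
            t = toks[i]
            if t in ("-p", "--protocol"):
                rule["proto"] = toks[i + 1]
            elif t in ("-s", "--source"):
                rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
            elif t == "--dport":
                rule["dport"] = int(toks[i + 1])
            elif t == "--state":
                rule["states"] = set(toks[i + 1].split(","))
            elif t in ("-j", "--jump"):
                rule["target"] = toks[i + 1]
            elif t in ("-m", "--reject-with"):
                pass                        # extension name / reject type: no match effect
            else:
                raise ValueError(f"unsupported option {t!r} in: {line}")
            i += 2                          # every modelled option takes one argument
        rules.append(rule)
    return policy, rules


def rule_matches(rule, pkt):
    """True if every criterion the rule specifies is satisfied by pkt."""
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    if "states" in rule and pkt["state"] not in rule["states"]:
        return False
    return True


def evaluate(text, pkt, chain="INPUT"):
    """Walk the chain top to bottom; return (verdict, 1-based rule number).

    The first matching rule wins, exactly as the kernel evaluates a chain.
    If nothing matches, the chain policy applies and the rule number is None.
    """
    policy, rules = parse_rules(text, chain)
    for n, rule in enumerate(rules, 1):
        if rule_matches(rule, pkt):
            return rule["target"], n
    return policy, None


if __name__ == "__main__":
    # Constructed packets: a fresh MySQL connection from an office box,
    # and a fresh PostgreSQL connection from inside and outside 1.2.3.0/26.
    for pkt in ({"src": "10.0.0.5", "proto": "tcp", "dport": 3306, "state": "NEW"},
                {"src": "10.0.0.5", "proto": "tcp", "dport": 5432, "state": "NEW"},
                {"src": "1.2.3.20", "proto": "tcp", "dport": 5432, "state": "NEW"}):
        print(pkt, "->", evaluate(SAMPLE_RULES, pkt))
```

Run against the constructed rule set, a NEW TCP connection to port 3306 from any source is accepted by rule 7, so the rules as written are not what blocks such a packet. That makes the simulator a way to separate "the rule set is wrong" from "the loaded rule set is not the one I think it is" or "the service behind the port is not answering": on the host, `iptables -L -n -v` shows per-rule packet counters, so a counter on the mysql rule that stays at zero while connections are attempted points away from the rule text and toward what was actually loaded, or toward the daemon itself (for example, whether it is listening on the external address at all).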