[Techtalk] iptables help - it was mysql all along
Rachel McConnell
rachel at xtreme.com
Fri Jan 27 03:50:00 EST 2006
Thanks to those who replied to me! The problem is solved.
Embarrassingly, the trouble turned out not to be iptables at all; I DID
do it correctly. But mysql was set to accept connections only from
localhost, and I'd previously thought that mysql handled filtering by
where the connection came from only at the individual user level (e.g.
grant all on dbname.* to 'username'@'host' identified by 'password' will
only allow that user to connect from 'host'). Turns out there's also a
setting in my.cnf:
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 127.0.0.1
I commented this out and restarted the mysql server and voila! remote
connections accepted.
Thanks again,
Rachel
Rachel McConnell wrote:
> Hello Experts,
>
> I'm trying to allow a machine in my office, "qbert", to use a mysql
> database on "tempest", which resides in a colo behind a firewall. I am
> familiar with the firewall and have created an IP-specific hole in it
> that I'm quite confident of.
>
> tempest also uses iptables, even after packets have been passed on from
> the firewall. I have done Things with iptables on tempest but I'm not
> strong at iptables so I believe this is where I've gone wrong. Needless
> to say qbert cannot currently get through to mysql on tempest. I'm
> hoping for some debugging help!
>
> iptables rules on tempest look like the below. The line I believe ought
> to apply is the 7th one, with dpt:mysql. (At first I tried making this
> specific to qbert's IP address, and then tried no IP restriction when
> that didn't work.)
>
> tempest:~# iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT all -- localhost anywhere
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:www
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:3000
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:mysql
> ACCEPT tcp -- 1.2.3.4/26 anywhere state NEW tcp
> dpt:postgresql
> ACCEPT tcp -- anywhere anywhere tcp dpt:ntp
> ACCEPT udp -- anywhere anywhere udp dpt:ntp
> ACCEPT tcp -- anywhere anywhere tcp dpt:domain
> ACCEPT udp -- anywhere anywhere udp dpt:domain
> ACCEPT icmp -- 1.2.3.4 anywhere
> REJECT all -- anywhere anywhere reject-with
> icmp-port-unreachable
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
>
> I can telnet from qbert to tempest on 3306, the mysql default port, but
> the connection breaks almost immediately and it doesn't produce the
> usual mysql Stuff. Before I had the firewall hole open, if I tried to
> connect via a mysql client I got an error message:
>
> ERROR 2003 (HY000): Can't connect to MySQL server on 'tempest' (10061)
>
> which is the client telling me the server isn't responding. After the
> firewall hole, attempting to connect via a mysql client produces
> nothing, no connection, no error message. It just hangs.
>
>
> To make changes to iptables, i did this:
>
> # iptables-save > temp.txt
> # vi temp.txt (to make the changes I wanted)
> # cat temp.txt | iptables-restore
>
> From what I've read, I thought that iptables-restore actually re-loaded
> the rules, so that they'd immediately apply, but the behavior I'm seeing
> makes me think maybe it doesn't? And I need to apply them by hand?
>
> Other thoughts also much appreciated!
>
> thanks,
> Rachel
>
> PS we also have boxen named zaxxon & digdug - yay 80's arcade games!
> _______________________________________________
> Techtalk mailing list
> Techtalk at linuxchix.org
> http://linuxchix.org/cgi-bin/mailman/listinfo/techtalk
More information about the Techtalk
mailing list