
Hi,

On Thu, Feb 4, 2010 at 4:24 PM, Nd'wex Common <flexycat@gmail.com> wrote:
Hi,
I have a MySQL database hosted on a Linux server [CentOS 5.4] and I would like to access the database from another machine on the network. I have made the following configuration to iptables:
iptables -A INPUT -p tcp -s 202.54.1.50 --sport 1024:65535 -d 202.54.1.20 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 3306 -d 202.54.1.50 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
The IP addresses here are not real.
A is for append. So you are appending the rule to the end of the INPUT chain. That won't work with RH based systems since you probably have a chain RH-Firewall-1-INPUT that has an explicit drop/reject (see below). In AA:

    incoming-pkt-----------> INPUT_CHAIN -> RH-Firewall-1-INPUT -----> Any other rule/Chain

In iptables -n -L -v:

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target               prot opt in  out source      destination
     136M  166G RH-Firewall-1-INPUT  all  --  *   *   0.0.0.0/0   0.0.0.0/0
    ....
    ....

    Chain RH-Firewall-1-INPUT (2 references)
     pkts bytes target  prot opt in  out source      destination
      19M 1128M ACCEPT  all  --  lo  *   0.0.0.0/0   0.0.0.0/0
     1945  155K ACCEPT  icmp --  *   *   0.0.0.0/0   0.0.0.0/0     icmp type 255
        0     0 ACCEPT  esp  --  *   *   0.0.0.0/0   0.0.0.0/0
        0     0 ACCEPT  ah   --  *   *   0.0.0.0/0   0.0.0.0/0
     2515  648K ACCEPT  udp  --  *   *   0.0.0.0/0   224.0.0.251   udp dpt:5353
        0     0 ACCEPT  udp  --  *   *   0.0.0.0/0   0.0.0.0/0     udp dpt:631
        0     0 ACCEPT  tcp  --  *   *   0.0.0.0/0   0.0.0.0/0     tcp dpt:631
     117M  165G ACCEPT  all  --  *   *   0.0.0.0/0   0.0.0.0/0     state RELATED,ESTABLISHED
       28  2888 ACCEPT  tcp  --  *   *   0.0.0.0/0   0.0.0.0/0     state NEW tcp dpt:22
    15965 8222K REJECT  all  --  *   *   0.0.0.0/0   0.0.0.0/0     reject-with icmp-host-prohibited

What you need to do is:

- Insert (-I) the rule into RH-Firewall-1-INPUT prior to the REJECT/DROP (say at position 10 = around the allow port 22 traffic), or
- INPUT chain (position 1, before "136M 166G RH-Firewall-1-INPUT").

Option 1 above is the preferred way.

Easiest way to do this?

- Edit /etc/sysconfig/iptables by hand and add the rule before the reject statement and restart the iptables service (remember to do the same for IPv6), or
- use system-config-securitylevel-tui, e.g. 'system-config-securitylevel-tui -q -p 3306:tcp', then edit the /etc/sysconfig/iptables.

End result:

    # iptables -n -L -v
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target               prot opt in  out source      destination
     136M  166G RH-Firewall-1-INPUT  all  --  *   *   0.0.0.0/0   0.0.0.0/0
    ....
    ....

    Chain RH-Firewall-1-INPUT (2 references)
     pkts bytes target  prot opt in  out source      destination
      19M 1128M ACCEPT  all  --  lo  *   0.0.0.0/0   0.0.0.0/0
     1945  155K ACCEPT  icmp --  *   *   0.0.0.0/0   0.0.0.0/0     icmp type 255
        0     0 ACCEPT  esp  --  *   *   0.0.0.0/0   0.0.0.0/0
        0     0 ACCEPT  ah   --  *   *   0.0.0.0/0   0.0.0.0/0
     2515  648K ACCEPT  udp  --  *   *   0.0.0.0/0   224.0.0.251   udp dpt:5353
        0     0 ACCEPT  udp  --  *   *   0.0.0.0/0   0.0.0.0/0     udp dpt:631
        0     0 ACCEPT  tcp  --  *   *   0.0.0.0/0   0.0.0.0/0     tcp dpt:631
     117M  165G ACCEPT  all  --  *   *   0.0.0.0/0   0.0.0.0/0     state RELATED,ESTABLISHED
       28  2888 ACCEPT  tcp  --  *   *   0.0.0.0/0   0.0.0.0/0     state NEW tcp dpt:22
        0     0 ACCEPT  tcp  --  *   *   0.0.0.0/0   0.0.0.0/0     state NEW tcp dpt:3306
    15965 8222K REJECT  all  --  *   *   0.0.0.0/0   0.0.0.0/0     reject-with icmp-host-prohibited

NB: As an exercise, find out why you should add the rule after "allow state RELATED,ESTABLISHED" :)
When I try to access the server, even by telnetting, it won't work. Where could I be going wrong?
All assistance will be highly appreciated.
Nd'wex
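As an added illustration of the advice in the reply (not code from the thread or from the CentOS tools it mentions), the POSIX shell helper below reads an `iptables -n -L RH-Firewall-1-INPUT --line-numbers` listing, finds the first REJECT/DROP rule, checks that 3306 is not already allowed, and prints the `iptables -I` command that puts the MySQL rule just before the reject and after the RELATED,ESTABLISHED rule. The listing is a constructed sample modelled on the chain in the reply (without -v, so no pkts/bytes columns), the function names are my own, and the addresses are the fictional ones from the question.

```shell
# Constructed sample of `iptables -n -L RH-Firewall-1-INPUT --line-numbers`
# output (no -v, so no pkts/bytes columns), modelled on the chain in the reply.
SAMPLE_CHAIN='Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
10   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Rule number of the first REJECT/DROP in a listing read from stdin.
# `iptables -I CHAIN N` inserts *before* rule N, so this is exactly where a
# new ACCEPT has to go to be evaluated ahead of the catch-all reject.
insert_position() {
    awk '$2 == "REJECT" || $2 == "DROP" { print $1; exit }'
}

# Rule number of the stateful RELATED,ESTABLISHED rule, if present.
state_rule_position() {
    awk '/state RELATED,ESTABLISHED/ { print $1; exit }'
}

# Build the iptables command that lets client $1 reach MySQL on server $2.
# Reads the chain listing from stdin and prints the command instead of
# running it, so the administrator can review it (or pipe it into sh).
mysql_rule() {
    listing=$(cat)
    # Idempotency: do not add a second rule if 3306 is already accepted.
    if printf '%s\n' "$listing" | grep -q 'tcp dpt:3306'; then
        echo "RH-Firewall-1-INPUT already accepts tcp/3306" >&2
        return 2
    fi
    pos=$(printf '%s\n' "$listing" | insert_position)
    [ -n "$pos" ] || { echo "no REJECT/DROP rule found in chain" >&2; return 1; }
    est=$(printf '%s\n' "$listing" | state_rule_position)
    # The reply's end result keeps the state rule ahead of the new one.
    if [ -n "$est" ] && [ "$est" -ge "$pos" ]; then
        echo "warning: RELATED,ESTABLISHED rule $est is not before the reject" >&2
    fi
    printf 'iptables -I RH-Firewall-1-INPUT %s -p tcp -s %s -d %s --dport 3306 -m state --state NEW -j ACCEPT\n' \
        "$pos" "$1" "$2"
}

# Offline demonstration on the constructed listing:
printf '%s\n' "$SAMPLE_CHAIN" | mysql_rule 202.54.1.50 202.54.1.20
```

On a live CentOS 5 box the listing would come from `iptables -n -L RH-Firewall-1-INPUT --line-numbers` instead of the sample; the printed rule still has to be copied into /etc/sysconfig/iptables to survive a service restart, as the reply says.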
_______________________________________________
Skunkworks mailing list
Skunkworks@lists.my.co.ke
http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks