Hi,<br><br><div class="gmail_quote">On Thu, Feb 4, 2010 at 4:24 PM, Nd&#39;wex Common <span dir="ltr">&lt;<a href="mailto:flexycat@gmail.com">flexycat@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi,<br><br>I have mysql database hosted on a linux server [centos 5.4] and i would like to access the database from another machine from the network i have made the follwing configuration to iptables:<br><pre>iptables -A INPUT -p tcp -s 202.54.1.50 --sport 1024:65535 -d 202.54.1.20 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT<br>

iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 3306 -d 202.54.1.50 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT</pre>the ip addresses here are not real.<br></blockquote><div>A is for append. So you are appending the rule to the end of the INPUT chain. That won&#39;t work with RH based systems since you probably have a chain RH-Firewall-1-INPUT that has an explicit drop/reject (see below).  <br>
In AA:<br> incoming-pkt-----------&gt;INPUT_CHAIN-&gt;RH-Firewall-1-INPUT-----&gt;Any other rule/Chain<br><br>In iptables -n -L -v<br>Chain INPUT (policy ACCEPT 0 packets, 0 bytes)<br> pkts bytes target     prot opt in     out     source               destination         <br>
 136M  166G RH-Firewall-1-INPUT  all  --  *      *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            <a href="http://0.0.0.0/0">0.0.0.0/0</a> <br>....<br>....<br>Chain RH-Firewall-1-INPUT (2 references)<br> pkts bytes target     prot opt in     out     source               destination         <br>
  19M 1128M ACCEPT     all  --  lo     *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            <a href="http://0.0.0.0/0">0.0.0.0/0</a>           <br> 1945  155K ACCEPT     icmp --  *      *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            <a href="http://0.0.0.0/0">0.0.0.0/0</a>           icmp type 255 <br>
    0     0 ACCEPT     esp  --  *      *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            <a href="http://0.0.0.0/0">0.0.0.0/0</a>           <br>    0     0 ACCEPT     ah   --  *      *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            <a href="http://0.0.0.0/0">0.0.0.0/0</a>           <br>
 2515  648K ACCEPT     udp  --  *      *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            224.0.0.251         udp dpt:5353 <br>    0     0 ACCEPT     udp  --  *      *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            <a href="http://0.0.0.0/0">0.0.0.0/0</a>           udp dpt:631 <br>
    0     0 ACCEPT     tcp  --  *      *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            <a href="http://0.0.0.0/0">0.0.0.0/0</a>           tcp dpt:631 <br> 117M  165G ACCEPT     all  --  *      *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            <a href="http://0.0.0.0/0">0.0.0.0/0</a>           state RELATED,ESTABLISHED <br>
   28  2888 ACCEPT     tcp  --  *      *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            <a href="http://0.0.0.0/0">0.0.0.0/0</a>           state NEW tcp dpt:22 <br>15965 8222K REJECT     all  --  *      *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            <a href="http://0.0.0.0/0">0.0.0.0/0</a>           reject-with icmp-host-prohibited <br>
<br><br>What you need to do is:<br> - Insert (-I) the rule into RH-Firewall-1-INPUT prior to the  REJECT/DROP (Say at position 10 = Around the allow port 22 traffic ) <br>  or<br>  - INPUT chain (Position 1 before &quot;136M  166G RH-Firewall-1-INPUT&quot;  ).<br>
<br>Option 1 above is the preferred way. Easiest way to do this? <br> - Edit /etc/sysconfig/iptables by hand and add the rule before the reject statement and restart iptables service (Remember to do the same for IPV6)<br>
 or use system-config-securitylevel-tui e.g &#39;system-config-securitylevel-tui -q -p 3306:tcp&#39; then edit the /etc/sysconfig/iptables<br><br>End result<br># iptables -n -L -v<br>
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)<br>
 pkts bytes target     prot opt in     out     source               destination         <br>
 136M  166G RH-Firewall-1-INPUT  all  --  *      *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            <a href="http://0.0.0.0/0">0.0.0.0/0</a> <br>
....<br>
....<br>
Chain RH-Firewall-1-INPUT (2 references)<br>
 pkts bytes target     prot opt in     out     source               destination         <br>
  19M 1128M ACCEPT     all  --  lo     *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            <a href="http://0.0.0.0/0">0.0.0.0/0</a>           <br>
 1945  155K ACCEPT     icmp --  *      *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            <a href="http://0.0.0.0/0">0.0.0.0/0</a>           icmp type 255 <br>
    0     0 ACCEPT     esp  --  *      *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            <a href="http://0.0.0.0/0">0.0.0.0/0</a>           <br>
    0     0 ACCEPT     ah   --  *      *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            <a href="http://0.0.0.0/0">0.0.0.0/0</a>           <br>
 2515  648K ACCEPT     udp  --  *      *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            224.0.0.251         udp dpt:5353 <br>
    0     0 ACCEPT     udp  --  *      *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            <a href="http://0.0.0.0/0">0.0.0.0/0</a>           udp dpt:631 <br>
    0     0 ACCEPT     tcp  --  *      *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            <a href="http://0.0.0.0/0">0.0.0.0/0</a>           tcp dpt:631 <br>
 117M  165G ACCEPT     all  --  *      *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            <a href="http://0.0.0.0/0">0.0.0.0/0</a>           state RELATED,ESTABLISHED <br>
   28  2888 ACCEPT     tcp  --  *      *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            <a href="http://0.0.0.0/0">0.0.0.0/0</a>           state NEW tcp dpt:22 <br>  0  0 ACCEPT     tcp  --  *      *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            <a href="http://0.0.0.0/0">0.0.0.0/0</a>           state NEW tcp dpt:3306 <br>

15965 8222K REJECT     all  --  *      *       <a href="http://0.0.0.0/0">0.0.0.0/0</a>            <a href="http://0.0.0.0/0">0.0.0.0/0</a>           reject-with icmp-host-prohibited <br><br>NB:<br> As an exercise, find out why you should add the rule after &quot;allow state RELATED,ESTABLISHED&quot; :)<br>
<br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>when i try to access the server even by telneting it wont work, where could i be going wrong?<br>

<br>all assistance will be highly appreciated<br><font color="#888888"><br>Nd&#39;wex<br>
</font><br>_______________________________________________<br>
Skunkworks mailing list<br>
<a href="mailto:Skunkworks@lists.my.co.ke">Skunkworks@lists.my.co.ke</a><br>
<a href="http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks" target="_blank">http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks</a><br>
------------<br>
Skunkworks Server donations spreadsheet<br>
<a href="http://spreadsheets.google.com/ccc?key=0AopdHkqSqKL-dHlQVTMxU1VBdU1BSWJxdy1fbjAwOUE&amp;hl=en" target="_blank">http://spreadsheets.google.com/ccc?key=0AopdHkqSqKL-dHlQVTMxU1VBdU1BSWJxdy1fbjAwOUE&amp;hl=en</a><br>

------------<br>
Skunkworks Rules<br>
<a href="http://my.co.ke/phpbb/viewtopic.php?f=24&amp;t=94" target="_blank">http://my.co.ke/phpbb/viewtopic.php?f=24&amp;t=94</a><br>
------------<br>
Other services @ <a href="http://my.co.ke" target="_blank">http://my.co.ke</a><br>
Other lists<br>
-------------<br>
Announce: <a href="http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce" target="_blank">http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce</a><br>
Science:  <a href="http://lists.my.co.ke/cgi-bin/mailman/listinfo/science" target="_blank">http://lists.my.co.ke/cgi-bin/mailman/listinfo/science</a><br>
kazi:     <a href="http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general" target="_blank">http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general</a><br></blockquote></div><br>