
Hi,

I have a MySQL database hosted on a Linux server [CentOS 5.4] and I would like to access the database from another machine on the network. I have made the following configuration to iptables:

iptables -A INPUT -p tcp -s 202.54.1.50 --sport 1024:65535 -d 202.54.1.20 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 3306 -d 202.54.1.50 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

The IP addresses here are not real.

When I try to access the server, even by telnetting, it won't work. Where could I be going wrong?

All assistance will be highly appreciated.

Nd'wex

What if you do away with the --sport on both rules, if you must not have them? Do you need the second rule? If not, delete it.

-----Original Message-----
From: Nd'wex Common <flexycat@gmail.com>
Reply-to: Skunkworks Forum <skunkworks@lists.my.co.ke>
To: Skunkworks forum <skunkworks@lists.my.co.ke>
Subject: Re: [Skunkworks] iptables & mysql
Date: Thu, 4 Feb 2010 15:24:35 +0300

On Thu, Feb 4, 2010 at 3:24 PM, Nd'wex Common <flexycat@gmail.com> wrote:
> Hi,
> I have a MySQL database hosted on a Linux server [CentOS 5.4] and I would like to access the database from another machine on the network. I have made the following configuration to iptables:

Hi,

Is your MySQL listening on the network interfaces? Maybe it's bound to the loopback interface only. Do a netstat -an | grep 3306 and see if this is the case.

> iptables -A INPUT -p tcp -s 202.54.1.50 --sport 1024:65535 -d 202.54.1.20 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 3306 -d 202.54.1.50 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Have you tried testing after flushing all rules? That's the sure-fire way to know if it's your firewall config that's broken.

BR, S
-- Sent from my socks®

Possibly you should run the reverse of the iptables on client and server:

SERVER:
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 3306 -d 202.54.1.50 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 202.54.1.50 --sport 1024:65535 -d 202.54.1.20 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT

CLIENT:
iptables -A INPUT -p tcp -s 202.54.1.20 --sport 3306 -d 202.54.1.50 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.50 --sport 1024:65535 -d 202.54.1.20 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT

....depending on which is server/client... Can both access each other with iptables -FLUSH ?

./bernard

On Thu, Feb 4, 2010 at 3:24 PM, Nd'wex Common <flexycat@gmail.com> wrote:
> Hi,
> I have a MySQL database hosted on a Linux server [CentOS 5.4] and I would like to access the database from another machine on the network. I have made the following configuration to iptables:
> iptables -A INPUT -p tcp -s 202.54.1.50 --sport 1024:65535 -d 202.54.1.20 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 3306 -d 202.54.1.50 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> The IP addresses here are not real.
> When I try to access the server, even by telnetting, it won't work. Where could I be going wrong?
> All assistance will be highly appreciated.
> Nd'wex
_______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Server donations spreadsheet
http://spreadsheets.google.com/ccc?key=0AopdHkqSqKL-dHlQVTMxU1VBdU1BSWJxdy1f... ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke Other lists ------------- Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general

I've typed in the following command: service iptables stop

After which, access from the remote machine worked quite well.

netstat indicates that port 3306 is bound to both loopback as well as the machine's actual IP address.

On Thu, Feb 4, 2010 at 3:40 PM, Bernard Mwagiru <bmwagiru@gmail.com> wrote:
> Possibly you should run the reverse of the iptables on client and server:
> SERVER:
> iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 3306 -d 202.54.1.50 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp -s 202.54.1.50 --sport 1024:65535 -d 202.54.1.20 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
> CLIENT:
> iptables -A INPUT -p tcp -s 202.54.1.20 --sport 3306 -d 202.54.1.50 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s 202.54.1.50 --sport 1024:65535 -d 202.54.1.20 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
> ....depending on which is server/client... Can both access each other with iptables -FLUSH ?
> ./bernard

On Thu, Feb 4, 2010 at 3:58 PM, Nd'wex Common <flexycat@gmail.com> wrote:
> I've typed in the following command: service iptables stop
> After which, access from the remote machine worked quite well.
> netstat indicates that port 3306 is bound to both loopback as well as the machine's actual IP address.

Good, then; iptables -A INPUT -s <remote_ip> -p tcp --dport 3306 -j ACCEPT should do.

BR, S
-- Sent from my socks®

Hello guys,

Service iptables stop killed the iptables service but did not solve your problem.

Assuming you have a Linux router with two NIC cards, one connected to the LAN and the other one to the internet: we need to understand how iptables works in order to use it efficiently to route/manage our traffic.

We always want to start with defining the policies in iptables. The policies are the default rules that are applied in case your traffic does NOT match any filters you have set. So if you want to allow only certain things in or out of your network and there is a default Deny all at the end, just like junos/juniper/cisco etc., any traffic that is not allowed by any of your filters will be denied. This is called rules matching.

The 3 policies that need to be set are INPUT, FORWARD and OUTPUT. This is the most important part! The policies define the default action for the DEFAULT CHAINS:
- INPUT - traffic COMING TO the machine directly
- OUTPUT - traffic GOING FROM the machine directly
- FORWARD - traffic COMING FROM or GOING TO a networked machine on the other side of the firewall

The 2 actions you can set in these policies are ACCEPT and DROP.

With that in mind, you will never be afraid of iptables.

all the best
Francis

On Thu, Feb 4, 2010 at 4:16 PM, Steve Muchai <smuchai@gmail.com> wrote:
> On Thu, Feb 4, 2010 at 3:58 PM, Nd'wex Common <flexycat@gmail.com> wrote:
> > I've typed in the following command: service iptables stop
> > After which, access from the remote machine worked quite well.
> > netstat indicates that port 3306 is bound to both loopback as well as the machine's actual IP address.
>
> Good, then; iptables -A INPUT -s <remote_ip> -p tcp --dport 3306 -j ACCEPT
> should do.
>
> BR, S
> -- Sent from my socks®

On Thu, Feb 4, 2010 at 4:57 PM, francis kamau <kfransys@gmail.com> wrote:
[.....]
> The 2 actions you can set in these policies are ACCEPT and DROP.

You really don't want to set your default policy to ACCEPT. It should be DROP, and then write rules to create exemptions.

BR, S
-- Sent from my socks®

You are appending a rule

On Fri, Feb 5, 2010 at 10:07 AM, Steve Muchai <smuchai@gmail.com> wrote:
> On Thu, Feb 4, 2010 at 4:57 PM, francis kamau <kfransys@gmail.com> wrote:
> [.....]
> > The 2 actions you can set in these policies are ACCEPT and DROP.
>
> You really don't want to set your default policy to ACCEPT. Should be DROP, and then write rules to create exemptions.
>
> BR, S
> -- Sent from my socks®

On Fri, Feb 5, 2010 at 11:20 AM, Lmwangi <lmwangi@gmail.com> wrote:
> You are appending a rule
>
> On Fri, Feb 5, 2010 at 10:07 AM, Steve Muchai <smuchai@gmail.com> wrote:
> > On Thu, Feb 4, 2010 at 4:57 PM, francis kamau <kfransys@gmail.com> wrote:
> > [.....]
> > > The 2 actions you can set in these policies are ACCEPT and DROP.
> >
> > You really don't want to set your default policy to ACCEPT. Should be DROP, and then write rules to create exemptions.
> >
> > BR, S
> > -- Sent from my socks®

This is pretty confusing; I have to understand the setup to help solve this. What's more, you offered suggestions, so guys are thinking along your line, which is losing me more. If the problem is not solved, be on xchat and state the problem clearly. Just my line of thinking, and btw it's proprietary. :)

Rgrds
-- Conservatism is the adherence to the old tried against the new untried.

Hi,

On Thu, Feb 4, 2010 at 4:24 PM, Nd'wex Common <flexycat@gmail.com> wrote:
> Hi,
> I have a MySQL database hosted on a Linux server [CentOS 5.4] and I would like to access the database from another machine on the network. I have made the following configuration to iptables:
> iptables -A INPUT -p tcp -s 202.54.1.50 --sport 1024:65535 -d 202.54.1.20 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 3306 -d 202.54.1.50 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> The IP addresses here are not real.

A is for append. So you are appending the rule to the end of the INPUT chain. That won't work with RH-based systems, since you probably have a chain RH-Firewall-1-INPUT that has an explicit drop/reject (see below). In AA:

incoming-pkt -----------> INPUT_CHAIN -> RH-Firewall-1-INPUT -----> Any other rule/Chain

In iptables -n -L -v:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 136M  166G RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
....
....
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
  19M 1128M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1945  155K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
 2515  648K ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631
 117M  165G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   28  2888 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
15965 8222K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

What you need to do is:
- Insert (-I) the rule into RH-Firewall-1-INPUT prior to the REJECT/DROP (say at position 10, around the allow-port-22 traffic), or
- INPUT chain (position 1, before "136M 166G RH-Firewall-1-INPUT").
Option 1 above is the preferred way.

Easiest way to do this?
- Edit /etc/sysconfig/iptables by hand, add the rule before the reject statement and restart the iptables service (remember to do the same for IPv6), or
- use system-config-securitylevel-tui, e.g. 'system-config-securitylevel-tui -q -p 3306:tcp', then edit the /etc/sysconfig/iptables.

End result:

# iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 136M  166G RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
....
....
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
  19M 1128M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1945  155K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
 2515  648K ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631
 117M  165G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   28  2888 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306
15965 8222K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

NB: As an exercise, find out why you should add the rule after "allow state RELATED,ESTABLISHED" :)

> When I try to access the server, even by telnetting, it won't work. Where could I be going wrong?
> All assistance will be highly appreciated.
> Nd'wex
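As an added example (not from the thread or any of its posters), a POSIX sh script that performs the edit the reply above recommends on an /etc/sysconfig/iptables-style file and checks, under iptables' first-match evaluation, why a rule appended to INPUT behind the jump to RH-Firewall-1-INPUT is never reached. The ruleset inside it is a constructed sample modelled on the CentOS 5 default, and the two function names are mine; the chain name, port and 202.54.1.50 come from the thread.

```shell
# Added example (not from the thread): place the MySQL ACCEPT in an
# /etc/sysconfig/iptables-style file *before* the catch-all REJECT of
# RH-Firewall-1-INPUT, and check reachability under first-match evaluation.
# Chain name and IPs follow the thread; the ruleset is a constructed sample
# modelled on the CentOS 5 default.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# add_rule_before_reject CHAIN SRC DPORT   (ruleset on stdin, result on stdout)
# Emits "ACCEPT NEW tcp/DPORT from SRC" right before CHAIN's unconditional
# REJECT/DROP, i.e. after the RELATED,ESTABLISHED and ssh rules. Exits 2 when
# CHAIN has no such line instead of guessing a position.
add_rule_before_reject() {
    awk -v chain="$1" -v src="$2" -v dport="$3" '
        !done && $1 == "-A" && $2 == chain && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") {
            printf "-A %s -s %s -m state --state NEW -m tcp -p tcp --dport %s -j ACCEPT\n", chain, src, dport
            done = 1
        }
        { print }
        END { if (!done) exit 2 }'
}

# rule_is_reachable CHAIN DPORT   (ruleset on stdin; exit 0 = reachable)
# Walks CHAIN in file order: success if an "--dport DPORT ... -j ACCEPT" rule is
# met before an unconditional REJECT/DROP, or before an unconditional jump to a
# chain that ends every packet with REJECT/DROP (RETURN is not modelled).
rule_is_reachable() {
    awk -v chain="$1" -v dport="$2" '
        $1 == "-A" { line[++n] = $0 }
        # "-A CHAIN -j TARGET ..." has no match options, so TARGET sees every packet
        $1 == "-A" && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { wall[$2] = 1 }
        END {
            for (i = 1; i <= n; i++) {
                split(line[i], f, " ")
                if (f[2] != chain) continue
                if (line[i] ~ ("--dport " dport " ") && line[i] ~ / -j ACCEPT/) exit 0
                if (f[3] == "-j" && (f[4] == "REJECT" || f[4] == "DROP" || wall[f[4]])) exit 1
            }
            exit 1
        }'
}

# Demo: the corrected ruleset the reply above describes.
printf '%s\n' "$SAMPLE_RULES" | add_rule_before_reject RH-Firewall-1-INPUT 202.54.1.50 3306
```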
participants (7)
- Alex Nderitu
- Bernard Mwagiru
- francis kamau
- George Njoroge
- Lmwangi
- Nd'wex Common
- Steve Muchai