
I am trying to set up my server (CentOS 6.9) to accept remote MySQL connections and am stuck on the firewall configuration.
I have everything set correctly on the MySQL side. I can connect via telnet when I stop iptables, but not when it is active.
I have already tried:
-A INPUT -i lo -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
But I still get the message "Connection refused" while iptables is active. What am I doing wrong?
EDIT: Output of iptables -L -x -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
11 1122 acctboth all -- * * 0.0.0.0/0 0.0.0.0/0
5 372 tcpchk tcp -- !lo * 0.0.0.0/0 0.0.0.0/0
6 750 udpchk udp -- !lo * 0.0.0.0/0 0.0.0.0/0
0 0 icmpchk icmp -- !lo * 0.0.0.0/0 0.0.0.0/0
11 1122 ipdrop_global all -- * * 0.0.0.0/0 0.0.0.0/0
11 1122 input_custom all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22022
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: up to 2/sec burst 10 mode srcip
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 5/min burst 5 LOG flags 0 level 3 prefix `ICMP_DROP '
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 1
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 30
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
0 0 ACCEPT tcp -- * * 103.21.244.0/22 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 103.22.200.0/22 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 103.31.4.0/22 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 104.16.0.0/12 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 108.162.192.0/18 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 131.0.72.0/22 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 141.101.64.0/18 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 162.158.0.0/15 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 172.64.0.0/13 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 173.245.48.0/20 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 188.114.96.0/20 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 190.93.240.0/20 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 197.234.240.0/22 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 198.41.128.0/17 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 216.172.173.146 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 198.1.121.202 0.0.0.0/0 multiport dports 22,80
0 0 ACCEPT icmp -- * * 198.1.121.202 0.0.0.0/0 icmp type 8
0 0 ACCEPT tcp -- * * 184.173.226.84 0.0.0.0/0 multiport dports 22,80
0 0 ACCEPT icmp -- * * 184.173.226.84 0.0.0.0/0 icmp type 8
0 0 ACCEPT tcp -- * * 184.172.224.50 0.0.0.0/0 multiport dports 22,80
0 0 ACCEPT icmp -- * * 184.172.224.50 0.0.0.0/0 icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:26
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2082
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2083
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2084
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2086
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2087
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2089
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2095
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2096
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
0 0 ACCEPT udp -- * * 8.8.4.4 0.0.0.0/0 udp spt:53
0 0 ACCEPT tcp -- * * 8.8.4.4 0.0.0.0/0 tcp spt:53
6 750 ACCEPT udp -- * * 8.8.8.8 0.0.0.0/0 udp spt:53
0 0 ACCEPT tcp -- * * 8.8.8.8 0.0.0.0/0 tcp spt:53
5 372 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22022
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:22022
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix `LOG_INPUT: '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- lo * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- eth0 * 216.172.173.146 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * 216.172.173.146 0.0.0.0/0 tcp dpt:3306
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 tcpchk tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 udpchk udp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 icmpchk icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
10 866 cpanel-dovecot-solr all -- * * 0.0.0.0/0 0.0.0.0/0
10 866 acctboth all -- * * 0.0.0.0/0 0.0.0.0/0
4 432 tcpchk tcp -- * !lo 0.0.0.0/0 0.0.0.0/0
6 434 udpchk udp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 icmpchk icmp -- * * 0.0.0.0/0 0.0.0.0/0
10 866 output_custom all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 198.1.121.202 icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 184.173.226.84 icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 184.172.224.50 icmp type 0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1129
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1129
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:30000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30000
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:43
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:43
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:873
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 74.52.223.18 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 74.52.223.66 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 64.5.52.7 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 64.5.52.8 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 64.5.52.9 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 64.5.52.12 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 64.5.52.13 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 64.5.52.14 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 67.18.137.84 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 67.18.137.85 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 67.18.137.86 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 67.18.137.87 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 67.18.137.88 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 74.52.222.226 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 74.52.222.242 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 74.52.223.2 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 owner UID match 47
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 ! owner UID match 0 multiport dports 25,465,587 limit: avg 1/sec burst 5 LOG flags 0 level 5 prefix `OUTBOUND-SMTP : '
6 434 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ! owner UID match 99
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 ! owner UID match 99
0 0 ACCEPT udp -- * * 0.0.0.0/0 8.8.4.4 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 8.8.4.4 tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 8.8.8.8 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 8.8.8.8 tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 owner UID match 99 limit: avg 20/sec burst 5
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 owner UID match 99 limit: avg 20/sec burst 5
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2086
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2087
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2089
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:37
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2703
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
4 432 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22022
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:26
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:143
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:465
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:587
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:2082
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:2083
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:2084
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:2086
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:2087
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:2089
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:2222
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:2095
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:2096
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:995
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix `LOG_OUTPUT: '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:3306
Chain acctboth (2 references)
pkts bytes target prot opt in out source destination
Chain cpanel-dovecot-solr (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 8984,7984 owner UID match 490
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 8984,7984 owner UID match 0
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 8984,7984 reject-with icmp-port-unreachable
Chain icmpchk (3 references)
pkts bytes target prot opt in out source destination
Chain input_custom (1 references)
pkts bytes target prot opt in out source destination
Chain ipdrop_global (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 43.255.190.0/23 0.0.0.0/0
Chain output_custom (1 references)
pkts bytes target prot opt in out source destination
Chain ssh (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 67.18.2.226 0.0.0.0/0
0 0 ACCEPT all -- * * 50.23.47.206 0.0.0.0/0
0 0 ACCEPT all -- * * 70.87.80.194 0.0.0.0/0
0 0 ACCEPT all -- * * 216.106.185.169 0.0.0.0/0
0 0 ACCEPT all -- * * 12.96.160.0/24 0.0.0.0/0
0 0 ACCEPT all -- * * 216.19.0.0/24 0.0.0.0/0
0 0 tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW recent: SET name: DEFAULT side: source
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW recent: CHECK seconds: 60 hit_count: 10 name: DEFAULT side: source limit: avg 10/min burst 5 LOG flags 0 level 5 prefix `SSH-ATTACK : '
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW recent: UPDATE seconds: 60 hit_count: 10 name: DEFAULT side: source reject-with tcp-reset
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain tcpchk (3 references)
pkts bytes target prot opt in out source destination
Chain udpchk (3 references)
pkts bytes target prot opt in out source destination
Answer 1
Do you see the line "-A INPUT -j DROP"? It drops all traffic in the INPUT chain before it reaches your MySQL rules, since rules are read from top to bottom. The "-A" means "append", so all subsequent rules are placed after the rule that drops everything, and they therefore never match any traffic.
You also have a similar problem with your OUTPUT chain. Your options are a) to use -P DROP on the chain, which drops by default as the last action when nothing else matches (and to remove the current rule), or b) to move that rule to the end so it is appended after all the others. You can also use -I to insert (which puts the rule at the top) instead of -A, but in my opinion that gets a bit confusing when combined with -A.
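The ordering problem the answer describes can be checked and fixed mechanically. The following POSIX shell script is an added example for this thread, not code from the question or the answer: it reads the text of `iptables -L <chain> -n --line-numbers`, locates the first catch-all DROP (target DROP, protocol all, any source, any destination, no further match), lists the rules that sit after it and can therefore never match, and prints the `iptables -I <chain> <num> ...` command that inserts the MySQL ACCEPT directly before that DROP. The chain listing embedded below is a constructed sample with the same shape as the question's INPUT chain; the client network 203.0.113.0/24 is a placeholder, to be replaced with the address the remote MySQL client actually connects from rather than 0.0.0.0/0.

```shell
#!/bin/sh
# Added example for this thread; not code from the question or the answer.
# Works on the text of `iptables -L <chain> -n --line-numbers`, whose columns are:
#   num target prot opt source destination [match options...]
# A rule with target DROP, prot all, any source, any destination and no extra
# match is a catch-all drop: every rule appended after it in the same chain is
# dead, which is exactly the situation the answer describes.

# Constructed sample listing (a short INPUT chain laid out like the question's):
# the catch-all DROP sits at position 2, the MySQL rule was appended after it.
SAMPLE='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306'

# Print the rule number of the first catch-all DROP in the listing (empty if none).
find_catchall_drop() {
    printf '%s\n' "$1" | awk '
        NF == 6 && $2 == "DROP" && $3 == "all" &&
        $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" { print $1; exit }'
}

# Print the numbers of the rules that sit after the catch-all DROP, one per line;
# these rules can never match because the DROP terminates evaluation first.
list_shadowed_rules() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && found { print $1 }
        NF == 6 && $2 == "DROP" && $3 == "all" &&
        $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" { found = 1 }'
}

# Build the iptables command that allows new MySQL connections from the client
# network $3 *before* the catch-all DROP.  "-I <chain> <num>" places the new
# rule at <num> and pushes the DROP down one slot; if the chain has no
# catch-all DROP, plain "-A" is safe.
mysql_insert_cmd() {
    chain=$1; listing=$2; client=$3
    pos=$(find_catchall_drop "$listing")
    if [ -z "$pos" ]; then
        printf 'iptables -A %s -s %s -p tcp --dport 3306 -m state --state NEW -j ACCEPT\n' "$chain" "$client"
    else
        printf 'iptables -I %s %s -s %s -p tcp --dport 3306 -m state --state NEW -j ACCEPT\n' "$chain" "$pos" "$client"
    fi
}

# Stand-alone usage on the constructed sample.  On a live host you would pass
# "$(iptables -L INPUT -n --line-numbers)" instead of "$SAMPLE"; 203.0.113.0/24
# is a placeholder (TEST-NET-3) for the real client network.
echo "catch-all DROP at rule: $(find_catchall_drop "$SAMPLE")"
echo "rules that can never match: $(list_shadowed_rules "$SAMPLE" | tr '\n' ' ')"
mysql_insert_cmd INPUT "$SAMPLE" 203.0.113.0/24
```

Run against the sample it reports the DROP at rule 2, flags rule 3 (the MySQL ACCEPT) as unreachable, and prints `iptables -I INPUT 2 -s 203.0.113.0/24 -p tcp --dport 3306 -m state --state NEW -j ACCEPT`. Restricting the source to the client network and matching only `--state NEW` keeps the opened port from being reachable from the whole Internet; the existing `RELATED,ESTABLISHED` rule takes care of the rest of each connection. After inserting, re-run the listing to confirm the ACCEPT now sits above the DROP, and save the ruleset (on CentOS 6, `service iptables save`) so the order survives a restart.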