HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Remote MySQL gone sideways (http://www.howtoforge.com/forums/showthread.php?t=54208)

john boy 21st September 2011 06:18

Remote MySQL gone sideways
 
Hi all
I need to set up remote access via port 3306.
I followed this help file:
/etc/Bastille/bastille-firewall.cfg
Add port 3306 to the line below so it reads
TCP_PUBLIC_SERVICES="21 22 25 53 80 81 110 143 443 3306 10000"

Restart firewall -
/etc/init.d/bastille-firewall restart
then
/etc/mysql/my.cnf
bind-address = *.*.*.*
/etc/init.d/mysql restart

No sites, admin console or PuTTY via WAN.
No admin console, but have sites and PuTTY via LAN.

This didn't work because I was using Fail2ban, hmmm...
So I just changed it back.
Still not working via LAN.

Please help, any direction is good.

John Boy

till 21st September 2011 10:44

The bind-address = *.*.*.* is wrong. To configure MySQL to listen on all interfaces you have to comment out the bind-address line.

Regarding the Bastille firewall, never edit the config files manually; always use the ISPConfig interface.

john boy 21st September 2011 11:31

Thanks Till for the reply

But as I said, "So I just changed it back".
So I remarked out the bind-address = *.*.*.*
and restarted the service.
The result is that PuTTY, the website and the admin console are accessible via LAN only.
Still no access via the WAN address.

Mark_NL 21st September 2011 12:09

- Add 3306 to the firewall config VIA ISPConfig web admin.
- comment "bind-address" in my.cnf
- restart mysql
- show us the output of:
Code:

netstat -tapn | grep 3306
iptables-save


john boy 22nd September 2011 03:09

Thanks Mark for that pointer

netstat -tapn | grep 3306
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 3023/mysqld

Still no access to sites, console or PuTTY to the server via WAN,
but I have full LAN access.

john boy 22nd September 2011 04:29

Adding this as well:

netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost:10025 *:* LISTEN 1268/master
tcp 0 0 *:mysql *:* LISTEN 6044/mysqld
tcp 0 0 *:www *:* LISTEN 1369/apache2
tcp 0 0 *:81 *:* LISTEN 1369/apache2
tcp 0 0 *:tproxy *:* LISTEN 1369/apache2
tcp 0 0 *:ftp *:* LISTEN 1281/pure-ftpd (SER
tcp 0 0 econ2.accc.net.a:domain *:* LISTEN 915/named
tcp 0 0 localhost:domain *:* LISTEN 915/named
tcp 0 0 *:ssh *:* LISTEN 792/sshd
tcp 0 0 *:smtp *:* LISTEN 1268/master
tcp 0 0 localhost:953 *:* LISTEN 915/named
tcp 0 0 *:https *:* LISTEN 1369/apache2
tcp 0 0 econ2.accc.net.au:ssh ns3.accc.net.au:2874 ESTABLISHED 2569/sshd: root@not
tcp 0 0 econ2.accc.net.au:ssh ns3.accc.net.au:3210 ESTABLISHED 2933/sshd: root@not
tcp 0 52 econ2.accc.net.au:ssh ns3.accc.net.au:3725 ESTABLISHED 5874/0
tcp6 0 0 [::]:imaps [::]:* LISTEN 1144/couriertcpd
tcp6 0 0 [::]:pop3s [::]:* LISTEN 1178/couriertcpd
tcp6 0 0 [::]:pop3 [::]:* LISTEN 1158/couriertcpd
tcp6 0 0 [::]:imap2 [::]:* LISTEN 1124/couriertcpd
tcp6 0 0 [::]:ftp [::]:* LISTEN 1281/pure-ftpd (SER
tcp6 0 0 [::]:domain [::]:* LISTEN 915/named
tcp6 0 0 [::]:ssh [::]:* LISTEN 792/sshd
tcp6 0 0 localhost:953 [::]:* LISTEN 915/named

john boy 22nd September 2011 04:55

# iptables-save
# Generated by iptables-save v1.4.4 on Thu Sep 22 11:45:20 2011
*mangle
:PREROUTING ACCEPT [11429:913259]
:INPUT ACCEPT [4593:539925]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3563:2232985]
:POSTROUTING ACCEPT [3551:2229025]
COMMIT
# Completed on Thu Sep 22 11:45:20 2011
# Generated by iptables-save v1.4.4 on Thu Sep 22 11:45:20 2011
*nat
:PREROUTING ACCEPT [7118:414299]
:OUTPUT ACCEPT [188:11459]
:POSTROUTING ACCEPT [188:11459]
COMMIT
# Completed on Thu Sep 22 11:45:20 2011
# Generated by iptables-save v1.4.4 on Thu Sep 22 11:45:20 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [439:37815]
:INT_IN - [0:0]
:INT_OUT - [0:0]
:PAROLE - [0:0]
:PUB_IN - [0:0]
:PUB_OUT - [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -d 127.0.0.0/8 ! -i lo -p tcp -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -i eth+ -j PUB_IN
-A INPUT -i ppp+ -j PUB_IN
-A INPUT -i slip+ -j PUB_IN
-A INPUT -i venet+ -j PUB_IN
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o eth+ -j PUB_OUT
-A OUTPUT -o ppp+ -j PUB_OUT
-A OUTPUT -o slip+ -j PUB_OUT
-A OUTPUT -o venet+ -j PUB_OUT
-A INT_IN -p icmp -j ACCEPT
-A INT_IN -j DROP
-A INT_OUT -p icmp -j ACCEPT
-A INT_OUT -j ACCEPT
-A PAROLE -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 20 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 21 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 25 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 53 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 80 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 81 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 110 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 143 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 443 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 3306 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 8080 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 8081 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 10000 -j PAROLE
-A PUB_IN -p udp -m udp --dport 53 -j ACCEPT
-A PUB_IN -p udp -m udp --dport 80 -j ACCEPT
-A PUB_IN -p udp -m udp --dport 3306 -j ACCEPT
-A PUB_IN -p icmp -j DROP
-A PUB_IN -j DROP
-A PUB_OUT -j ACCEPT
-A fail2ban-ssh -j RETURN
COMMIT

Mark_NL 22nd September 2011 10:10

Ok, so we know MySQL is running on all interfaces and there are rules in the firewall that should allow connections from the outside.

- Is there a router between your server and the WAN which possibly needs some port forwarding?
- Clear your iptables and try to connect (so we can exclude the firewall if the problem still occurs).

john boy 22nd September 2011 10:57

There is a router with forwarding on the ports, all working.

Clearing iptables is done by
# iptables --flush
Done, and still no luck.

Mark_NL 22nd September 2011 11:40

Your INPUT policy is defaulted to DROP,

so you might want to be sure and set it to ACCEPT :)

You want this to be sure everything is cleared:
Code:

Chain INPUT (policy ACCEPT)
target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

Then try to connect from the WAN (remember that when you try to connect to the external IP from within your own local network some routers don't know how to handle this, so try from a completely different machine outside of your network).
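
As an added example that is not part of the thread, this POSIX shell check reads the two outputs Mark_NL asked for (`netstat -tapn` and `iptables-save`) and gives one verdict, including the case just described where `iptables --flush` removes the rules but leaves the INPUT policy at DROP. The sample dumps are constructed from values posted above; following only one level of user chain and requiring rules to end in "-j TARGET" are my simplifying assumptions.

```shell
# Added example (not from the thread): turn `netstat -tapn` and `iptables-save`
# output into one verdict. Assumes rules end in "-j TARGET" and follows one
# level of user chain (INPUT -> PUB_IN -> PAROLE). Samples are constructed.
NETSTAT_SAMPLE='tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 3023/mysqld'
IPTABLES_SAMPLE='*filter
:INPUT DROP [0:0]
:PUB_IN - [0:0]
:PAROLE - [0:0]
-A INPUT -i eth+ -j PUB_IN
-A PUB_IN -p tcp -m tcp --dport 3306 -j PAROLE
-A PUB_IN -p udp -m udp --dport 3306 -j ACCEPT
-A PAROLE -j ACCEPT
COMMIT'
# What "iptables --flush" leaves behind: no rules, but the INPUT policy is still DROP.
FLUSHED_SAMPLE='*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
# Address mysqld listens on (0.0.0.0 = all interfaces, 127.0.0.1 = local only) or "none".
mysql_bind_addr() {
    printf '%s\n' "$1" | awk '
        $6 == "LISTEN" && $7 ~ /mysqld$/ { sub(/:[0-9]+$/, "", $4); print $4; found = 1; exit }
        END { if (!found) print "none" }'
}
# "open" if a TCP rule for dport 3306 ends in ACCEPT, directly or via its user chain.
# With no matching rule the INPUT policy decides, so a flushed DROP policy stays "blocked".
fw_3306_state() {
    printf '%s\n' "$1" | awk '
        $1 == ":INPUT" { policy = $2 }
        /^-A / { chain[$2] = chain[$2] " " $NF }
        /^-A / && /-p tcp/ && / --dport 3306 / { target = $NF }
        END {
            if (target == "") { verdict = (policy == "ACCEPT") ? "open" : "blocked" }
            else if (target == "ACCEPT" || index(chain[target], " ACCEPT")) { verdict = "open" }
            else { verdict = "blocked" }
            print verdict
        }'
}
# Combine both checks into the sentence a troubleshooter wants to read.
mysql_exposure() {
    bind=$(mysql_bind_addr "$1"); fw=$(fw_3306_state "$2")
    case "$bind:$fw" in
        none:*)      echo "mysqld is not listening" ;;
        127.0.0.1:*) echo "mysqld listens on localhost only" ;;
        *:open)      echo "mysqld on $bind and the filter table admits tcp/3306" ;;
        *)           echo "mysqld on $bind but the filter table blocks tcp/3306" ;;
    esac
}
mysql_exposure "$NETSTAT_SAMPLE" "$IPTABLES_SAMPLE"
```

On a live box, replace the samples with `"$(netstat -tapn)"` and `"$(iptables-save)"`; a "blocks tcp/3306" verdict after a flush is the DROP-policy situation described above, while "admits tcp/3306" with no WAN access points past the host to the router.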

