MySQL on the LAN does not work when iptables is enabled

1

I have two CentOS VMs.

The IP addresses are as follows:

  • VM_1 => 10.99.0.10
  • VM_2 => 10.99.0.12

Apache and PHP are on VM_1 and MySQL is on VM_2. Both have iptables rules. VM_2 is working fine with its rules. Now I am testing from VM_1.

First, I disabled iptables on VM_1 and connected to MySQL on VM_2 (connected successfully).

[root@foster ~]# service iptables stop
iptables: Applying firewall rules:                         [  OK  ]
[root@foster ~]# mysql -h 10.99.0.12 -u root -p
Enter password:

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 5.6.21 MySQL Community Server (GPL)
...

Second, I enabled iptables on VM_1 and connected to MySQL on VM_2 (it never responds, even after hours and hours).

[root@foster ~]# service iptables start
iptables: Applying firewall rules:                         [  OK  ]
[root@foster ~]# mysql -h 10.99.0.12 -u root -p
Enter password:

What is wrong with the iptables rules? Here are my iptables rules:

[root@foster ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state NEW,ESTABLISHED
ACCEPT     tcp  --  10.99.0.12           anywhere            tcp dpt:mysql state NEW,ESTABLISHED
ACCEPT     tcp  --  localhost            anywhere            tcp dpt:mysql state NEW,ESTABLISHED
LOGGING    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql state ESTABLISHED

Chain LOGGING (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 2/min burst 5 LOG level debug prefix 'IPTables Dropped -:- '
DROP       all  --  anywhere             anywhere
    
by Foster Software 23.10.2014 / 16:58

1 answer

1

The problem is that you do not allow new connections to be established to MySQL, and you have the sport and dport reversed:

Chain INPUT (policy DROP)
...
ACCEPT     tcp  --  10.99.0.12 anywhere  tcp dpt:mysql state   NEW,ESTABLISHED
ACCEPT     tcp  --  localhost  anywhere  tcp dpt:mysql state   NEW,ESTABLISHED
...

Chain OUTPUT (policy DROP)
...
ACCEPT     tcp  --  anywhere   anywhere  tcp spt:mysql state   ESTABLISHED
ACCEPT     tcp  --  anywhere   anywhere  tcp spt:mysql state   ESTABLISHED
...

The right iptables -L output should be:

Chain INPUT (policy DROP)
...
ACCEPT     tcp  --  10.99.0.12 anywhere  tcp spt:mysql state   ESTABLISHED
ACCEPT     tcp  --  localhost  anywhere  tcp spt:mysql state   ESTABLISHED
...

Chain OUTPUT (policy DROP)
...
ACCEPT     tcp  --  anywhere   anywhere  tcp dpt:mysql state   NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere   anywhere  tcp dpt:mysql state   NEW,ESTABLISHED
...
    
by 23.10.2014 / 17:21
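
Added example, not part of the original answer: a small shell audit of the rule pair the answer describes for a host acting as a MySQL client. The function name `check_client_rules` and both sample listings are constructed for illustration; the input is `iptables -L` text in the format shown in this thread.

```shell
# Added example (not from the original thread). Audits `iptables -L` text for
# the CLIENT side of a TCP service: OUTPUT must accept dpt:<svc> with NEW,
# INPUT must accept spt:<svc> with ESTABLISHED.

# check_client_rules SERVICE: reads a listing on stdin, prints a diagnosis,
# returns 0 only when both directions are accepted.
check_client_rules() {
    awk -v svc="$1" '
        # A rule with no state match accepts every state, NEW included.
        function allows(st) { return $0 !~ /state/ || $0 ~ st }
        $1 == "Chain" { chain = $2; next }
        $1 != "ACCEPT" || $2 != "tcp" { next }
        chain == "OUTPUT" && index($0 " ", "dpt:" svc " ") && allows("NEW") { out = 1 }
        chain == "INPUT" && index($0 " ", "spt:" svc " ") && allows("ESTABLISHED") { inp = 1 }
        END {
            if (out && inp) { print "ok: client traffic to " svc " is accepted"; exit 0 }
            if (!out) print "OUTPUT: no ACCEPT for tcp dpt:" svc " state NEW"
            if (!inp) print "INPUT: no ACCEPT for tcp spt:" svc " state ESTABLISHED"
            exit 1
        }'
}

# Constructed sample: the mysql rules as listed in the question (VM_1).
broken_listing() { cat <<'EOF'
Chain INPUT (policy DROP)
ACCEPT     tcp  --  10.99.0.12  anywhere  tcp dpt:mysql state NEW,ESTABLISHED
Chain OUTPUT (policy DROP)
ACCEPT     tcp  --  anywhere    anywhere  tcp spt:mysql state ESTABLISHED
EOF
}

# Constructed sample: the same rules with sport/dport as the answer gives them.
fixed_listing() { cat <<'EOF'
Chain INPUT (policy DROP)
ACCEPT     tcp  --  10.99.0.12  anywhere  tcp spt:mysql state ESTABLISHED
Chain OUTPUT (policy DROP)
ACCEPT     tcp  --  anywhere    anywhere  tcp dpt:mysql state NEW,ESTABLISHED
EOF
}

for listing in broken_listing fixed_listing; do
    echo "== $listing"
    "$listing" | check_client_rules mysql || true
done
```

Plain `iptables -L` hides interface matches, so a rule shown as `ACCEPT all -- anywhere anywhere` may be limited to `lo`; `iptables -L -v -n` shows the interface column. With `-n` the port is printed numerically, so pass `3306` instead of `mysql` as the service.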