Estou tentando configurar meu servidor (CentOS 6.9) para aceitar conexões MySQL remotas e estou preso na configuração do firewall.
Eu tenho tudo definido no lado do MySQL; Eu posso conectar através do telnet se eu parar o iptables, mas não quando estiver ativo.
Eu já tentei:
-A INPUT -i lo -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
Mas ainda recebo "conexão recusada" com o iptables ativo. O que estou fazendo errado?
EDIT: saída de iptables -L - line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
2 acctboth all -- anywhere anywhere
3 tcpchk tcp -- anywhere anywhere
4 udpchk udp -- anywhere anywhere
5 icmpchk icmp -- anywhere anywhere
6 ipdrop_global all -- anywhere anywhere
7 input_custom all -- anywhere anywhere
8 ACCEPT all -- anywhere anywhere
9 ssh tcp -- anywhere anywhere state NEW tcp dpt:22022
10 ACCEPT icmp -- anywhere anywhere icmp echo-request limit: up to 2/sec burst 10 mode srcip
11 LOG icmp -- anywhere anywhere icmp echo-request limit: avg 5/min burst 5 LOG level error prefix 'ICMP_DROP '
12 DROP icmp -- anywhere anywhere icmp echo-request
13 ACCEPT icmp -- anywhere anywhere icmp echo-reply
14 ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
15 ACCEPT icmp -- anywhere anywhere icmp port-unreachable
16 ACCEPT icmp -- anywhere anywhere icmp host-unreachable
17 ACCEPT icmp -- anywhere anywhere icmp time-exceeded
18 ACCEPT icmp -- anywhere anywhere icmp parameter-problem
19 ACCEPT icmp -- anywhere anywhere icmp type 30
20 ACCEPT icmp -- anywhere anywhere state ESTABLISHED
21 ACCEPT tcp -- 103.21.244.0/22 anywhere tcp dpt:http
22 ACCEPT tcp -- 103.22.200.0/22 anywhere tcp dpt:http
23 ACCEPT tcp -- 103.31.4.0/22 anywhere tcp dpt:http
24 ACCEPT tcp -- 104.16.0.0/12 anywhere tcp dpt:http
25 ACCEPT tcp -- 108.162.192.0/18 anywhere tcp dpt:http
26 ACCEPT tcp -- 131.0.72.0/22 anywhere tcp dpt:http
27 ACCEPT tcp -- 141.101.64.0/18 anywhere tcp dpt:http
28 ACCEPT tcp -- 162.158.0.0/15 anywhere tcp dpt:http
29 ACCEPT tcp -- 172.64.0.0/13 anywhere tcp dpt:http
30 ACCEPT tcp -- 173.245.48.0/20 anywhere tcp dpt:http
31 ACCEPT tcp -- 188.114.96.0/20 anywhere tcp dpt:http
32 ACCEPT tcp -- 190.93.240.0/20 anywhere tcp dpt:http
33 ACCEPT tcp -- 197.234.240.0/22 anywhere tcp dpt:http
34 ACCEPT tcp -- 198.41.128.0/17 anywhere tcp dpt:http
35 ACCEPT tcp -- vps.retireja.com.br anywhere tcp dpt:http
36 ACCEPT tcp -- server.thenarcissistswife.com anywhere multiport dports ssh,http
37 ACCEPT icmp -- server.thenarcissistswife.com anywhere icmp echo-request
38 ACCEPT tcp -- 54.e2.adb8.ip4.static.sl-reverse.com anywhere multiport dports ssh,http
39 ACCEPT icmp -- 54.e2.adb8.ip4.static.sl-reverse.com anywhere icmp echo-request
40 ACCEPT tcp -- 32.e0.acb8.ip4.static.sl-reverse.com anywhere multiport dports ssh,http
41 ACCEPT icmp -- 32.e0.acb8.ip4.static.sl-reverse.com anywhere icmp echo-request
42 ACCEPT tcp -- anywhere anywhere tcp dpt:domain
43 ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
44 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
45 ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
46 ACCEPT tcp -- anywhere anywhere tcp dpt:26
47 ACCEPT udp -- anywhere anywhere udp dpt:domain
48 ACCEPT tcp -- anywhere anywhere tcp dpt:http
49 ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
50 ACCEPT tcp -- anywhere anywhere tcp dpt:imap
51 ACCEPT tcp -- anywhere anywhere tcp dpt:https
52 ACCEPT tcp -- anywhere anywhere tcp dpt:urd
53 ACCEPT tcp -- anywhere anywhere tcp dpt:submission
54 ACCEPT tcp -- anywhere anywhere tcp dpt:infowave
55 ACCEPT tcp -- anywhere anywhere tcp dpt:radsec
56 ACCEPT tcp -- anywhere anywhere tcp dpt:sunclustergeo
57 ACCEPT tcp -- anywhere anywhere tcp dpt:gnunet
58 ACCEPT tcp -- anywhere anywhere tcp dpt:eli
59 ACCEPT tcp -- anywhere anywhere tcp dpt:sep
60 ACCEPT tcp -- anywhere anywhere tcp dpt:EtherNet/IP-1
61 ACCEPT tcp -- anywhere anywhere tcp dpt:nbx-ser
62 ACCEPT tcp -- anywhere anywhere tcp dpt:nbx-dir
63 ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
64 ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
65 ACCEPT udp -- google-public-dns-b.google.com anywhere udp spt:domain
66 ACCEPT tcp -- google-public-dns-b.google.com anywhere tcp spt:domain
67 ACCEPT udp -- google-public-dns-a.google.com anywhere udp spt:domain
68 ACCEPT tcp -- google-public-dns-a.google.com anywhere tcp spt:domain
69 ACCEPT tcp -- anywhere anywhere tcp dpt:22022
70 ACCEPT udp -- anywhere anywhere udp dpt:22022
71 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
72 LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix 'LOG_INPUT: '
73 DROP all -- anywhere anywhere
74 ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
75 ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
76 ACCEPT tcp -- vps.retireja.com.br anywhere tcp dpt:mysql
77 ACCEPT tcp -- vps.retireja.com.br anywhere tcp dpt:mysql
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 tcpchk tcp -- anywhere anywhere
2 udpchk udp -- anywhere anywhere
3 icmpchk icmp -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 cpanel-dovecot-solr all -- anywhere anywhere
2 acctboth all -- anywhere anywhere
3 tcpchk tcp -- anywhere anywhere
4 udpchk udp -- anywhere anywhere
5 icmpchk icmp -- anywhere anywhere
6 output_custom all -- anywhere anywhere
7 ACCEPT all -- anywhere anywhere
8 ACCEPT icmp -- anywhere anywhere state NEW,ESTABLISHED
9 ACCEPT icmp -- anywhere server.thenarcissistswife.com icmp echo-reply
10 ACCEPT icmp -- anywhere 54.e2.adb8.ip4.static.sl-reverse.com icmp echo-reply
11 ACCEPT icmp -- anywhere 32.e0.acb8.ip4.static.sl-reverse.com icmp echo-reply
12 ACCEPT udp -- anywhere anywhere udp dpt:saphostctrls
13 ACCEPT tcp -- anywhere anywhere tcp dpt:saphostctrls
14 ACCEPT udp -- anywhere anywhere udp dpt:30000
15 ACCEPT tcp -- anywhere anywhere tcp dpt:30000
16 ACCEPT udp -- anywhere anywhere udp dpt:pop3
17 ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
18 ACCEPT udp -- anywhere anywhere udp dpt:nicname
19 ACCEPT tcp -- anywhere anywhere tcp dpt:nicname
20 ACCEPT tcp -- anywhere anywhere tcp dpt:rsync
21 ACCEPT udp -- anywhere anywhere owner UID match root
22 ACCEPT icmp -- anywhere anywhere
23 ACCEPT all -- anywhere anywhere
24 ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
25 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
26 ACCEPT tcp -- anywhere gateway07.websitewelcome.com tcp dpt:smtp
27 ACCEPT tcp -- anywhere gateway03.websitewelcome.com tcp dpt:smtp
28 ACCEPT tcp -- anywhere gateway04.websitewelcome.com tcp dpt:smtp
29 ACCEPT tcp -- anywhere gateway05.websitewelcome.com tcp dpt:smtp
30 ACCEPT tcp -- anywhere gateway06.websitewelcome.com tcp dpt:smtp
31 ACCEPT tcp -- anywhere gateway09.websitewelcome.com tcp dpt:smtp
32 ACCEPT tcp -- anywhere gateway10.websitewelcome.com tcp dpt:smtp
33 ACCEPT tcp -- anywhere gateway11.websitewelcome.com tcp dpt:smtp
34 ACCEPT tcp -- anywhere gateway12.websitewelcome.com tcp dpt:smtp
35 ACCEPT tcp -- anywhere gateway13.websitewelcome.com tcp dpt:smtp
36 ACCEPT tcp -- anywhere gateway14.websitewelcome.com tcp dpt:smtp
37 ACCEPT tcp -- anywhere gateway15.websitewelcome.com tcp dpt:smtp
38 ACCEPT tcp -- anywhere gateway16.websitewelcome.com tcp dpt:smtp
39 ACCEPT tcp -- anywhere gateway02.websitewelcome.com tcp dpt:smtp
40 ACCEPT tcp -- anywhere gateway01.websitewelcome.com tcp dpt:smtp
41 ACCEPT tcp -- anywhere gateway08.websitewelcome.com tcp dpt:smtp
42 ACCEPT tcp -- anywhere anywhere tcp dpt:smtp owner UID match mailnull
43 LOG tcp -- anywhere anywhere ! owner UID match root multiport dports smtp,urd,submission limit: avg 1/sec burst 5 LOG level notice prefix 'OUTBOUND-SMTP : '
44 ACCEPT udp -- anywhere anywhere udp dpt:domain ! owner UID match nobody
45 ACCEPT tcp -- anywhere anywhere tcp dpt:domain ! owner UID match nobody
46 ACCEPT udp -- anywhere google-public-dns-b.google.com udp dpt:domain
47 ACCEPT tcp -- anywhere google-public-dns-b.google.com tcp dpt:domain
48 ACCEPT udp -- anywhere google-public-dns-a.google.com udp dpt:domain
49 ACCEPT tcp -- anywhere google-public-dns-a.google.com tcp dpt:domain
50 ACCEPT udp -- anywhere anywhere udp dpt:domain owner UID match nobody limit: avg 20/sec burst 5
51 ACCEPT tcp -- anywhere anywhere tcp dpt:domain owner UID match nobody limit: avg 20/sec burst 5
52 ACCEPT tcp -- anywhere anywhere tcp dpt:http
53 ACCEPT tcp -- anywhere anywhere tcp dpt:https
54 ACCEPT tcp -- anywhere anywhere tcp dpt:urd
55 ACCEPT tcp -- anywhere anywhere tcp dpt:submission
56 ACCEPT tcp -- anywhere anywhere tcp dpt:gnunet
57 ACCEPT tcp -- anywhere anywhere tcp dpt:eli
58 ACCEPT tcp -- anywhere anywhere tcp dpt:sep
59 ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
60 ACCEPT tcp -- anywhere anywhere tcp dpt:time
61 ACCEPT tcp -- anywhere anywhere tcp dpt:sms-chat
62 ACCEPT tcp -- anywhere anywhere tcp spt:domain
63 ACCEPT tcp -- anywhere anywhere tcp spt:ftp
64 ACCEPT tcp -- anywhere anywhere tcp spt:ssh
65 ACCEPT tcp -- anywhere anywhere tcp spt:22022
66 ACCEPT tcp -- anywhere anywhere tcp spt:smtp
67 ACCEPT tcp -- anywhere anywhere tcp spt:26
68 ACCEPT udp -- anywhere anywhere udp spt:domain
69 ACCEPT tcp -- anywhere anywhere tcp spt:http
70 ACCEPT tcp -- anywhere anywhere tcp spt:pop3
71 ACCEPT tcp -- anywhere anywhere tcp spt:imap
72 ACCEPT tcp -- anywhere anywhere tcp spt:https
73 ACCEPT tcp -- anywhere anywhere tcp spt:urd
74 ACCEPT tcp -- anywhere anywhere tcp spt:submission
75 ACCEPT tcp -- anywhere anywhere tcp spt:infowave
76 ACCEPT tcp -- anywhere anywhere tcp spt:radsec
77 ACCEPT tcp -- anywhere anywhere tcp spt:sunclustergeo
78 ACCEPT tcp -- anywhere anywhere tcp spt:gnunet
79 ACCEPT tcp -- anywhere anywhere tcp spt:eli
80 ACCEPT tcp -- anywhere anywhere tcp spt:sep
81 ACCEPT tcp -- anywhere anywhere tcp spt:EtherNet/IP-1
82 ACCEPT tcp -- anywhere anywhere tcp spt:nbx-ser
83 ACCEPT tcp -- anywhere anywhere tcp spt:nbx-dir
84 ACCEPT tcp -- anywhere anywhere tcp spt:imaps
85 ACCEPT tcp -- anywhere anywhere tcp spt:pop3s
86 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
87 LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix 'LOG_OUTPUT: '
88 DROP all -- anywhere anywhere
89 ACCEPT tcp -- anywhere anywhere tcp spt:mysql
Chain acctboth (2 references)
num target prot opt source destination
Chain cpanel-dovecot-solr (1 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere multiport sports 8984,7984 owner UID match cpanelsolr
2 ACCEPT tcp -- anywhere anywhere multiport sports 8984,7984 owner UID match root
3 REJECT tcp -- anywhere anywhere multiport sports 8984,7984 reject-with icmp-port-unreachable
Chain icmpchk (3 references)
num target prot opt source destination
Chain input_custom (1 references)
num target prot opt source destination
Chain ipdrop_global (1 references)
num target prot opt source destination
1 DROP all -- 43.255.190.0/23 anywhere
Chain output_custom (1 references)
num target prot opt source destination
Chain ssh (1 references)
num target prot opt source destination
1 ACCEPT all -- supra.websitewelcome.com anywhere
2 ACCEPT all -- wizard2.hostgator.com anywhere
3 ACCEPT all -- wizard-backup.hostgator.com anywhere
4 ACCEPT all -- 216-106-185-169.ds1-static.mia1.net.ststelecom.com anywhere
5 ACCEPT all -- 12.96.160.0/24 anywhere
6 ACCEPT all -- 216.19.0.0/24 anywhere
7 tcp -- anywhere anywhere state NEW recent: SET name: DEFAULT side: source
8 LOG tcp -- anywhere anywhere state NEW recent: CHECK seconds: 60 hit_count: 10 name: DEFAULT side: source limit: avg 10/min burst 5 LOG level notice prefix 'SSH-ATTACK : '
9 REJECT tcp -- anywhere anywhere state NEW recent: UPDATE seconds: 60 hit_count: 10 name: DEFAULT side: source reject-with tcp-reset
10 ACCEPT tcp -- anywhere anywhere
Chain tcpchk (3 references)
num target prot opt source destination
Chain udpchk (3 references)
num target prot opt source destination
Remover esta regra:
-A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
Você pode remover uma regra imprimindo os números de linha desta maneira:
iptables -L --line-numbers
e, em seguida, excluindo a linha pelo número da linha.
Por exemplo, se a linha incorreta for o número 7, então:
iptables -D INPUT 7