Iptables blocking remote MySQL

1

I am trying to configure my server (CentOS 6.9) to accept remote MySQL connections and I am stuck on the firewall configuration.

I have everything set up on the MySQL side; I can connect via telnet if I stop iptables, but not while it is active.

I have already tried:

-A INPUT -i lo -p tcp -m tcp --dport 3306 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT 

But I still get "connection refused" with iptables active. What am I doing wrong?

EDIT: output of iptables -L --line-numbers

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql 
2    acctboth   all  --  anywhere             anywhere            
3    tcpchk     tcp  --  anywhere             anywhere            
4    udpchk     udp  --  anywhere             anywhere            
5    icmpchk    icmp --  anywhere             anywhere            
6    ipdrop_global  all  --  anywhere             anywhere            
7    input_custom  all  --  anywhere             anywhere            
8    ACCEPT     all  --  anywhere             anywhere            
9    ssh        tcp  --  anywhere             anywhere            state NEW tcp dpt:22022 
10   ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: up to 2/sec burst 10 mode srcip 
11   LOG        icmp --  anywhere             anywhere            icmp echo-request limit: avg 5/min burst 5 LOG level error prefix 'ICMP_DROP ' 
12   DROP       icmp --  anywhere             anywhere            icmp echo-request 
13   ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply 
14   ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed 
15   ACCEPT     icmp --  anywhere             anywhere            icmp port-unreachable 
16   ACCEPT     icmp --  anywhere             anywhere            icmp host-unreachable 
17   ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
18   ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem 
19   ACCEPT     icmp --  anywhere             anywhere            icmp type 30 
20   ACCEPT     icmp --  anywhere             anywhere            state ESTABLISHED 
21   ACCEPT     tcp  --  103.21.244.0/22      anywhere            tcp dpt:http 
22   ACCEPT     tcp  --  103.22.200.0/22      anywhere            tcp dpt:http 
23   ACCEPT     tcp  --  103.31.4.0/22        anywhere            tcp dpt:http 
24   ACCEPT     tcp  --  104.16.0.0/12        anywhere            tcp dpt:http 
25   ACCEPT     tcp  --  108.162.192.0/18     anywhere            tcp dpt:http 
26   ACCEPT     tcp  --  131.0.72.0/22        anywhere            tcp dpt:http 
27   ACCEPT     tcp  --  141.101.64.0/18      anywhere            tcp dpt:http 
28   ACCEPT     tcp  --  162.158.0.0/15       anywhere            tcp dpt:http 
29   ACCEPT     tcp  --  172.64.0.0/13        anywhere            tcp dpt:http 
30   ACCEPT     tcp  --  173.245.48.0/20      anywhere            tcp dpt:http 
31   ACCEPT     tcp  --  188.114.96.0/20      anywhere            tcp dpt:http 
32   ACCEPT     tcp  --  190.93.240.0/20      anywhere            tcp dpt:http 
33   ACCEPT     tcp  --  197.234.240.0/22     anywhere            tcp dpt:http 
34   ACCEPT     tcp  --  198.41.128.0/17      anywhere            tcp dpt:http 
35   ACCEPT     tcp  --  vps.retireja.com.br  anywhere            tcp dpt:http 
36   ACCEPT     tcp  --  server.thenarcissistswife.com  anywhere            multiport dports ssh,http 
37   ACCEPT     icmp --  server.thenarcissistswife.com  anywhere            icmp echo-request 
38   ACCEPT     tcp  --  54.e2.adb8.ip4.static.sl-reverse.com  anywhere            multiport dports ssh,http 
39   ACCEPT     icmp --  54.e2.adb8.ip4.static.sl-reverse.com  anywhere            icmp echo-request 
40   ACCEPT     tcp  --  32.e0.acb8.ip4.static.sl-reverse.com  anywhere            multiport dports ssh,http 
41   ACCEPT     icmp --  32.e0.acb8.ip4.static.sl-reverse.com  anywhere            icmp echo-request 
42   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
43   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp 
44   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
45   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp 
46   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:26 
47   ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
48   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
49   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3 
50   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap 
51   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
52   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:urd 
53   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:submission 
54   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:infowave 
55   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:radsec 
56   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:sunclustergeo 
57   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:gnunet 
58   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:eli 
59   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:sep 
60   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:EtherNet/IP-1 
61   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:nbx-ser 
62   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:nbx-dir 
63   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps 
64   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s 
65   ACCEPT     udp  --  google-public-dns-b.google.com  anywhere            udp spt:domain 
66   ACCEPT     tcp  --  google-public-dns-b.google.com  anywhere            tcp spt:domain 
67   ACCEPT     udp  --  google-public-dns-a.google.com  anywhere            udp spt:domain 
68   ACCEPT     tcp  --  google-public-dns-a.google.com  anywhere            tcp spt:domain 
69   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:22022 
70   ACCEPT     udp  --  anywhere             anywhere            udp dpt:22022 
71   ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
72   LOG        all  --  anywhere             anywhere            limit: avg 1/sec burst 5 LOG level warning prefix 'LOG_INPUT: ' 
73   DROP       all  --  anywhere             anywhere            
74   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql 
75   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql 
76   ACCEPT     tcp  --  vps.retireja.com.br  anywhere            tcp dpt:mysql 
77   ACCEPT     tcp  --  vps.retireja.com.br  anywhere            tcp dpt:mysql 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    tcpchk     tcp  --  anywhere             anywhere            
2    udpchk     udp  --  anywhere             anywhere            
3    icmpchk    icmp --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    cpanel-dovecot-solr  all  --  anywhere             anywhere            
2    acctboth   all  --  anywhere             anywhere            
3    tcpchk     tcp  --  anywhere             anywhere            
4    udpchk     udp  --  anywhere             anywhere            
5    icmpchk    icmp --  anywhere             anywhere            
6    output_custom  all  --  anywhere             anywhere            
7    ACCEPT     all  --  anywhere             anywhere            
8    ACCEPT     icmp --  anywhere             anywhere            state NEW,ESTABLISHED 
9    ACCEPT     icmp --  anywhere             server.thenarcissistswife.com icmp echo-reply 
10   ACCEPT     icmp --  anywhere             54.e2.adb8.ip4.static.sl-reverse.com icmp echo-reply 
11   ACCEPT     icmp --  anywhere             32.e0.acb8.ip4.static.sl-reverse.com icmp echo-reply 
12   ACCEPT     udp  --  anywhere             anywhere            udp dpt:saphostctrls 
13   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:saphostctrls 
14   ACCEPT     udp  --  anywhere             anywhere            udp dpt:30000 
15   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:30000 
16   ACCEPT     udp  --  anywhere             anywhere            udp dpt:pop3 
17   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3 
18   ACCEPT     udp  --  anywhere             anywhere            udp dpt:nicname 
19   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:nicname 
20   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:rsync 
21   ACCEPT     udp  --  anywhere             anywhere            owner UID match root 
22   ACCEPT     icmp --  anywhere             anywhere            
23   ACCEPT     all  --  anywhere             anywhere            
24   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp 
25   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
26   ACCEPT     tcp  --  anywhere             gateway07.websitewelcome.com tcp dpt:smtp 
27   ACCEPT     tcp  --  anywhere             gateway03.websitewelcome.com tcp dpt:smtp 
28   ACCEPT     tcp  --  anywhere             gateway04.websitewelcome.com tcp dpt:smtp 
29   ACCEPT     tcp  --  anywhere             gateway05.websitewelcome.com tcp dpt:smtp 
30   ACCEPT     tcp  --  anywhere             gateway06.websitewelcome.com tcp dpt:smtp 
31   ACCEPT     tcp  --  anywhere             gateway09.websitewelcome.com tcp dpt:smtp 
32   ACCEPT     tcp  --  anywhere             gateway10.websitewelcome.com tcp dpt:smtp 
33   ACCEPT     tcp  --  anywhere             gateway11.websitewelcome.com tcp dpt:smtp 
34   ACCEPT     tcp  --  anywhere             gateway12.websitewelcome.com tcp dpt:smtp 
35   ACCEPT     tcp  --  anywhere             gateway13.websitewelcome.com tcp dpt:smtp 
36   ACCEPT     tcp  --  anywhere             gateway14.websitewelcome.com tcp dpt:smtp 
37   ACCEPT     tcp  --  anywhere             gateway15.websitewelcome.com tcp dpt:smtp 
38   ACCEPT     tcp  --  anywhere             gateway16.websitewelcome.com tcp dpt:smtp 
39   ACCEPT     tcp  --  anywhere             gateway02.websitewelcome.com tcp dpt:smtp 
40   ACCEPT     tcp  --  anywhere             gateway01.websitewelcome.com tcp dpt:smtp 
41   ACCEPT     tcp  --  anywhere             gateway08.websitewelcome.com tcp dpt:smtp 
42   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp owner UID match mailnull 
43   LOG        tcp  --  anywhere             anywhere            ! owner UID match root multiport dports smtp,urd,submission limit: avg 1/sec burst 5 LOG level notice prefix 'OUTBOUND-SMTP : ' 
44   ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain ! owner UID match nobody 
45   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain ! owner UID match nobody 
46   ACCEPT     udp  --  anywhere             google-public-dns-b.google.com udp dpt:domain 
47   ACCEPT     tcp  --  anywhere             google-public-dns-b.google.com tcp dpt:domain 
48   ACCEPT     udp  --  anywhere             google-public-dns-a.google.com udp dpt:domain 
49   ACCEPT     tcp  --  anywhere             google-public-dns-a.google.com tcp dpt:domain 
50   ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain owner UID match nobody limit: avg 20/sec burst 5 
51   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain owner UID match nobody limit: avg 20/sec burst 5 
52   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
53   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
54   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:urd 
55   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:submission 
56   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:gnunet 
57   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:eli 
58   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:sep 
59   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql 
60   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:time 
61   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:sms-chat 
62   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:domain 
63   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp 
64   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh 
65   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:22022 
66   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:smtp 
67   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:26 
68   ACCEPT     udp  --  anywhere             anywhere            udp spt:domain 
69   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http 
70   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:pop3 
71   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:imap 
72   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https 
73   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:urd 
74   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:submission 
75   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:infowave 
76   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:radsec 
77   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:sunclustergeo 
78   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:gnunet 
79   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:eli 
80   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:sep 
81   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:EtherNet/IP-1 
82   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:nbx-ser 
83   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:nbx-dir 
84   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:imaps 
85   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:pop3s 
86   ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
87   LOG        all  --  anywhere             anywhere            limit: avg 1/sec burst 5 LOG level warning prefix 'LOG_OUTPUT: ' 
88   DROP       all  --  anywhere             anywhere            
89   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql 

Chain acctboth (2 references)
num  target     prot opt source               destination         

Chain cpanel-dovecot-solr (1 references)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  anywhere             anywhere            multiport sports 8984,7984 owner UID match cpanelsolr 
2    ACCEPT     tcp  --  anywhere             anywhere            multiport sports 8984,7984 owner UID match root 
3    REJECT     tcp  --  anywhere             anywhere            multiport sports 8984,7984 reject-with icmp-port-unreachable 

Chain icmpchk (3 references)
num  target     prot opt source               destination         

Chain input_custom (1 references)
num  target     prot opt source               destination         

Chain ipdrop_global (1 references)
num  target     prot opt source               destination         
1    DROP       all  --  43.255.190.0/23      anywhere            

Chain output_custom (1 references)
num  target     prot opt source               destination         

Chain ssh (1 references)
num  target     prot opt source               destination         
1    ACCEPT     all  --  supra.websitewelcome.com  anywhere            
2    ACCEPT     all  --  wizard2.hostgator.com  anywhere            
3    ACCEPT     all  --  wizard-backup.hostgator.com  anywhere            
4    ACCEPT     all  --  216-106-185-169.ds1-static.mia1.net.ststelecom.com  anywhere            
5    ACCEPT     all  --  12.96.160.0/24       anywhere            
6    ACCEPT     all  --  216.19.0.0/24        anywhere            
7               tcp  --  anywhere             anywhere            state NEW recent: SET name: DEFAULT side: source 
8    LOG        tcp  --  anywhere             anywhere            state NEW recent: CHECK seconds: 60 hit_count: 10 name: DEFAULT side: source limit: avg 10/min burst 5 LOG level notice prefix 'SSH-ATTACK : ' 
9    REJECT     tcp  --  anywhere             anywhere            state NEW recent: UPDATE seconds: 60 hit_count: 10 name: DEFAULT side: source reject-with tcp-reset 
10   ACCEPT     tcp  --  anywhere             anywhere            

Chain tcpchk (3 references)
num  target     prot opt source               destination         

Chain udpchk (3 references)
num  target     prot opt source               destination 

by diogo.abdalla 30.01.2018 / 18:46

1 answer

1

Remove this rule:

-A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset

You can remove a rule by printing the line numbers like this:

iptables -L --line-numbers

and then deleting the line by its line number.

For example, if the incorrect line is number 7, then:

iptables -D INPUT 7

by 30.01.2018 / 19:16
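The rule-order check behind this answer, as an added example that is not part of the question or of the answer: a POSIX sh script that reads an `iptables -L CHAIN --line-numbers` listing, finds the first catch-all DROP/REJECT rule (source and destination "anywhere", no match options beyond a reject-with reason), lists the ACCEPT rules for a given port that sit below it and so can never match, and prints the `iptables -D CHAIN N` command the answer describes. The sample listing is constructed and shortened; the host name `vps.example.invalid` and the rule numbers in it are illustrative. Fed the question's own INPUT listing, the same functions report rule 73 (DROP all) as the catch-all and rules 74 to 77 (tcp dpt:mysql) as the ACCEPT rules below it.

```shell
#!/bin/sh
# Added example, not from the question or the answer above.
# Audits an `iptables -L CHAIN --line-numbers` listing (CentOS 6 column layout:
# num target prot opt source destination [match options]) for ACCEPT rules
# that sit below a catch-all DROP/REJECT and can therefore never match.
# Port labels are matched as iptables prints them: service names ("mysql")
# without -n, numbers ("3306") with -n.

# Constructed sample listing shaped like the question's INPUT chain, shortened.
# Rule 4 rejects all TCP with a reset ("connection refused"); rules 6 and 7
# open MySQL but are placed after it. The host name is illustrative.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
2    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
3    LOG        all  --  anywhere             anywhere            limit: avg 1/sec burst 5 LOG level warning prefix 'LOG_INPUT: '
4    REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
5    DROP       all  --  anywhere             anywhere
6    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql
7    ACCEPT     tcp  --  vps.example.invalid  anywhere            tcp dpt:mysql
EOF
}

# Print the number of the first DROP/REJECT rule with no source, destination
# or match restriction (only a reject-with reason is allowed). Reads stdin.
first_catchall() {
    awk '
        $1 ~ /^[0-9]+$/ && ($2 == "DROP" || $2 == "REJECT") &&
        $5 == "anywhere" && $6 == "anywhere" {
            extra = ""
            for (i = 7; i <= NF; i++) extra = extra " " $i
            sub(/^ reject-with [^ ]+$/, "", extra)
            if (extra == "") { print $1; exit }
        }'
}

# Print the numbers of ACCEPT rules after rule $1 whose options contain dpt:$2.
shadowed_accepts() {
    awk -v after="$1" -v port="$2" '
        $1 ~ /^[0-9]+$/ && ($1 + 0 > after + 0) && $2 == "ACCEPT" {
            for (i = 7; i <= NF; i++) if ($i == "dpt:" port) { print $1; break }
        }'
}

# Report for chain $1 and port label $2; listing on stdin.
# Returns 0 when shadowed ACCEPT rules were found, 1 otherwise.
audit_chain() {
    chain="$1"; port="$2"
    listing=$(cat)
    catchall=$(printf '%s\n' "$listing" | first_catchall)
    if [ -z "$catchall" ]; then
        echo "$chain: no catch-all DROP/REJECT, rule order is not what blocks $port"
        return 1
    fi
    shadowed=$(printf '%s\n' "$listing" | shadowed_accepts "$catchall" "$port")
    if [ -z "$shadowed" ]; then
        echo "$chain: catch-all at rule $catchall, no dpt:$port ACCEPT below it"
        return 1
    fi
    echo "$chain: rule $catchall is a catch-all; these dpt:$port ACCEPT rules never match:" $shadowed
    echo "delete it as the answer suggests:   iptables -D $chain $catchall"
    echo "or keep it and open the port above: iptables -I $chain $catchall -p tcp --dport $port -j ACCEPT"
}

# Stand-alone run on the constructed sample. On a live host, source this file
# and run:  iptables -L INPUT --line-numbers | audit_chain INPUT mysql
sample_listing | audit_chain INPUT mysql
```

iptables evaluates a chain top to bottom and the first terminating match wins, so a listing is read the same way: an unconditional ACCEPT high up (rule 8 in the question's listing) short-circuits everything below it just as a catch-all DROP does. Deleting the catch-all, as the answer does, also removes the chain's default deny; inserting the ACCEPT at the catch-all's position with `-I` opens only the one port and keeps the deny in place. Delete or insert by number only immediately after listing, since the numbers shift after every change, and on CentOS 6 save the result with `service iptables save` or it is lost on the next restart.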