MySQL on the LAN stops working after enabling iptables



I have two CentOS VMs.

The IP addresses are as follows:

  • VM_1 => 10.99.0.10
  • VM_2 => 10.99.0.12

Apache and PHP run on VM_1, while MySQL runs on VM_2. Both have iptables rules. VM_2 works fine with its rules. Now I am testing from VM_1.

First, I disabled iptables on VM_1 and connected to MySQL on VM_2 (the connection succeeded).

[root@foster ~]# service iptables stop
iptables: Applying firewall rules:                         [  OK  ]
[root@foster ~]# mysql -h 10.99.0.12 -u root -p
Enter password:

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 5.6.21 MySQL Community Server (GPL)
...

Second, I enabled iptables on VM_1 and connected to MySQL on VM_2 (it never responded, even after several hours).

[root@foster ~]# service iptables start
iptables: Applying firewall rules:                         [  OK  ]
[root@foster ~]# mysql -h 10.99.0.12 -u root -p
Enter password:

What is wrong with my iptables rules? Here are my iptables rules:

[root@foster ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state NEW,ESTABLISHED
ACCEPT     tcp  --  10.99.0.12           anywhere            tcp dpt:mysql state NEW,ESTABLISHED
ACCEPT     tcp  --  localhost            anywhere            tcp dpt:mysql state NEW,ESTABLISHED
LOGGING    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql state ESTABLISHED

Chain LOGGING (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 2/min burst 5 LOG level debug prefix `IPTables Dropped -:- '
DROP       all  --  anywhere             anywhere

I think the output of iptables -L on VM_1, in the question itself, would help.
msrd0, 2014

@msrd0, iptables -L shows this: pastebin.com/byQ8Ee4c
Foster Software

Answers:



The problem is that you are not allowing new connections to MySQL, and you have sport and dport reversed:

Chain INPUT (policy DROP)
...
ACCEPT     tcp  --  10.99.0.12 anywhere  tcp dpt:mysql state   NEW,ESTABLISHED
ACCEPT     tcp  --  localhost  anywhere  tcp dpt:mysql state   NEW,ESTABLISHED
...

Chain OUTPUT (policy DROP)
...
ACCEPT     tcp  --  anywhere   anywhere  tcp spt:mysql state   ESTABLISHED
ACCEPT     tcp  --  anywhere   anywhere  tcp spt:mysql state   ESTABLISHED
...

The correct iptables -L output should be:

Chain INPUT (policy DROP)
...
ACCEPT     tcp  --  10.99.0.12 anywhere  tcp spt:mysql state   ESTABLISHED
ACCEPT     tcp  --  localhost  anywhere  tcp spt:mysql state   ESTABLISHED
...

Chain OUTPUT (policy DROP)
...
ACCEPT     tcp  --  anywhere   anywhere  tcp dpt:mysql state   NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere   anywhere  tcp dpt:mysql state   NEW,ESTABLISHED
...
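To make the answer's point checkable, here is an added example (not code from the question or the answer) that parses `iptables -L` output and flags ACCEPT rules written from the server's point of view on a host that only acts as a MySQL client, then emits the corrected client-side pair. The sample listing is constructed from the question's rules; `parse_listing`, `client_side_problems` and `client_rules` are names of my own.

```python
import re
# Constructed sample: the MySQL rules from the question's `iptables -L` on VM_1 (the client).
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  10.99.0.12           anywhere            tcp dpt:mysql state NEW,ESTABLISHED
ACCEPT     tcp  --  localhost            anywhere            tcp dpt:mysql state NEW,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql state ESTABLISHED
"""
# Columns of `iptables -L`: target prot opt source destination [match text]
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_listing(text):
    """Parse `iptables -L` output into {chain_name: [rule dict, ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line.strip() and not line.startswith("target"):
            m = RULE_RE.match(line)
            if m:
                target, proto, src, dst, extra = m.groups()
                chains[current].append({"target": target, "proto": proto,
                                        "src": src, "dst": dst, "extra": extra})
    return chains

def client_side_problems(chains, service="mysql"):
    """Flag ACCEPT rules written from the server's point of view on a host that
    only initiates connections to `service` (the sport/dport mix-up above)."""
    problems = []
    for r in chains.get("INPUT", []):   # a client only *receives replies* here
        if r["target"] == "ACCEPT" and f"dpt:{service}" in r["extra"]:
            problems.append(f"INPUT from {r['src']}: want spt:{service} state ESTABLISHED")
    for r in chains.get("OUTPUT", []):  # a client *opens connections* here
        if r["target"] == "ACCEPT" and f"spt:{service}" in r["extra"]:
            problems.append(f"OUTPUT to {r['dst']}: want dpt:{service} state NEW,ESTABLISHED")
    return problems

def client_rules(server_ip, port=3306):
    """Corrected client-side pair as iptables commands (not run here); -I keeps
    them above the LOG/DROP catch-all that ends the question's INPUT chain."""
    return [f"iptables -I OUTPUT -p tcp -d {server_ip} --dport {port} "
            f"-m state --state NEW,ESTABLISHED -j ACCEPT",
            f"iptables -I INPUT -p tcp -s {server_ip} --sport {port} "
            f"-m state --state ESTABLISHED -j ACCEPT"]
```

Run `client_side_problems(parse_listing(SAMPLE_LISTING))` to get three findings for the question's listing, and `client_rules("10.99.0.12")` for the two commands that replace them.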