For some reason mysql connections from a specific IP address aren't allowed. This is the rule I have (grabbed from iptables-save):
-A INPUT -s 12.34.56.78/32 -p tcp -m state --state NEW -m multiport --dports 22,80,3306 -j ACCEPT
What's interesting here is that SSH connections and HTTP pages load perfectly without issue. I added 3306 for MySQL connections later, but they seem to be ignored. Why?
I'm on CentOS. I have restarted iptables service and have the IPTABLES_SAVE_ON_STOP/RESTART set to yes.
Running netstat -tunelp shows me this:
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 27 8849593 10712/mysqld
Here is my full list of rules from iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- 192.168.1.0/24 anywhere state NEW multiport dports ssh,http,mysql
ACCEPT tcp -- some-resolved-hostname-1.com anywhere state NEW multiport dports ssh,http,mysql
ACCEPT tcp -- some-resolved-hostname-2.com anywhere state NEW multiport dports ssh,http,mysql
ACCEPT tcp -- some-resolved-hostname-3.com anywhere state NEW multiport dports ssh,http,mysql
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Note: There are no logs (including errors logs) on the server side. The error I get when trying to connect is:
D:\>mysql -u username -p -h 12.34.56.78
Enter password:
ERROR 2003 (HY000): Can't connect to MySQL server on '12.34.56.78' (10060)
Additionally (as this was from a Windows machine trying to connect) I tried this:
D:\>telnet 12.34.56.78 3306
Connecting To 12.34.56.78...Could not open connection to the host, on port 3306: Connect failed
Also note that skip_networking is set to off.
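One way to check which rule a given connection actually hits is to walk the INPUT chain with netfilter's first-match semantics. The Python below is an added example, not code from the question or the answers: the chain is constructed from the rules quoted above, and the -i lo match on the loopback rule plus the eth0 interface name are assumptions, since iptables -L without -v hides interface columns.

```python
import ipaddress

# INPUT chain in iptables-save form, constructed from the rules quoted in the
# question; "-i lo" on rule 3 is assumed (iptables -L without -v hides the
# interface of the usual CentOS loopback rule).
INPUT_CHAIN = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m multiport --dports 22,80,3306 -j ACCEPT
-A INPUT -s 12.34.56.78/32 -p tcp -m state --state NEW -m multiport --dports 22,80,3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def parse_rule(line):
    """Extract the match criteria and the target from one iptables-save line."""
    toks = line.split()
    rule = {"src": None, "proto": None, "iface": None, "state": None,
            "dports": None, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-s":
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
        elif t == "-p":
            rule["proto"] = toks[i + 1]
        elif t == "-i":
            rule["iface"] = toks[i + 1]
        elif t == "--state":
            rule["state"] = set(toks[i + 1].split(","))
        elif t in ("--dport", "--dports"):  # single ports only, no ranges
            rule["dports"] = {int(p) for p in toks[i + 1].split(",")}
        elif t == "-j":
            rule["target"] = toks[i + 1]
        i += 2  # every option on these lines takes exactly one value
    return rule

def first_match(chain, src, dport, proto="tcp", state="NEW", iface="eth0"):
    """Walk the chain top to bottom (first match wins); return (rule number, target)."""
    src_ip = ipaddress.ip_address(src)
    for num, line in enumerate(chain.strip().splitlines(), 1):
        r = parse_rule(line)
        if ((r["src"] is None or src_ip in r["src"])
                and (r["proto"] is None or r["proto"] == proto)
                and (r["iface"] is None or r["iface"] == iface)
                and (r["state"] is None or state in r["state"])
                and (r["dports"] is None or dport in r["dports"])):
            return num, r["target"]
    return None, "ACCEPT"  # fell through to the chain policy (ACCEPT in the listing)
```

For the quoted rules a NEW TCP packet from 12.34.56.78 to port 3306 reaches the ACCEPT on rule 6, so if the real connection still times out, compare the live chain (iptables -S INPUT) with the saved file and look for filtering upstream of the host.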
First, have you changed my.cnf to configure MySQL to listen for connections on the server's IP address? Your file should contain this line:
bind-address = <public_ip_address_of_your_machine>
Second, have you given permission to the user connecting from that IP address to connect, in MySQL?
GRANT ALL ON example.* TO someuser@'12.34.56.78' IDENTIFIED BY 'PASSWORD';
That would solve the issue if you are getting an error message similar to
"Access denied for user: '[email protected]' (Using password: YES)"
Last, make sure that your router has port-forwarding and firewall rules allowing incoming connections to the MySQL server.
I see --dports instead of --dport; maybe 22 and 80 work because they're allowed by another rule and it just can't apply this line?