
Firewall issue


Borvik

I'm not sure what's going on anymore.

I've FC4 installed on a server; it does web, mysql, and email.

The web and email still work fine, but mysql has thrown me for a loop.

Locally mysql works fine, and before just recently so did connecting to mysql remotely.

Lately though the connection hasn't been working, and when I do an nmap - port 3306 does not show up as being open.

I checked against another server (configured the same, as far as I knew), and nmap did show 3306 as being open.

This prompted me to check the iptables file. I compared the two, and they were identical (well, the working one had a couple more ACCEPTs to allow more ports - but I know what they were).

I went so far as to "service iptables stop" and 3306 still appears to be closed, and remote connections still don't work.

I'm thinking something else is blocking that port. What can I do to get this working again?

Thanks.
 
As far as I know, when you connect to mysql locally, you are connecting through a socket. Is mysql configured to listen on port 3306? Does lsof -Pni | grep 3306 show mysql as listening? i.e.
Code:
# lsof -Pni | grep 3306
mysqld     2017  mysql   11u  IPv4   7611       TCP *:3306 (LISTEN)

--== Anything can go wrong. It's just a matter of how far wrong it will go till people think its right. ==--
 
I have some software setup to connect locally specifically setting the port (and not the mysql.sock file).

Plus the server has two network cards, one to be able to receive mail from the internet (public IP), and an internal card for management use.

Running nmap on the public card I noticed the mysql port open, so I just tried connecting on that card and it is working (just to confirm mysql is listening).

I should probably close the mysql port on the public card, assuming I can figure out how to open it on the internal card.
 
Ok, I really need to get this working as I now notice an administration program is no longer connecting.

The server has two network cards (internal/external). Here is an nmap for each card:

Internal
Code:
# nmap 192.100.100.10

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-09-27 17:08 EDT
Interesting ports on ****hidden****.com (192.100.100.10):
(The 1648 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
130/tcp  filtered cisco-fna
131/tcp  filtered cisco-tna
132/tcp  filtered cisco-sys
133/tcp  filtered statsrv
134/tcp  filtered ingres-net
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
140/tcp  filtered emfis-data
445/tcp  filtered microsoft-ds
3372/tcp filtered msdtc
5800/tcp open     vnc-http
5900/tcp open     vnc

Nmap finished: 1 IP address (1 host up) scanned in 6.464 seconds

External:
Code:
# nmap xx.xxx.xxx.xxx

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-09-27 17:11 EDT
Interesting ports on ****hidden****.com (xx.xxx.xxx.xxx):
(The 1655 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
24/tcp   open  priv-mail
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
3306/tcp open  mysql

Nmap finished: 1 IP address (1 host up) scanned in 0.414 seconds

Here is my iptables:
Code:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Any help would be greatly appreciated. If more info is needed, just ask.

Thanks.
 
Issue as root
Code:
netstat -nap|grep 3306

I bet mysql is bound to your external address. If it is not bound to 127.0.0.1:3306, you need to make mysql bind to the internal address, which should fix the issue.

If it is bound to 127.0.0.1 you will need a line like
Code:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -d <mysql.internal.ip.address> -j ACCEPT
in iptables to allow the internal interface and a line like
Code:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -d <mysql.external.ip.address> -j DROP
to deny on the external interface.

You might want to add this line before your REJECT line to log what you are dropping in /var/log/messages
Code:
-A RH-Firewall-1-INPUT -j LOG --log-prefix 'UNDEFINED: ' --log-level info
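As an added example, not code from the thread: a small shell script that reads the `netstat -nap` line the post above asks for, reports which address mysqld is bound to, and emits the RH-Firewall-1-INPUT lines that admit 3306 only when addressed to the internal card, with the LOG rule placed directly ahead of the final REJECT so anything reaching the external card is logged and rejected. The netstat line is constructed sample input; 192.100.100.10 is the internal address from the thread's nmap.

```shell
#!/bin/sh
# Added example, not code from the thread: where is mysqld bound, and
# which iptables lines restrict 3306 to the internal address.
# Assumes the classic `netstat -nap` column layout (Proto Recv-Q Send-Q
# Local-Address Foreign-Address State PID/Program).

# Constructed sample of `netstat -nap | grep 3306` on a host where mysqld
# listens on every address (0.0.0.0), i.e. on both network cards.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      2017/mysqld'

# Print the address mysqld listens on (local-address column without :3306).
mysql_bind_addr() { # $1 = netstat output
    printf '%s\n' "$1" | awk '$6 == "LISTEN" && $4 ~ /:3306$/ && $7 ~ /mysqld/ {
        sub(/:3306$/, "", $4); print $4; exit }'
}

# Classify a bind address: "all" (both cards), "loopback" (unreachable
# remotely, no firewall rule will help) or the one specific address.
bind_scope() { # $1 = address
    case "$1" in
        0.0.0.0|::) echo all ;;
        127.0.0.1|::1) echo loopback ;;
        *) echo "$1" ;;
    esac
}

# Emit iptables-save style lines for the RH-Firewall-1-INPUT chain: accept
# new 3306 connections only when addressed to the internal card, then log
# and reject everything that reached the end of the chain (so a 3306
# attempt on the external card is logged and rejected without a separate
# DROP rule). The LOG line must sit immediately before the REJECT line.
gen_rules() { # $1 = internal address
    printf '%s\n' \
      "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -d $1 -j ACCEPT" \
      "-A RH-Firewall-1-INPUT -j LOG --log-prefix 'UNDEFINED: ' --log-level info" \
      "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited"
}

addr=$(mysql_bind_addr "$SAMPLE_NETSTAT")
case "$(bind_scope "$addr")" in
    loopback) echo "mysqld listens on loopback only; set bind-address in my.cnf first" ;;
    *)        echo "mysqld bound to $addr; rules to restrict 3306 to the internal card:"
              gen_rules 192.100.100.10 ;;
esac
```

Replace the sample with the real `netstat -nap | grep 3306` output and the generated lines must go in front of the existing 3306 ACCEPT, which should then be removed.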

 
I feel small right now. It was a really simple fix, and while all appearances showed a firewall issue - it wasn't. I don't know why I didn't think of it before, maybe I just needed to talk about it for a while.

Running an ifconfig is what clued me in on the problem. The internal adapter wasn't showing the IP address. This was odd, as it seemed to be responding to the ping, and the nmap.

Turns out an old PC of ours (runs legacy reporting applications on Win 95 or 98, I can't remember which) somehow through DHCP got the same address as the server causing an IP conflict.

Once I prevented this from happening and reinitialized the network on both PCs (old one first), the problem was solved.

I guess that's why iptables looked correct and wasn't working.

Thanks for getting my thinking processes straight guys.
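The check that would have shortened this thread, as an added example and not the poster's own commands: confirm that the internal address is actually configured on the host, and if it is not yet something still answers for it, probe the LAN for a duplicate with iputils `arping -D`. It assumes `ip -4 -o addr show` output (iproute2), eth1 as the internal card (the thread does not name it), and 203.0.113.10 as a constructed stand-in for the masked public address.

```shell
#!/bin/sh
# Added example, not code from the thread: before blaming iptables, confirm
# the internal address is really configured on this host and that no other
# machine answers for it. Assumes `ip -4 -o addr show` output (iproute2),
# eth1 as the internal card (the thread does not name it) and 203.0.113.10
# as a constructed stand-in for the masked public address.

# Constructed sample: eth1 has lost 192.100.100.10, as in the thread.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0'

# Print the IPv4 addresses configured on one interface, one per line.
iface_addrs() { # $1 = ip -4 -o addr output, $2 = interface
    printf '%s\n' "$1" |
        awk -v dev="$2" '$2 == dev && $3 == "inet" { sub(/\/.*/, "", $4); print $4 }'
}

# Succeed (0) only if the address is configured on the interface.
has_addr() { # $1 = ip output, $2 = interface, $3 = address
    iface_addrs "$1" "$2" | grep -qx "$3"
}

# Duplicate address detection with iputils arping -D (needs root, sends a
# probe from 0.0.0.0): exit 0 means nothing else on the LAN answered.
check_duplicate() { # $1 = interface, $2 = address
    command -v arping >/dev/null 2>&1 || { echo "arping not installed"; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root to use arping -D"; return 2; }
    if arping -D -c 2 -I "$1" "$2" >/dev/null 2>&1; then
        echo "no other host answers for $2"
    else
        echo "another host answers for $2: check DHCP leases and static assignments"
    fi
}

if has_addr "$SAMPLE_IP_ADDR" eth1 192.100.100.10; then
    echo "eth1 holds 192.100.100.10"
else
    echo "eth1 does not hold 192.100.100.10; if ping/nmap still answer, suspect a duplicate"
    check_duplicate eth1 192.100.100.10
fi
```

On a live host replace the sample with `$(ip -4 -o addr show)`; the DHCP fix from the thread (a reservation or a static address outside the pool) is what stops the conflict recurring.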
 