Centos
MySQL on the LAN does not work when IPTables is enabled
I have two CentOS virtual machines.
The IP addresses are as follows:
- VM_1 => 10.99.0.10
- VM_2 => 10.99.0.12
Apache and PHP are on VM_1, and MySQL is on VM_2. Both have iptables rules. VM_2 works fine with its rules. Now I am testing from VM_1.
First, I disabled iptables on VM_1 and connected to MySQL on VM_2 (the connection succeeded).
    [root@foster ~]# service iptables stop
    iptables: Applying firewall rules:                         [  OK  ]
    [root@foster ~]# mysql -h 10.99.0.12 -u root -p
    Enter password:
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 16
    Server version: 5.6.21 MySQL Community Server (GPL)
    ...
Second, I enabled iptables on VM_1 and connected to MySQL on VM_2 (it does not respond, even after several hours).
    [root@foster ~]# service iptables start
    iptables: Applying firewall rules:                         [  OK  ]
    [root@foster ~]# mysql -h 10.99.0.12 -u root -p
    Enter password:
What is wrong with my iptables rules? Here are my iptables rules:
    [root@foster ~]# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
    ACCEPT     udp  --  anywhere             anywhere            udp spt:domain
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state NEW,ESTABLISHED
    ACCEPT     tcp  --  10.99.0.12           anywhere            tcp dpt:mysql state NEW,ESTABLISHED
    ACCEPT     tcp  --  localhost            anywhere            tcp dpt:mysql state NEW,ESTABLISHED
    LOGGING    all  --  anywhere             anywhere

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere

    Chain OUTPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh state ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http state ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https state ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql state ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql state ESTABLISHED

    Chain LOGGING (1 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere            limit: avg 2/min burst 5 LOG level debug prefix `IPTables Dropped -:- '
    DROP       all  --  anywhere             anywhere
The problem is that you are not allowing new connections to MySQL, and you have reversed sport and dport:
    Chain INPUT (policy DROP)
    ...
    ACCEPT     tcp  --  10.99.0.12           anywhere            tcp dpt:mysql state NEW,ESTABLISHED
    ACCEPT     tcp  --  localhost            anywhere            tcp dpt:mysql state NEW,ESTABLISHED
    ...
    Chain OUTPUT (policy DROP)
    ...
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql state ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql state ESTABLISHED
    ...
The correct iptables -L output should be:

    Chain INPUT (policy DROP)
    ...
    ACCEPT     tcp  --  10.99.0.12           anywhere            tcp spt:mysql state ESTABLISHED
    ACCEPT     tcp  --  localhost            anywhere            tcp spt:mysql state ESTABLISHED
    ...
    Chain OUTPUT (policy DROP)
    ...
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql state NEW,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql state NEW,ESTABLISHED
    ...
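As an added example (not from the question or the answer above), a small POSIX sh script that prints the two client-side rules VM_1 needs in iptables command form, narrowed to the VM_2 address, and checks iptables -S style output for both directions. It assumes the addresses from the question and that MySQL listens on TCP 3306; the rule samples it checks are constructed.

```shell
#!/bin/sh
# Added example (not from the question or the answer): a client host such as
# VM_1 must let its OUTPUT chain open connections to the MySQL port and let
# INPUT accept the established replies; the rules in the question had these
# two directions swapped. Addresses are the question's; the samples are constructed.
MYSQL_SERVER=10.99.0.12   # VM_2 (from the question)
MYSQL_PORT=3306           # shown as "mysql" in iptables -L output

# Print the two client-side rules as iptables commands (-I puts them before the
# LOGGING/DROP rule). Run them on the host with apply_mysql_client_rules.
mysql_client_rules() {
    printf '%s\n' \
      "iptables -I OUTPUT -p tcp -d $MYSQL_SERVER --dport $MYSQL_PORT -m state --state NEW,ESTABLISHED -j ACCEPT" \
      "iptables -I INPUT -p tcp -s $MYSQL_SERVER --sport $MYSQL_PORT -m state --state ESTABLISHED -j ACCEPT"
}

apply_mysql_client_rules() {
    mysql_client_rules | sh -e   # needs root on the client host
}

# Read 'iptables -S' style rules on stdin and succeed only if both client
# directions are present; print which direction is missing otherwise.
check_mysql_client_rules() {
    rules=$(cat)
    rc=0
    if ! printf '%s\n' "$rules" | grep -Eq "^-A OUTPUT .*--dport $MYSQL_PORT .*NEW"; then
        echo "missing: OUTPUT --dport $MYSQL_PORT state NEW (client cannot open the connection)"
        rc=1
    fi
    if ! printf '%s\n' "$rules" | grep -Eq "^-A INPUT .*--sport $MYSQL_PORT .*ESTABLISHED"; then
        echo "missing: INPUT --sport $MYSQL_PORT state ESTABLISHED (server replies are dropped)"
        rc=1
    fi
    return $rc
}

# Constructed: the question's MySQL rules on VM_1 in 'iptables -S' form.
WRONG_RULES='-A INPUT -s 10.99.0.12/32 -p tcp -m tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT'

# Constructed: the same two rules with the directions corrected.
FIXED_RULES='-A INPUT -s 10.99.0.12/32 -p tcp -m tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.99.0.12/32 -p tcp -m tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT'

printf '%s\n' "$WRONG_RULES" | check_mysql_client_rules || echo "(wrong rule set rejected as expected)"
printf '%s\n' "$FIXED_RULES" | check_mysql_client_rules && echo "client rules OK"
mysql_client_rules
```

On a live host, pipe `iptables -S` into check_mysql_client_rules to see which direction is missing before changing anything.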