Centos

啟用 IPTables 時 LAN 上的 MySQL 無法正常工作

  • October 23, 2014

我有兩個 Centos 虛擬機。

IP 地址如下:

  • VM_1 => 10.99.0.10
  • VM_2 => 10.99.0.12

Apache 和 PHP 在 VM_1 中,而 MySQL 在 VM_2 中。兩者都有 iptables 規則。VM_2 可以正常使用規則。現在我正在從 VM_1 進行測試。

首先,我禁用了 VM_1 iptables 並連接到 VM_2 MySQL(連接成功)。

[root@foster ~]# service iptables stop
iptables: Applying firewall rules:                         [  OK  ]
[root@foster ~]# mysql -h 10.99.0.12 -u root -p
Enter password:

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 5.6.21 MySQL Community Server (GPL)
...

其次,我啟用了 VM_1 iptables 並連接到 VM_2 MySQL(它也不會在幾個小時內響應)。

[root@foster ~]# service iptables start
iptables: Applying firewall rules:                         [  OK  ]
[root@foster ~]# mysql -h 10.99.0.12 -u root -p
Enter password:

我的 iptables 規則有什麼問題?是我的 iptables 規則:

[root@foster ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state N                                                     EW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state                                                      NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state                                                      NEW,ESTABLISHED
ACCEPT     tcp  --  10.99.0.12           anywhere            tcp dpt:mysql state                                                      NEW,ESTABLISHED
ACCEPT     tcp  --  localhost            anywhere            tcp dpt:mysql state                                                      NEW,ESTABLISHED
LOGGING    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh state E                                                     STABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http state                                                      ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https state                                                      ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql state                                                      ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql state                                                      ESTABLISHED

Chain LOGGING (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 2/min bu                                                     rst 5 LOG level debug prefix `IPTables Dropped -:- '
DROP       all  --  anywhere             anywhere

問題是您不允許建立與 MySQL 的新連接,並且您顛倒了 sport 和 dport :

Chain INPUT (policy DROP)
...
ACCEPT     tcp  --  10.99.0.12 anywhere  tcp dpt:mysql state   NEW,ESTABLISHED
ACCEPT     tcp  --  localhost  anywhere  tcp dpt:mysql state   NEW,ESTABLISHED
...

Chain OUTPUT (policy DROP)
...
ACCEPT     tcp  --  anywhere   anywhere  tcp spt:mysql state   ESTABLISHED
ACCEPT     tcp  --  anywhere   anywhere  tcp spt:mysql state   ESTABLISHED
...

正確的iptables -L輸出應該是:

Chain INPUT (policy DROP)
...
ACCEPT     tcp  --  10.99.0.12 anywhere  tcp spt:mysql state   ESTABLISHED
ACCEPT     tcp  --  localhost  anywhere  tcp spt:mysql state   ESTABLISHED
...

Chain OUTPUT (policy DROP)
...
ACCEPT     tcp  --  anywhere   anywhere  tcp dpt:mysql state   NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere   anywhere  tcp dpt:mysql state   NEW,ESTABLISHED
...

引用自:https://serverfault.com/questions/639138