Linux
Can't connect to MySQL server on '198.211.37.xx'
Over the past few days I have tried many things to fix `Can't connect to MySQL server`. I want to describe everything I have done so far.

- Created a mysql user and granted it all privileges.
- Bound 0.0.0.0 in `/etc/my.cnf`.
- Changed the IP tables as follows:

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  127.0.0.0/8          anywhere
Admin      tcp  --  anywhere             anywhere             tcp dpt:caiccipc
REJECT     tcp  --  anywhere             anywhere             tcp dpt:mysql reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:caiccipc reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssslic-mgr reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:h323hostcallsc reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:cadkey-tablet reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ufastro-instr reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5062 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ca-2 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5070 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:6060 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:8005 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:8009 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:itelserverport reject-with icmp-port-unreachable
ACCEPT     tcp  --  103.19.0.0/24        anywhere             tcp dpt:mysql state NEW,ESTABLISHED
DROP       tcp  --  103.19.0.0/24        anywhere             tcp dpt:mysql state NEW,ESTABLISHED
DROP       tcp  --  103.19.0.0/24        anywhere             tcp dpt:mysql
ACCEPT     tcp  --  103.19.0.0/24        anywhere             tcp dpt:mysql
ACCEPT     tcp  --  103.19.0.0/24        anywhere             tcp dpt:mysql state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mysql

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

- My nmap of '198.211.37.xx' shows the following:

```
PORT     STATE    SERVICE
1/tcp    filtered tcpmux
2/tcp    filtered compressnet
3/tcp    filtered compressnet
4/tcp    filtered unknown
5/tcp    filtered rje
6/tcp    filtered unknown
7/tcp    filtered echo
8/tcp    filtered unknown
9/tcp    filtered discard
10/tcp   filtered unknown
11/tcp   filtered systat
12/tcp   filtered unknown
13/tcp   filtered daytime
14/tcp   filtered unknown
15/tcp   filtered netstat
16/tcp   filtered unknown
17/tcp   filtered qotd
18/tcp   filtered msp
19/tcp   filtered chargen
21/tcp   open     ftp
22/tcp   filtered ssh
25/tcp   open     smtp
26/tcp   open     unknown
53/tcp   open     domain
80/tcp   open     http
110/tcp  open     pop3
143/tcp  open     imap
443/tcp  open     https
465/tcp  open     smtps
587/tcp  open     submission
993/tcp  open     imaps
995/tcp  open     pop3s
3306/tcp open     mysql
8080/tcp open     http-proxy
```

After doing all this, I still get `Can't connect to MySQL server on '198.211.37.xx'` in my application. I badly need expert advice on this issue.
I would personally strip out all of your iptables configuration and start over, using this file as a reference.

As good practice, I would implement a "default deny" rule and explicitly allow connections to the services you want to run (e.g. ports 22 and 3306 for SSH and MySQL respectively). Following this guide (bear in mind that your system may need different commands):

First, flush all existing rules:

```
iptables -F
iptables -X
```

Then add default policies for the INPUT, OUTPUT and FORWARD chains, and allow loopback connections - note that by default this will allow all outbound access:

```
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
```

Allow SSH (replace `<SERVER_IP>` with your server's public IP):

```
iptables -A INPUT -p tcp -s 0.0.0.0/0 -d <SERVER_IP> --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
```

Allow MySQL (replace `<OTHER_SERVER_IP>` with the IP address you want to whitelist for MySQL access - I strongly recommend you do this so that your MySQL port is not visible to the whole world). You can repeat the following for every port you want to be publicly accessible:

```
iptables -A INPUT -p tcp -s <OTHER_SERVER_IP> -d <SERVER_IP> --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
```

Finally, drop all other inbound traffic:

```
iptables -A INPUT -j DROP
```
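The reason the answer says to start from a clean ruleset is that iptables walks a chain top to bottom and the first terminating match (ACCEPT, DROP or REJECT) decides the packet; rules appended later for the same traffic never run. The listing in the question has a `REJECT ... dpt:mysql` from `anywhere` sitting above every mysql ACCEPT, so that is exactly the shadowing case. The following is an added example (not code from the question or the answer) that parses an `iptables -L` listing and simulates that first-match walk for a new connection, reporting which rule decides and which later rules are dead. The sample input is the question's INPUT chain, abridged and re-split one rule per line; the user-defined `Admin` chain is not in the listing, so the code assumes it returns without a verdict, and the small service-name table only covers the names that appear here.

```python
import ipaddress
import re

# Constructed sample input: the INPUT chain from the question, abridged to the
# rows relevant to port 3306 and re-split into one rule per line.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  127.0.0.0/8          anywhere
Admin      tcp  --  anywhere             anywhere             tcp dpt:caiccipc
REJECT     tcp  --  anywhere             anywhere             tcp dpt:mysql reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:8005 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:itelserverport reject-with icmp-port-unreachable
ACCEPT     tcp  --  103.19.0.0/24        anywhere             tcp dpt:mysql state NEW,ESTABLISHED
DROP       tcp  --  103.19.0.0/24        anywhere             tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mysql
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
# Names that `iptables -L` prints instead of numbers (from /etc/services).
SERVICE_PORTS = {"mysql": 3306, "ssh": 22, "http": 80, "https": 443}


def _net(token):
    """'anywhere' in the listing means 0.0.0.0/0."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "anywhere" else token, strict=False)


def _port(token):
    """Numeric ports become ints, known names are mapped, unknown names stay
    strings so they never compare equal to a numeric query port."""
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token, token)


def parse_listing(text, chain="INPUT"):
    """Return (policy, rules) for one chain of an `iptables -L` listing."""
    policy, rules, in_chain = None, [], False
    for line in text.splitlines():
        header = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if header:
            in_chain = header.group(1) == chain
            if in_chain:
                policy = header.group(2)
            continue
        if not in_chain or not line.strip() or line.startswith("target"):
            continue
        fields = line.split()
        target, prot, _opt, src, dst = fields[:5]
        extras = fields[5:]
        rule = {"target": target, "prot": prot, "src": _net(src), "dst": _net(dst),
                "dport": None, "states": None, "text": line.strip()}
        for tok in extras:
            if tok.startswith("dpt:"):
                rule["dport"] = _port(tok[4:])
        if "state" in extras:
            rule["states"] = set(extras[extras.index("state") + 1].split(","))
        rules.append(rule)
    return policy, rules


def matches(rule, proto, src_ip, dport, state="NEW"):
    """Does the rule's match part apply to a packet with these attributes?"""
    if rule["prot"] not in (proto, "all"):
        return False
    if ipaddress.ip_address(src_ip) not in rule["src"]:
        return False
    if rule["dport"] is not None and rule["dport"] != dport:
        return False
    if rule["states"] is not None and state not in rule["states"]:
        return False
    return True


def evaluate(policy, rules, proto, src_ip, dport):
    """First-match walk for a NEW connection: returns (verdict, index of the
    deciding rule or None, indexes of later matching terminating rules that
    can never fire for this traffic)."""
    decided, shadowed = None, []
    for i, rule in enumerate(rules):
        if not matches(rule, proto, src_ip, dport):
            continue
        if rule["target"] not in TERMINATING:
            # Jump to a user-defined chain (e.g. "Admin") not in the listing;
            # assumption: it returns without a verdict, so the walk continues.
            continue
        if decided is None:
            decided = i
        else:
            shadowed.append(i)
    verdict = rules[decided]["target"] if decided is not None else policy
    return verdict, decided, shadowed


def report(text, proto, src_ip, dport, chain="INPUT"):
    """Explain one probe as a list of lines."""
    policy, rules = parse_listing(text, chain)
    verdict, decided, shadowed = evaluate(policy, rules, proto, src_ip, dport)
    lines = [f"{proto} from {src_ip} to port {dport}: {verdict}"]
    if decided is None:
        lines.append(f"  no rule matched; chain policy {policy} applies")
    else:
        lines.append(f"  decided by rule #{decided}: {rules[decided]['text']}")
    lines += [f"  shadowed rule #{i} never fires: {rules[i]['text']}" for i in shadowed]
    return lines


if __name__ == "__main__":
    for probe in (("tcp", "103.19.0.5", 3306), ("tcp", "127.0.0.1", 3306), ("tcp", "203.0.113.9", 22)):
        print("\n".join(report(SAMPLE_LISTING, *probe)))
```

Run against the sample, a new connection to 3306 from the whitelisted 103.19.0.0/24 range is REJECTed by rule #2 and all three later mysql rules are reported as shadowed, which is why adding more ACCEPT lines at the bottom did not help; only loopback clients get through, via the first rule. The same walk applied to the answer's ruleset shows the intended order: loopback and the whitelisted source match their ACCEPT rules before the final `DROP` catches everything else.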