Linux

Can't connect to MySQL server on '198.211.37.xx'

  • April 27, 2015

Over the past few days I have tried many things to resolve Can't connect to MySQL server. I would like to describe everything I have done so far.

  1. Created a mysql user and granted all privileges.
  2. Bound 0.0.0.0 in /etc/my.cnf.
  3. Changed the IP tables as follows:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  127.0.0.0/8          anywhere
Admin      tcp  --  anywhere             anywhere            tcp dpt:caiccipc
REJECT     tcp  --  anywhere             anywhere            tcp dpt:mysql reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp dpt:caiccipc reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp dpt:ssslic-mgr reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp dpt:h323hostcallsc reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp dpt:cadkey-tablet reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp dpt:ufastro-instr reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp dpt:5062 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp dpt:ca-2 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp dpt:5070 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp dpt:6060 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp dpt:8005 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp dpt:8009 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp dpt:itelserverport reject-with icmp-port-unreachable
ACCEPT     tcp  --  103.19.0.0/24        anywhere            tcp dpt:mysql state NEW,ESTABLISHED
DROP       tcp  --  103.19.0.0/24        anywhere            tcp dpt:mysql state NEW,ESTABLISHED
DROP       tcp  --  103.19.0.0/24        anywhere            tcp dpt:mysql
ACCEPT     tcp  --  103.19.0.0/24        anywhere            tcp dpt:mysql
ACCEPT     tcp  --  103.19.0.0/24        anywhere            tcp dpt:mysql state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
  4. My nmap of '198.211.37.xx' shows the following:
PORT     STATE    SERVICE
1/tcp    filtered tcpmux
2/tcp    filtered compressnet
3/tcp    filtered compressnet
4/tcp    filtered unknown
5/tcp    filtered rje
6/tcp    filtered unknown
7/tcp    filtered echo
8/tcp    filtered unknown
9/tcp    filtered discard
10/tcp   filtered unknown
11/tcp   filtered systat
12/tcp   filtered unknown
13/tcp   filtered daytime
14/tcp   filtered unknown
15/tcp   filtered netstat
16/tcp   filtered unknown
17/tcp   filtered qotd
18/tcp   filtered msp
19/tcp   filtered chargen
21/tcp   open     ftp
22/tcp   filtered ssh
25/tcp   open     smtp
26/tcp   open     unknown
53/tcp   open     domain
80/tcp   open     http
110/tcp  open     pop3
143/tcp  open     imap
443/tcp  open     https
465/tcp  open     smtps
587/tcp  open     submission
993/tcp  open     imaps
995/tcp  open     pop3s
3306/tcp open     mysql
8080/tcp open     http-proxy

After doing all this, I still get Can't connect to MySQL server on '198.211.37.xx' in my application.

I badly need expert advice on this problem.

I would personally strip out all of your iptables configuration and start again, using this document as a reference.

As good practice, I would implement a "default deny" rule and explicitly allow connections for the services you want to run (e.g. ports 22 and 3306 for SSH and MySQL respectively). Following this guide (bearing in mind that the commands may need changing for your system):

First, flush all existing rules:

iptables -F
iptables -X

Then, add default policies for the INPUT, OUTPUT and FORWARD chains and allow loopback connections - note that by default this will allow all outbound access:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT

Allow SSH (replace <SERVER_IP> with your server's public IP):

iptables -A INPUT -p tcp -s 0.0.0.0/0 -d <SERVER_IP> --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

Allow MySQL (replace <OTHER_SERVER_IP> with the IP address you want to whitelist for MySQL access - I strongly recommend doing this so that your MySQL port is not visible to the whole world). You can repeat the following for every port you want to be publicly reachable:

iptables -A INPUT -p tcp -s <OTHER_SERVER_IP> -d <SERVER_IP> --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT

Finally, drop all other inbound traffic:

iptables -A INPUT -j DROP

Quoted from: https://serverfault.com/questions/685868
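As an added example (not code from the question or the answer), a small Python script that walks an `iptables -L` listing with iptables' first-match semantics and reports which INPUT rule a packet hits first. Run over a constructed excerpt of the listing in the question, it shows why the ACCEPT rules near the bottom of that chain never take effect: the blanket REJECT for dpt:mysql above them matches first, which is exactly the kind of ordering tangle that the answer's flush-and-rebuild procedure avoids. The listing excerpt, the client address 103.19.0.7 and the helper names are all assumptions for this example.

```python
# Walk an `iptables -L` listing in order and report which INPUT rule a packet
# hits first: iptables stops at the first match, so a REJECT placed above an
# ACCEPT for the same port wins and the ACCEPT is dead.
import ipaddress
import re
from collections import namedtuple

# Constructed excerpt of the INPUT chain shown in the question.
LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  127.0.0.0/8          anywhere
REJECT     tcp  --  anywhere             anywhere            tcp dpt:mysql reject-with icmp-port-unreachable
ACCEPT     tcp  --  103.19.0.0/24        anywhere            tcp dpt:mysql state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql
"""

# dport is the service name or number after "dpt:", or None if the rule has none.
Rule = namedtuple("Rule", "target proto source dport")
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+--\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_chain(listing, chain="INPUT"):
    """Return the rules of one chain in listing order; header lines do not match RULE_RE."""
    rules, in_chain = [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        m = RULE_RE.match(line) if in_chain else None
        if m:
            target, proto, src, _dst, extra = m.groups()
            dm = re.search(r"dpt:(\S+)", extra)
            rules.append(Rule(target, proto, src, dm.group(1) if dm else None))
    return rules

def first_match(rules, proto, src_ip, dport):
    """(1-based index, rule) of the first matching rule, or None if the packet falls
    through to the chain policy; a jump to a user chain is reported, not followed."""
    for idx, r in enumerate(rules, start=1):
        if r.proto not in ("all", proto):
            continue
        if r.source != "anywhere" and ipaddress.ip_address(src_ip) \
                not in ipaddress.ip_network(r.source, strict=False):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return idx, r
    return None

if __name__ == "__main__":
    # A 103.19.0.0/24 client hits rule 2 (REJECT); the ACCEPTs below it never see the packet.
    print(first_match(parse_chain(LISTING), "tcp", "103.19.0.7", "mysql"))
```

The same walk over the answer's rebuilt chain (loopback, SSH, whitelisted MySQL, then a final DROP) finds exactly one candidate rule per whitelisted port, which is the property a default-deny ruleset should have.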