MySQL on the LAN does not work when iptables is enabled

I have two CentOS VMs.

Their IP addresses are as follows:

  • VM_1 => 10.99.0.10
  • VM_2 => 10.99.0.12

Apache and PHP are on VM_1, and MySQL is on VM_2. Both have iptables rules. VM_2 works fine. Now I am testing from VM_1.

First, I disabled the VM_1 iptables and connected to the MySQL on VM_2 (the connection succeeded).

    [root@foster ~]# service iptables stop
    iptables: Applying firewall rules:                         [  OK  ]
    [root@foster ~]# mysql -h 10.99.0.12 -u root -p
    Enter password:
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 16
    Server version: 5.6.21 MySQL Community Server (GPL)
    ...

Second, I enabled the VM_1 iptables and connected to the MySQL on VM_2 (it never responds, even after several hours).

    [root@foster ~]# service iptables start
    iptables: Applying firewall rules:                         [  OK  ]
    [root@foster ~]# mysql -h 10.99.0.12 -u root -p
    Enter password:

What is wrong with my iptables rules? Here they are:

    [root@foster ~]# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
    ACCEPT     udp  --  anywhere             anywhere            udp spt:domain
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state NEW,ESTABLISHED
    ACCEPT     tcp  --  10.99.0.12           anywhere            tcp dpt:mysql state NEW,ESTABLISHED
    ACCEPT     tcp  --  localhost            anywhere            tcp dpt:mysql state NEW,ESTABLISHED
    LOGGING    all  --  anywhere             anywhere

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere

    Chain OUTPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh state ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http state ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https state ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql state ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql state ESTABLISHED

    Chain LOGGING (1 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere            limit: avg 2/min burst 5 LOG level debug prefix `IPTables Dropped -:- '
    DROP       all  --  anywhere             anywhere

The problem is that you do not allow new connections to MySQL to be established; you have sport and dport swapped:

    Chain INPUT (policy DROP)
    ...
    ACCEPT     tcp  --  10.99.0.12           anywhere            tcp dpt:mysql state NEW,ESTABLISHED
    ACCEPT     tcp  --  localhost            anywhere            tcp dpt:mysql state NEW,ESTABLISHED
    ...
    Chain OUTPUT (policy DROP)
    ...
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql state ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql state ESTABLISHED
    ...

The correct iptables -L output should be:

    Chain INPUT (policy DROP)
    ...
    ACCEPT     tcp  --  10.99.0.12           anywhere            tcp spt:mysql state ESTABLISHED
    ACCEPT     tcp  --  localhost            anywhere            tcp spt:mysql state ESTABLISHED
    ...
    Chain OUTPUT (policy DROP)
    ...
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql state NEW,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql state NEW,ESTABLISHED
    ...
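The direction mistake in the answer above is easy to make on any host that is a client of a remote service, so here is an added example (not code from the question or the answer) that parses an `iptables -L` dump and flags it: on a MySQL client, requests leave via OUTPUT with dpt:mysql and a NEW state, and replies arrive via INPUT with spt:mysql in the ESTABLISHED state. The two dumps embedded in the block are constructed from the INPUT and OUTPUT chains shown in the thread; the `client_rule_commands` helper, the server address 10.99.0.12 and the use of the numeric port 3306 in place of the service name are my assumptions.

```python
"""Audit an `iptables -L` dump for the client-side sport/dport mix-up.

On a host that is a *client* of a service, the correct shape is:
  OUTPUT: ACCEPT tcp dpt:<service> state NEW,ESTABLISHED   (our requests)
  INPUT : ACCEPT tcp spt:<service> state ESTABLISHED       (server replies)
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    chain: str
    target: str
    proto: str
    source: str
    dest: str
    extra: str  # text after the destination column, e.g. "tcp dpt:mysql state NEW,ESTABLISHED"


def parse_iptables_l(text: str) -> list:
    """Parse the plain-text output of `iptables -L` into Rule objects."""
    rules, chain = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"^Chain (\S+) \(", line)
        if header:                      # "Chain INPUT (policy DROP)"
            chain = header.group(1)
            continue
        if line.startswith("target "):  # column header row
            continue
        parts = line.split(None, 5)
        if chain is None or len(parts) < 5:
            continue
        target, proto, _opt, src, dst = parts[:5]
        extra = parts[5] if len(parts) == 6 else ""
        rules.append(Rule(chain, target, proto, src, dst, extra))
    return rules


def audit_client_rules(rules, service: str = "mysql") -> list:
    """Return findings for a host that is a client (not a server) of `service`."""
    findings = []
    has_reply_rule = has_request_rule = False
    for r in rules:
        if r.target != "ACCEPT":
            continue
        if r.chain == "INPUT" and f"dpt:{service}" in r.extra:
            findings.append(f"INPUT accepts dpt:{service} from {r.source}: this only admits "
                            f"connections TO a local {service} server, not replies to a client")
        if r.chain == "OUTPUT" and f"spt:{service}" in r.extra:
            findings.append(f"OUTPUT accepts spt:{service}: outgoing client packets carry an "
                            f"ephemeral source port and dpt:{service}, so this never matches")
        if r.chain == "INPUT" and f"spt:{service}" in r.extra and "ESTABLISHED" in r.extra:
            has_reply_rule = True
        if r.chain == "OUTPUT" and f"dpt:{service}" in r.extra and "NEW" in r.extra:
            has_request_rule = True
    if not has_request_rule:
        findings.append(f"missing OUTPUT rule: ACCEPT tcp dpt:{service} state NEW,ESTABLISHED")
    if not has_reply_rule:
        findings.append(f"missing INPUT rule: ACCEPT tcp spt:{service} state ESTABLISHED")
    return findings


def client_rule_commands(server_ip: str = "10.99.0.12", port: int = 3306) -> list:
    """The corrected client-side rules as iptables commands (assumed helper; 3306 = mysql)."""
    return [
        f"iptables -A OUTPUT -p tcp -d {server_ip} --dport {port} -m state --state NEW,ESTABLISHED -j ACCEPT",
        f"iptables -A INPUT  -p tcp -s {server_ip} --sport {port} -m state --state ESTABLISHED -j ACCEPT",
    ]


# Constructed from the INPUT/OUTPUT chains quoted in the thread (the broken state).
BROKEN_DUMP = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  10.99.0.12           anywhere            tcp dpt:mysql state NEW,ESTABLISHED
ACCEPT     tcp  --  localhost            anywhere            tcp dpt:mysql state NEW,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql state ESTABLISHED
"""

# Constructed from the answer's corrected chains.
FIXED_DUMP = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  10.99.0.12           anywhere            tcp spt:mysql state ESTABLISHED
ACCEPT     tcp  --  localhost            anywhere            tcp spt:mysql state ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql state NEW,ESTABLISHED
"""

if __name__ == "__main__":
    for name, dump in (("broken", BROKEN_DUMP), ("fixed", FIXED_DUMP)):
        print(f"== {name} ==")
        for f in audit_client_rules(parse_iptables_l(dump)) or ["no findings"]:
            print("  -", f)
    print("\n".join(client_rule_commands()))
```

Run it against a real dump with `iptables -L | python3 audit.py` after swapping the embedded sample for `sys.stdin.read()`; the audit only looks at ACCEPT rules, so the LOGGING and DROP lines in the original output are ignored. Note that the `-d`/`-s` restriction to the server address in `client_rule_commands` is tighter than the answer's `anywhere` OUTPUT rule; it keeps the client from opening MySQL connections to arbitrary hosts.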