I am trying to get my MySQL server (running on Ubuntu) to listen on ports 3306 and 110, because I want to access it from a network where very few ports are open.
So far I found this answer, which tells me to do
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 110 -j REDIRECT --to-port 3306
but what I get is:
# mysql -h mydomain.com -P 3306 -u username --password=xyz
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 68863
Server version: 5.0.75-0ubuntu10.5 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> exit
Bye
# mysql -h mydomain.com -P 110 -u username --password=xyz
ERROR 2003 (HY000): Can't connect to MySQL server on 'mydomain.com' (111)
I am not an iptables expert, so I do not know where to look for the problem. I have been searching Google for a long time but have not found anything that helps me.
This is what iptables tells me:
# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 32M packets, 1674M bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 redir ports 3306
Chain POSTROUTING (policy ACCEPT 855K packets, 55M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 837K packets, 54M bytes)
pkts bytes target prot opt in out source destination
# iptables -L -n -v
Chain INPUT (policy DROP 7 packets, 340 bytes)
pkts bytes target prot opt in out source destination
107K 5390K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `INPUT INVALID '
131K 6614K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 MY_DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 MY_DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 MY_DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 MY_DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
0 0 MY_DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
0 0 MY_DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
0 0 MY_DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
6948K 12G ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
151M 34G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
32M 1666M ACCEPT tcp -- venet0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
1833 106K ACCEPT tcp -- venet0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
603 29392 ACCEPT tcp -- venet0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
1 60 ACCEPT tcp -- venet0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465
24 1180 ACCEPT tcp -- venet0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
1 60 ACCEPT tcp -- venet0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995
7919 400K ACCEPT tcp -- venet0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:143
1 60 ACCEPT tcp -- venet0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:993
0 0 ACCEPT tcp -- venet0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:119
1 60 ACCEPT tcp -- venet0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
7 517 ACCEPT udp -- venet0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
1110 65364 ACCEPT tcp -- venet0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
139K 8313K ACCEPT tcp -- venet0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
10176 499K ACCEPT tcp -- venet0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306
2 80 ACCEPT udp -- venet0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:123
0 0 ACCEPT tcp -- venet0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:6060
4 176 ACCEPT tcp -- venet0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:6667
20987 1179K MY_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2159 284K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `OUTPUT INVALID '
2630 304K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
6948K 12G ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
181M 34G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 MY_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain MY_DROP (7 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `PORTSCAN DROP '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain MY_REJECT (2 references)
pkts bytes target prot opt in out source destination
13806 652K LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `REJECT TCP '
18171 830K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
912 242K LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `REJECT UDP '
912 242K REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
1904 107K LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `DROP ICMP '
1904 107K DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `REJECT OTHER '
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
Can anyone give me a hint on where to look for the problem?
Thank you!
Answer 1
The server mydomain.com only accepts inbound TCP connections on port 110 from interface venet0. Since your iptables NAT rule only applies to traffic coming in on interface eth0, either:
- the traffic comes in on interface venet0 and you picked the wrong interface for the NAT rule, or
- the traffic comes in on interface eth0 and therefore never reaches the NAT rule, because iptables blocks it.
If you can tell us more about the interface setup on mydomain.com (ifconfig -a, perhaps), it should be possible to say which of these is the case.
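To check the interface mismatch the answer describes, here is an added diagnostic script (not part of the question or the answer). It parses `iptables -L -n -v` style listings and compares the inbound interface of the nat PREROUTING REDIRECT rule for a port with the interface the filter INPUT chain accepts that port on; the two listings embedded below are constructed from the counters shown in the question.

```shell
#!/bin/sh
# Added example. NAT_SAMPLE and FILTER_SAMPLE are constructed copies of the
# relevant lines from the question; on a real host feed in the output of
# `iptables -t nat -L PREROUTING -n -v` and `iptables -L INPUT -n -v` instead.

NAT_SAMPLE='Chain PREROUTING (policy ACCEPT 32M packets, 1674M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 redir ports 3306'

FILTER_SAMPLE='Chain INPUT (policy DROP 7 packets, 340 bytes)
 pkts bytes target     prot opt in     out     source               destination
   24  1180 ACCEPT     tcp  --  venet0 *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:110
10176  499K ACCEPT     tcp  --  venet0 *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3306'

# Print "pkts in-interface" for the first rule whose target is $2 and which
# matches "tcp dpt:$3". Column layout of `iptables -L -n -v`:
# $1 pkts, $2 bytes, $3 target, $4 prot, $5 opt, $6 in, $7 out.
rule_for_port() {  # $1 = listing text, $2 = target, $3 = port
    printf '%s\n' "$1" | awk -v tgt="$2" -v pat="tcp dpt:$3( |$)" \
        '$3 == tgt && $0 ~ pat { print $1, $6; exit }'
}

redirect_iface() { rule_for_port "$NAT_SAMPLE"    REDIRECT "$1" | awk '{print $2}'; }
redirect_pkts()  { rule_for_port "$NAT_SAMPLE"    REDIRECT "$1" | awk '{print $1}'; }
accept_iface()   { rule_for_port "$FILTER_SAMPLE" ACCEPT   "$1" | awk '{print $2}'; }

# Returns 0 when the REDIRECT rule and the INPUT ACCEPT rule for the port name
# the same inbound interface, 1 when they differ (the situation in the question).
check_port() {
    r=$(redirect_iface "$1"); a=$(accept_iface "$1"); n=$(redirect_pkts "$1")
    printf 'port %s: REDIRECT on %s (%s packets matched), INPUT ACCEPT on %s\n' \
        "$1" "${r:-none}" "${n:-0}" "${a:-none}"
    [ -n "$r" ] && [ "$r" = "$a" ]
}

# A 0 packet count on the REDIRECT rule while the INPUT rule for the same port
# is counting packets on another interface points at the wrong -i argument.
check_port 110 || echo "interface mismatch: re-test the REDIRECT rule with -i $(accept_iface 110)"
```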