My table rules:
sudo iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:http
2 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
3 ACCEPT icmp -- anywhere anywhere
4 ACCEPT all -- anywhere anywhere
5 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
6 ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
7 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Additional information (verbose listing):
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1083K 263M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
3942M 4886G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
734 42672 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
864 62326 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
138 8568 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
151 20254 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 778 packets, 161K bytes)
pkts bytes target prot opt in out source destination
By removing rule 7 from the INPUT chain, I was able to access the server remotely. My understanding is that none of the rules before rule 7 are affected by it, so for the MySQL connection, rule 6 should take precedence over it.
Should I add or modify any other rules?
Answer 1
Your iptables rules allow incoming connections to port 3306, but only on the eth0 interface. You are probably trying to connect from a different interface.
To fix this, replace the rule with one that allows the traffic you need. For example, to allow the traffic from all interfaces:
iptables -R INPUT 6 -m state --state NEW -p tcp --dport 3306 -j ACCEPT
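The following is an added example, not part of the question or the answer above: a small Python model of iptables first-match evaluation for the INPUT chain listed in the question. It shows why a NEW connection to tcp/3306 arriving on any interface other than eth0 skips rule 6 and falls through to rule 7 (REJECT), why the answer's replacement rule (no interface match) fixes that, and why simply deleting rule 7 "worked" only because the chain policy is ACCEPT, which lets every unmatched packet in. The `src_net` field and the 203.0.113.0/24 subnet are assumptions added for illustration (a source-restricted variant a defender might prefer); the sample addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    in_iface: str                 # interface the packet arrived on, e.g. "eth0"
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port, None for icmp
    state: str = "NEW"            # conntrack state: NEW, ESTABLISHED, RELATED
    src: str = "203.0.113.10"     # constructed sample source address (TEST-NET-3)


@dataclass
class Rule:
    target: str                        # ACCEPT or REJECT
    proto: str = "all"                 # "all" matches any protocol
    in_iface: str = "*"                # "*" matches any input interface (-i absent)
    dport: Optional[int] = None        # --dport, None if not given
    states: Optional[Set[str]] = None  # -m state --state ..., None if not used
    src_net: Optional[str] = None      # -s <cidr>; assumed variant, not on the page

    def matches(self, pkt: Packet) -> bool:
        """Every match criterion present on the rule must hold, as in iptables."""
        if self.in_iface != "*" and self.in_iface != pkt.in_iface:
            return False
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        if self.src_net is not None and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[Optional[int], str]:
    """Walk the chain top to bottom; the first matching rule decides.
    Returns (rule number, verdict); if nothing matches, the chain policy applies
    and the rule number is None."""
    for num, rule in enumerate(chain, start=1):
        if rule.matches(pkt):
            return num, rule.target
    return None, policy


# The INPUT chain exactly as listed in the question (rule 6 is limited to eth0).
INPUT_ORIGINAL: List[Rule] = [
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
    Rule("ACCEPT", proto="icmp"),
    Rule("ACCEPT", in_iface="lo"),
    Rule("ACCEPT", proto="tcp", dport=22, states={"NEW"}),
    Rule("ACCEPT", proto="tcp", dport=3306, in_iface="eth0"),
    Rule("REJECT"),
]


def with_rule6_replaced(chain: List[Rule], new_rule: Rule) -> List[Rule]:
    """Model of `iptables -R INPUT 6 ...`: same chain with rule 6 swapped out."""
    fixed = list(chain)
    fixed[5] = new_rule
    return fixed


# The answer's fix: NEW connections to tcp/3306 from any interface.
INPUT_FIXED = with_rule6_replaced(
    INPUT_ORIGINAL, Rule("ACCEPT", proto="tcp", dport=3306, states={"NEW"}))

# Tighter variant (assumption, not from the page): only from one trusted subnet.
INPUT_RESTRICTED = with_rule6_replaced(
    INPUT_ORIGINAL,
    Rule("ACCEPT", proto="tcp", dport=3306, states={"NEW"}, src_net="203.0.113.0/24"))

# What the questioner did: delete rule 7, leaving only the ACCEPT policy behind it.
INPUT_NO_REJECT = INPUT_ORIGINAL[:6]


def mysql_verdict(chain: List[Rule], iface: str, src: str = "203.0.113.10") -> Tuple[Optional[int], str]:
    """Verdict for a NEW TCP connection to port 3306 arriving on `iface` from `src`."""
    return evaluate(chain, Packet(iface, "tcp", 3306, "NEW", src))


if __name__ == "__main__":
    for name, chain in [("original", INPUT_ORIGINAL), ("fixed", INPUT_FIXED),
                        ("restricted", INPUT_RESTRICTED), ("rule 7 deleted", INPUT_NO_REJECT)]:
        print(f"{name:15} eth0 -> {mysql_verdict(chain, 'eth0')}  eth1 -> {mysql_verdict(chain, 'eth1')}")
    # With rule 7 deleted, even an unrelated port is accepted by the chain policy.
    print("rule 7 deleted, tcp/5432 on eth1 ->", evaluate(INPUT_NO_REJECT, Packet("eth1", "tcp", 5432)))
```

The last two lines of the `__main__` block make the defender's point: deleting the final REJECT does not "fix" rule 6, it removes the only rule that turns the permissive ACCEPT policy into a deny-by-default chain, so every port not explicitly listed becomes reachable. Replacing rule 6 (as the answer does) keeps rule 7 in place; the `src_net` variant shows how the same replacement can be narrowed to a known client network rather than all interfaces.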