IPTables 阻止远程连接到 MySQL

My iptables rules:

sudo iptables -L --line-numbers

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
2    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
3    ACCEPT     icmp --  anywhere             anywhere
4    ACCEPT     all  --  anywhere             anywhere
5    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
6    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql
7    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Additional information (`sudo iptables -L -v -n`):

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1083K  263M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
3942M 4886G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  734 42672 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  864 62326 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  138  8568 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
  151 20254 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 778 packets, 161K bytes)
 pkts bytes target     prot opt in     out     source               destination

By removing rule 7 from the INPUT chain I am able to reach the server remotely. My understanding is that any rule before rule 7 is not affected by it, so for MySQL connections rule 6 should take precedence over it.

Should I add or modify any other rules?

Answer 1

Your iptables rule allows incoming connections to port 3306, but only on the eth0 interface. You are probably trying to connect through a different interface.

To fix this, replace the rule with one that allows the traffic you need. For example, to allow it on all interfaces:

iptables -R INPUT 6 -m state --state NEW -p tcp --dport 3306 -j ACCEPT
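The mismatch between the two listings above is the whole problem: plain `iptables -L` omits the `in`/`out` columns, so the `-i eth0` rule reads as "anywhere" in the first listing and only the verbose `-v -n` listing reveals the interface binding. The following POSIX shell script is an added example, not part of the original question or answer; it parses a verbose INPUT listing (a constructed copy of the one in the question) and reports which rules carry an interface restriction, and whether the ACCEPT rule for a given port applies to a given interface. The function names and the sample listing are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original Q&A): audit an `iptables -L INPUT -v -n`
# listing for rules that are bound to one input interface, which plain
# `iptables -L` hides. The listing below is constructed to mirror the
# question's INPUT chain; feed real output into the functions instead.

SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1083K  263M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
3942M 4886G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  734 42672 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  864 62326 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  138  8568 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
  151 20254 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Field layout of one rule line in `iptables -L -v -n` output (whitespace separated):
#   $1 pkts  $2 bytes  $3 target  $4 prot  $5 opt  $6 in  $7 out
#   $8 source  $9 destination  $10.. match text (e.g. "tcp dpt:3306")

# accept_iface_for_dport LISTING PORT
# Prints the input interface ("*" means any) of the first ACCEPT rule whose
# match text contains "dpt:PORT"; prints nothing if there is no such rule.
accept_iface_for_dport() {
    printf '%s\n' "$1" | awk -v want="dpt:$2" '
        $3 == "ACCEPT" {
            for (i = 10; i <= NF; i++) if ($i == want) { print $6; exit }
        }'
}

# interface_bound_rules LISTING
# Prints one line per rule whose "in" column is not "*": target, interface and
# match text. These are exactly the rules that `iptables -L` misrepresents as
# applying to "anywhere".
interface_bound_rules() {
    printf '%s\n' "$1" | awk '
        $3 ~ /^(ACCEPT|DROP|REJECT|RETURN)$/ && $6 != "*" {
            printf "%s on %s", $3, $6
            for (i = 10; i <= NF; i++) printf " %s", $i
            printf "\n"
        }'
}

# port_open_on_iface LISTING PORT IFACE
# Exit status 0 if the ACCEPT rule for PORT applies to packets arriving on
# IFACE (bound to IFACE or to any interface), 1 otherwise (including no rule).
port_open_on_iface() {
    iface=$(accept_iface_for_dport "$1" "$2")
    [ "$iface" = "*" ] || [ "$iface" = "$3" ]
}

# Stand-alone run against the constructed listing. For a live host use:
#   interface_bound_rules "$(sudo iptables -L INPUT -v -n)"
echo "Rules bound to a single input interface:"
interface_bound_rules "$SAMPLE_LISTING"
if port_open_on_iface "$SAMPLE_LISTING" 3306 eth1; then
    echo "port 3306 is accepted on eth1"
else
    echo "port 3306 is NOT accepted on eth1 (ACCEPT rule is bound to: $(accept_iface_for_dport "$SAMPLE_LISTING" 3306))"
fi
```

On the question's chain this reports the loopback rule and the `eth0`-bound 3306 rule, and shows that a client arriving on any other interface never reaches rule 6 and falls through to the REJECT in rule 7. When replacing the rule as the answer suggests, note that dropping `-i eth0` opens 3306 on every interface; if only one client host needs the database, a source restriction (`-s <client-ip>/32`, with the address being an assumption to fill in) keeps the exposure as narrow as the original rule intended.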
