I want to access a MySQL database remotely, but when I check on yougetsignal(dot)com I get a message saying port 3306 is closed.
Setup: fresh server (CentOS 6.4 64-bit with Zpanel installed)
Steps taken:
Removed bind-address from my.cnf
Tried adding bind-address set to the server IP
Edited IPTABLES to keep the port open.
Forwarded the port from the router
Added port=3306 in /etc/my.cnf
Stopped IPTABLES
Restarted mysqld after every change
Restarted IPTABLES after the changes
Nothing has worked so far.
iptables:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Diagnostics: netstat output:
# netstat -na | grep 3306
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
netstat output (netstat -lnp | grep mysql):
# netstat -lnp | grep mysql
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 6684/mysqld
unix 2 [ ACC ] STREAM LISTENING 33101 6684/mysqld /var/lib/mysql/mysql.sock
iptables -L output:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:mysql
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I can run nc against the server via localhost/an SSH connection, but not from a remote system.
Answer 1
The traffic is probably being filtered.
Since you gave your domain name (assuming here that 141.101.117.86 is accurate, although there are two A records with two different addresses)..
Tracerouting to port 80, we can show that the port is open.
$ sudo traceroute -T -O info 141.101.117.86 -p 80
traceroute to 141.101.117.86 (141.101.117.86), 30 hops max, 60 byte packets
1 192.168.1.1 (192.168.1.1) 0.332 ms 0.460 ms 0.574 ms
2 host-92-25-242-1.as13285.net (92.25.242.1) 13.745 ms 13.807 ms 13.902 ms
3 host-78-151-225-189.static.as13285.net (78.151.225.189) 15.058 ms 15.086 ms 15.118 ms
4 host-78-151-225-196.static.as13285.net (78.151.225.196) 16.120 ms host-78-151-225-232.static.as13285.net (78.151.225.232) 15.748 ms host-78-151-225-184.static.as13285.net (78.151.225.184) 16.069 ms
5 host-78-144-11-115.as13285.net (78.144.11.115) 16.630 ms 16.579 ms host-78-144-11-109.as13285.net (78.144.11.109) 16.798 ms
6 195.66.225.179 (195.66.225.179) 16.728 ms 14.735 ms 14.707 ms
7 141.101.117.86 (141.101.117.86) <syn,ack> 14.713 ms 14.907 ms 14.887 ms
If we try 3306...
$ sudo traceroute -T -O info 141.101.117.86 -p 3306
traceroute to 141.101.117.86 (141.101.117.86), 30 hops max, 60 byte packets
1 192.168.1.1 (192.168.1.1) 0.343 ms 0.444 ms 0.624 ms
2 host-92-25-242-1.as13285.net (92.25.242.1) 13.225 ms 13.226 ms 13.233 ms
3 host-78-151-225-189.static.as13285.net (78.151.225.189) 14.736 ms 15.352 ms 15.347 ms
4 host-78-151-225-220.static.as13285.net (78.151.225.220) 15.492 ms host-78-151-228-37.as13285.net (78.151.228.37) 15.441 ms host-78-151-225-232.static.as13285.net (78.151.225.232) 15.350 ms
5 host-78-144-11-95.as13285.net (78.144.11.95) 16.140 ms host-78-144-11-119.as13285.net (78.144.11.119) 16.551 ms host-78-144-11-95.as13285.net (78.144.11.95) 16.463 ms
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
...
The traffic stops at this host: 195.66.225.179
This is probably a firewall blocking the traffic.
Answer 2
So, here are traceroutes to the real IP address given; note the route seems to change frequently, but these two examples appear to take a similar path.
Port 80
traceroute to 103.231.8.238 (103.231.8.238), 30 hops max, 60 byte packets
1 192.168.1.1 0.290 ms 0.435 ms 0.520 ms
2 92.25.242.1 13.350 ms 13.348 ms 13.343 ms
3 78.151.225.189 15.084 ms 15.086 ms 15.099 ms
4 78.151.225.200 15.236 ms 15.873 ms 78.151.225.184 15.907 ms
5 78.144.11.123 16.353 ms 78.144.11.121 16.227 ms 78.144.11.135 16.243 ms
6 195.66.224.209 18.715 ms 78.144.11.2 16.502 ms 78.144.10.252 16.443 ms
7 206.126.236.88 96.076 ms 93.854 ms 145.253.33.238 14.138 ms
8 182.19.105.75 132.438 ms 182.19.105.73 131.902 ms 131.863 ms
9 * * *
10 103.1.112.13 140.948 ms 182.19.115.224 278.477 ms 278.436 ms
11 103.13.96.170 154.360 ms 153.584 ms 182.19.115.226 275.564 ms
12 103.241.180.132 137.192 ms 138.187 ms 182.19.115.100 276.826 ms
13 103.231.8.238 138.987 ms 138.867 ms 140.010 ms
And port 3306:
1 192.168.1.1 0.380 ms 0.468 ms 0.574 ms
2 92.25.242.1 13.358 ms 13.366 ms 13.399 ms
3 78.151.225.189 14.904 ms 14.904 ms 14.931 ms
4 78.151.225.156 15.081 ms 15.676 ms 78.151.225.188 32.598 ms
5 78.144.11.111 16.741 ms 78.144.11.119 19.341 ms 78.144.11.125 16.725 ms
6 78.144.11.6 16.818 ms 78.144.10.254 17.168 ms 78.144.11.6 17.104 ms
7 206.126.236.88 96.258 ms 145.253.33.238 14.267 ms 206.126.236.88 94.096 ms
8 63.218.162.165 344.874 ms 182.19.105.75 132.858 ms 63.218.162.165 344.861 ms
9 63.218.163.170 284.351 ms 123.63.182.125 138.510 ms 63.218.163.170 283.633 ms
10 103.1.112.13 138.879 ms 140.004 ms 182.19.115.224 277.669 ms
11 103.13.96.170 154.360 ms 182.19.107.1 275.934 ms 103.13.96.170 152.461 ms
12 103.241.180.132 136.943 ms 138.046 ms 182.19.115.100 275.782 ms
13 182.19.105.75 274.382 ms 274.097 ms *
14 123.63.182.125 280.577 ms * 281.215 ms
15 * 103.1.112.13 281.433 ms *
16 103.13.96.170 297.287 ms * 296.211 ms
17 * * *
18 * * *
19 * * *
...
The interesting hops are 12 to 13. In the port 80 example, hop 13 is your server. On port 3306, hop 13 is the 182.19.105.75 address, which in other traceroutes also shows up as the penultimate hop before the destination. I assume some DNAT is taking place that redirects traffic from this network back to a different destination, but I cannot tell from the output what that destination may be.
Some traceroutes show signs of looping, for example this one...
8 182.19.105.75 148.637 ms 133.271 ms 63.218.162.165 345.590 ms
9 * * 123.63.182.125 137.830 ms
10 103.1.112.13 140.637 ms * 140.108 ms
11 182.19.107.1 275.851 ms 103.13.96.170 153.820 ms 182.19.107.1 275.465 ms
12 103.241.180.132 136.681 ms 182.19.115.100 275.113 ms 103.241.180.132 136.907 ms
13 182.19.105.75 274.357 ms 274.330 ms 274.211 ms
14 123.63.182.125 282.631 ms 282.339 ms *
15 * 103.1.112.13 283.497 ms 282.053 ms
16 * * 103.13.96.170 298.444 ms
17 103.241.180.132 279.360 ms * *
However, I never end up receiving a TTL exceeded message.
Check what you have set up on the router and in the port forwarding; something appears to be configured incorrectly.
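As an added example (not from the question or either answer), a small Python parser that reads Linux `traceroute -T` output and applies the reading both answers use: a trace whose final hop is the target with `<syn,ack>` means the port answered, a trace that goes silent after some hop points to filtering beyond that hop (answer 1), and an address that recurs at different TTLs is the looping answer 2 describes. The regex-based parsing of the traceroute line format is an assumption of this example, and the sample traces are constructed, abbreviated from those quoted above.

```python
import re
# Constructed samples, abbreviated from the traces quoted in the two answers.
TRACE_80 = """traceroute to 141.101.117.86 (141.101.117.86), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.332 ms  0.460 ms  0.574 ms
 6  195.66.225.179 (195.66.225.179)  16.728 ms  14.735 ms  14.707 ms
 7  141.101.117.86 (141.101.117.86) <syn,ack>  14.713 ms  14.907 ms  14.887 ms
"""
TRACE_3306 = """traceroute to 141.101.117.86 (141.101.117.86), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.343 ms  0.444 ms  0.624 ms
 5  host-78-144-11-95.as13285.net (78.144.11.95)  16.140 ms host-78-144-11-119.as13285.net (78.144.11.119)  16.551 ms
 6  * * *
 7  * * *
"""
TRACE_LOOP = """traceroute to 103.231.8.238 (103.231.8.238), 30 hops max, 60 byte packets
 8  182.19.105.75  148.637 ms  133.271 ms 63.218.162.165  345.590 ms
 9  * * 123.63.182.125  137.830 ms
13  182.19.105.75  274.357 ms  274.330 ms  274.211 ms
14  123.63.182.125  282.631 ms  282.339 ms *
"""
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")  # assumed dotted-quad layout
def parse_trace(text):
    """Return (target_ip, [(ttl, [replying ips], saw_synack), ...])."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    head = re.match(r"traceroute to \S+ \((\d{1,3}(?:\.\d{1,3}){3})\)", lines[0])
    target = head.group(1) if head else None
    hops = []
    for ln in lines[1:]:
        ttl, _, rest = ln.strip().partition(" ")
        if not ttl.isdigit():
            continue
        ips = list(dict.fromkeys(IPV4.findall(rest)))  # dedupe, keep order
        hops.append((int(ttl), ips, "<syn,ack>" in rest))
    return target, hops

def classify(text):
    """Summarise a TCP traceroute the way the answers above read them."""
    target, hops = parse_trace(text)
    for ttl, ips, synack in hops:
        if target in ips:  # destination replied; only -O info shows which TCP flags
            return {"state": "open" if synack else "reached", "last_ttl": ttl,
                    "last_hops": ips, "looped": []}
    first, looped = {}, set()
    for ttl, ips, _ in hops:
        for ip in ips:
            if first.setdefault(ip, ttl) != ttl:  # same router seen at two TTLs
                looped.add(ip)
    answered = [(ttl, ips) for ttl, ips, _ in hops if ips]  # hops that replied at all
    last_ttl, last_hops = answered[-1] if answered else (0, [])
    return {"state": "looping" if looped else "filtered", "last_ttl": last_ttl,
            "last_hops": last_hops, "looped": sorted(looped)}
```

A "filtered" result names the last hop that replied; the filtering device sits somewhere after it, which is how answer 1 singles out 195.66.225.179.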