I have two CentOS VMs.
Their IP addresses are:
- VM_1 =>10.99.0.10
- VM_2 =>10.99.0.12
Apache and PHP are on VM_1, MySQL is on VM_2. Both have iptables rules. The VM_2 rules work fine. Now I am testing from VM_1.
First, I disabled iptables on VM_1 and connected to MySQL on VM_2 (the connection succeeded).
[root@foster ~]# service iptables stop
iptables: Applying firewall rules: [ OK ]
[root@foster ~]# mysql -h 10.99.0.12 -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 5.6.21 MySQL Community Server (GPL)
...
Second, I enabled iptables on VM_1 and connected to MySQL on VM_2 (it did not respond, even after several hours).
[root@foster ~]# service iptables start
iptables: Applying firewall rules: [ OK ]
[root@foster ~]# mysql -h 10.99.0.12 -u root -p
Enter password:
What is wrong with my iptables rules? Here are my iptables rules:
[root@foster ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,ESTABLISHED
ACCEPT tcp -- 10.99.0.12 anywhere tcp dpt:mysql state NEW,ESTABLISHED
ACCEPT tcp -- localhost anywhere tcp dpt:mysql state NEW,ESTABLISHED
LOGGING all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:http state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:https state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:mysql state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:mysql state ESTABLISHED
Chain LOGGING (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 2/min burst 5 LOG level debug prefix `IPTables Dropped -:- '
DROP all -- anywhere anywhere
Answer 1
The problem is that you are not allowing new connections to MySQL, and you have reversed sport and dport:
Chain INPUT (policy DROP)
...
ACCEPT tcp -- 10.99.0.12 anywhere tcp dpt:mysql state NEW,ESTABLISHED
ACCEPT tcp -- localhost anywhere tcp dpt:mysql state NEW,ESTABLISHED
...
Chain OUTPUT (policy DROP)
...
ACCEPT tcp -- anywhere anywhere tcp spt:mysql state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:mysql state ESTABLISHED
...
The correct iptables -L output should be:
Chain INPUT (policy DROP)
...
ACCEPT tcp -- 10.99.0.12 anywhere tcp spt:mysql state ESTABLISHED
ACCEPT tcp -- localhost anywhere tcp spt:mysql state ESTABLISHED
...
Chain OUTPUT (policy DROP)
...
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql state NEW,ESTABLISHED
...
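A script form of the answer's fix, added here as an illustration and not part of the question or the answer: it lints an iptables -L listing to flag the server-shaped MySQL rules the question shows (dpt:mysql on INPUT, spt:mysql on OUTPUT), and prints (or, with DRY_RUN=0, applies) the client-shaped rules the answer gives. It goes one step beyond the answer in two ways, both stated in the comments: the OUTPUT rule is restricted to the server's address 10.99.0.12 rather than anywhere, and rules are inserted at the top of the chain so they land ahead of the LOGGING catch-all that ends the question's INPUT chain. The MYSQL_SERVER variable, the function names and the abridged sample listings are mine.

```shell
#!/bin/sh
# Added example (not from the question or the answer). Emits or applies the
# client-side MySQL rules for VM_1 that the answer describes.
# Assumptions: the MySQL server is VM_2 at 10.99.0.12 and the client's
# INPUT/OUTPUT chains use policy DROP, as in the question's listing.

MYSQL_SERVER="${MYSQL_SERVER:-10.99.0.12}"   # VM_2, from the question
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print only; 0 = apply

# apply_rule CHAIN MATCH...: print the command, or insert the rule if it is
# not already present. Inserting with -I (not -A) matters here: the question's
# INPUT chain ends with a jump to LOGGING, which drops everything, so a rule
# appended after it would never match. `iptables -C` needs iptables 1.4.11+;
# on older builds it fails and the rule is simply inserted.
apply_rule() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables -I $*"
    else
        iptables -C "$@" 2>/dev/null || iptables -I "$@"
    fi
}

# mysql_client_rules: a client initiates the connection, so NEW is only
# legitimate on OUTPUT towards the server's port; the replies arrive on INPUT
# with the server port as source and are always ESTABLISHED. Unlike the
# answer's "anywhere", the OUTPUT rule is pinned to the server address.
mysql_client_rules() {
    apply_rule OUTPUT -p tcp -d "$MYSQL_SERVER" --dport 3306 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    apply_rule INPUT -p tcp -s "$MYSQL_SERVER" --sport 3306 \
        -m state --state ESTABLISHED -j ACCEPT
}

# lint_listing: read an `iptables -L` listing on stdin and classify its MySQL
# rules: "swapped" = server-shaped rules on a client (dpt:mysql on INPUT,
# spt:mysql on OUTPUT), "client" = client-shaped, "none" = no MySQL rules,
# "mixed" = anything else.
lint_listing() {
    awk '
        /^Chain / { chain = $2 }
        chain == "INPUT"  && /dpt:mysql/ { in_dpt++ }
        chain == "INPUT"  && /spt:mysql/ { in_spt++ }
        chain == "OUTPUT" && /dpt:mysql/ { out_dpt++ }
        chain == "OUTPUT" && /spt:mysql/ { out_spt++ }
        END {
            if (in_dpt + in_spt + out_dpt + out_spt == 0) print "none"
            else if (in_dpt && out_spt && !in_spt && !out_dpt) print "swapped"
            else if (in_spt && out_dpt && !in_dpt && !out_spt) print "client"
            else print "mixed"
        }'
}

# Constructed sample input: the MySQL-relevant lines of the listing in the
# question (abridged), and the corrected listing from the answer.
QUESTION_LISTING=$(cat <<'EOF'
Chain INPUT (policy DROP)
ACCEPT tcp -- 10.99.0.12 anywhere tcp dpt:mysql state NEW,ESTABLISHED
ACCEPT tcp -- localhost anywhere tcp dpt:mysql state NEW,ESTABLISHED
LOGGING all -- anywhere anywhere
Chain OUTPUT (policy DROP)
ACCEPT tcp -- anywhere anywhere tcp spt:mysql state ESTABLISHED
EOF
)
FIXED_LISTING=$(cat <<'EOF'
Chain INPUT (policy DROP)
ACCEPT tcp -- 10.99.0.12 anywhere tcp spt:mysql state ESTABLISHED
Chain OUTPUT (policy DROP)
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql state NEW,ESTABLISHED
EOF
)

# Stand-alone run: classify the question's listing, then show the fix.
printf '%s\n' "$QUESTION_LISTING" | lint_listing   # prints "swapped"
mysql_client_rules
```

Run it as-is to see the two iptables commands it would add; run it with DRY_RUN=0 as root on VM_1 to apply them. Feeding the real listing (iptables -L | sh -c '. ./script; lint_listing') tells you in one word whether a host's MySQL rules are shaped for a server or a client, which is the mistake the answer points out.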