Over the past few days I have tried many things to solve a "Can't connect to MySQL server" problem. I want to describe everything I have done so far.
- Created a mysql user and granted it all privileges.
- Bound 0.0.0.0 in /etc/my.cnf.
- Changed the iptables rules as below:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  127.0.0.0/8          anywhere
Admin      tcp  --  anywhere             anywhere             tcp dpt:caiccipc
REJECT     tcp  --  anywhere             anywhere             tcp dpt:mysql reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:caiccipc reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssslic-mgr reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:h323hostcallsc reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:cadkey-tablet reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ufastro-instr reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5062 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ca-2 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5070 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:6060 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:8005 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:8009 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:itelserverport reject-with icmp-port-unreachable
ACCEPT     tcp  --  103.19.0.0/24        anywhere             tcp dpt:mysql state NEW,ESTABLISHED
DROP       tcp  --  103.19.0.0/24        anywhere             tcp dpt:mysql state NEW,ESTABLISHED
DROP       tcp  --  103.19.0.0/24        anywhere             tcp dpt:mysql
ACCEPT     tcp  --  103.19.0.0/24        anywhere             tcp dpt:mysql
ACCEPT     tcp  --  103.19.0.0/24        anywhere             tcp dpt:mysql state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mysql

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
My nmap scan of '198.211.37.xx' shows the following:
PORT     STATE    SERVICE
1/tcp    filtered tcpmux
2/tcp    filtered compressnet
3/tcp    filtered compressnet
4/tcp    filtered unknown
5/tcp    filtered rje
6/tcp    filtered unknown
7/tcp    filtered echo
8/tcp    filtered unknown
9/tcp    filtered discard
10/tcp   filtered unknown
11/tcp   filtered systat
12/tcp   filtered unknown
13/tcp   filtered daytime
14/tcp   filtered unknown
15/tcp   filtered netstat
16/tcp   filtered unknown
17/tcp   filtered qotd
18/tcp   filtered msp
19/tcp   filtered chargen
21/tcp   open     ftp
22/tcp   filtered ssh
25/tcp   open     smtp
26/tcp   open     unknown
53/tcp   open     domain
80/tcp   open     http
110/tcp  open     pop3
143/tcp  open     imap
443/tcp  open     https
465/tcp  open     smtps
587/tcp  open     submission
993/tcp  open     imaps
995/tcp  open     pop3s
3306/tcp open     mysql
8080/tcp open     http-proxy
After all of this, I still get "Can't connect to MySQL server on '198.211.37.xx'" when I submit my application.
I badly need advice from an expert on this problem.
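One thing worth checking in a listing like the one above is rule order: iptables walks a chain top to bottom and stops at the first terminating target, so an ACCEPT placed below a REJECT or DROP that already matches the same traffic is never reached. The following is an added example, not part of the original question: a small shell/awk filter that reads the text of iptables -L (with or without -n) and reports ACCEPT rules for a destination port that sit below an earlier catch-all REJECT/DROP for that same port. The listing it runs on is constructed from the INPUT chain posted above (trimmed, plus two made-up ssh lines that show a REJECT with an extra state match, which is not a catch-all); the function name find_shadowed_port_rules is my own.

```sh
#!/bin/sh
# Added example (not from the original question): report ACCEPT rules that can never
# match because an earlier REJECT/DROP in the same chain already catches that port.
# Input is the text of `iptables -L` (with or without -n), read from stdin or a file.

find_shadowed_port_rules() {
  awk '
    /^Chain / { chain = $2; next }          # remember which chain we are in
    /^target / { next }                     # column header line
    NF < 5 { next }                         # blank lines
    {
      # Columns: target prot opt source destination [match options...]
      port = ""; only_port_match = 1
      for (i = 6; i <= NF; i++) {
        if ($i ~ /^dpt:/) {
          port = substr($i, 5)
        } else if ($i !~ /^(tcp|udp|reject-with|icmp-.*|tcp-reset)$/) {
          # anything besides the protocol, the port and a reject type (e.g. "state")
          # narrows the rule, so it is no longer a catch-all for that port
          only_port_match = 0
        }
      }
      if (port == "") next                  # rule has no --dport; ignore it
      key = chain SUBSEP $2 SUBSEP port
      catch_all = ($4 == "anywhere" || $4 == "0.0.0.0/0") && ($5 == "anywhere" || $5 == "0.0.0.0/0")
      if (($1 == "REJECT" || $1 == "DROP") && catch_all && only_port_match && !(key in blocker)) {
        blocker[key] = $1 " at listing line " NR
      } else if ($1 == "ACCEPT" && (key in blocker)) {
        printf "%s: ACCEPT %s from %s dpt:%s (listing line %d) is unreachable, shadowed by %s\n",
               chain, $2, $4, port, NR, blocker[key]
      }
    }' "$@"
}

# Constructed sample: the INPUT chain from the question, trimmed, plus two made-up ssh
# rules (REJECT restricted by "state INVALID", then ACCEPT) that must NOT be reported.
SAMPLE_LISTING=$(cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  127.0.0.0/8          anywhere
Admin      tcp  --  anywhere             anywhere             tcp dpt:caiccipc
REJECT     tcp  --  anywhere             anywhere             tcp dpt:mysql reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:caiccipc reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:8009 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh state INVALID reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  103.19.0.0/24        anywhere             tcp dpt:mysql state NEW,ESTABLISHED
DROP       tcp  --  103.19.0.0/24        anywhere             tcp dpt:mysql state NEW,ESTABLISHED
DROP       tcp  --  103.19.0.0/24        anywhere             tcp dpt:mysql
ACCEPT     tcp  --  103.19.0.0/24        anywhere             tcp dpt:mysql
ACCEPT     tcp  --  103.19.0.0/24        anywhere             tcp dpt:mysql state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mysql

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
EOF
)

# Stand-alone run: prints one line for each of the four unreachable mysql ACCEPTs.
printf '%s\n' "$SAMPLE_LISTING" | find_shadowed_port_rules
```

On a live system run it as iptables -L INPUT -n | find_shadowed_port_rules. The reported numbers are lines of the listing, not rule positions; iptables -L INPUT -n -v --line-numbers gives the rule numbers to delete with -D and per-rule packet counters, which show which rule is actually matching. Jumps into user-defined chains (the Admin target in the listing) are not followed.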
Answer 1
Personally, I would remove all of the iptables configuration and start again, using this document as a reference.
For good practice, I would run a "default deny" ruleset and explicitly allow connections to the services you want to run (e.g. ports 22 and 3306 for SSH and MySQL respectively). Following this guide (bearing in mind that these commands may need to be modified for your system):
First, flush all existing rules:
iptables -F
iptables -X
Then set the default policies for the INPUT, OUTPUT and FORWARD chains and allow loopback connections - note that this will allow all outbound access by default:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
Allow SSH (replace <SERVER_IP> with your server's public IP):
iptables -A INPUT -p tcp -s 0.0.0.0/0 -d <SERVER_IP> --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
Allow MySQL (replace <OTHER_SERVER_IP> with the IP address you want to whitelist for MySQL access - I strongly recommend doing this so that your MySQL port is not visible to the whole world). You can repeat this step for every port you want to make publicly accessible:
iptables -A INPUT -p tcp -s <OTHER_SERVER_IP> -d <SERVER_IP> --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
Finally, drop all other inbound traffic:
iptables -A INPUT -j DROP
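The sequence in this answer as one reviewable script, added here as an example (it is not part of the answer or of any iptables guide): build_ruleset prints the iptables commands in order instead of executing them, so the result can be read or diffed before apply_ruleset runs it; both addresses are syntax-checked first so that a typo cannot open 3306 to an unintended network. The function names, the IPT variable and the sample addresses 198.51.100.10 and 203.0.113.0/24 are my own. One rule beyond the answer's list is my addition: a general ESTABLISHED,RELATED accept after loopback, because with the trailing DROP the replies to connections the server itself opens (DNS lookups, package updates) would otherwise be discarded too.

```sh
#!/bin/sh
# Added example (not from the answer above): the answer's rule sequence as a script.
# build_ruleset only prints commands; apply_ruleset pipes them into sh -e.
IPT=${IPT:-iptables}        # iptables binary to use (assumption: it is on PATH)

# is_ipv4 ADDR: four dotted decimal octets, each 0-255.
is_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# is_ipv4_or_cidr ADDR[/PREFIX]: the MySQL client may be a host or a network.
is_ipv4_or_cidr() {
  case "$1" in
    */*)
      case "${1#*/}" in ''|*[!0-9]*) return 1 ;; esac
      [ "${1#*/}" -le 32 ] || return 1
      is_ipv4 "${1%/*}" ;;
    *) is_ipv4 "$1" ;;
  esac
}

# build_ruleset SERVER_IP MYSQL_CLIENT: print the commands in the order they must run.
# Order matters: the ACCEPT rules have to be appended before the final catch-all DROP.
build_ruleset() {
  server_ip=$1
  mysql_client=$2
  is_ipv4 "$server_ip" || { echo "build_ruleset: bad SERVER_IP '$server_ip'" >&2; return 1; }
  is_ipv4_or_cidr "$mysql_client" || { echo "build_ruleset: bad MySQL client address '$mysql_client'" >&2; return 1; }
  cat <<EOF
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp -s 0.0.0.0/0 -d $server_ip --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -s $mysql_client -d $server_ip --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -j DROP
EOF
}

# apply_ruleset SERVER_IP MYSQL_CLIENT: execute the commands, stopping at the first failure.
apply_ruleset() {
  build_ruleset "$1" "$2" | sh -e
}

# Stand-alone run: print (do not apply) the ruleset for the sample addresses.
build_ruleset 198.51.100.10 203.0.113.0/24
```

Run apply_ruleset from a console session or with a scheduled fallback (for example an at job that flushes the rules a few minutes later, cancelled once you have confirmed access), because -F followed by the final DROP will cut your SSH session if the port-22 rule does not match your traffic, e.g. because <SERVER_IP> is wrong. After applying, iptables -L INPUT -n -v --line-numbers shows the rules in their final order together with packet counters, which is the quickest way to confirm that a test connection to 3306 from the whitelisted address is hitting the ACCEPT rule rather than the DROP.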