Can't connect to MySQL server on '198.211.37.xx'

Over the past few days I have tried many things to fix `Can't connect to MySQL server`. I want to describe everything I have done so far.

  1. Created a mysql user and granted it all privileges.
  2. Bound to 0.0.0.0 in /etc/my.cnf.
  3. Changed the iptables rules as shown below:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  127.0.0.0/8          anywhere
    Admin      tcp  --  anywhere             anywhere            tcp dpt:caiccipc
    REJECT     tcp  --  anywhere             anywhere            tcp dpt:mysql reject-with icmp-port-unreachable
    REJECT     tcp  --  anywhere             anywhere            tcp dpt:caiccipc reject-with icmp-port-unreachable
    REJECT     tcp  --  anywhere             anywhere            tcp dpt:ssslic-mgr reject-with icmp-port-unreachable
    REJECT     tcp  --  anywhere             anywhere            tcp dpt:h323hostcallsc reject-with icmp-port-unreachable
    REJECT     tcp  --  anywhere             anywhere            tcp dpt:cadkey-tablet reject-with icmp-port-unreachable
    REJECT     tcp  --  anywhere             anywhere            tcp dpt:ufastro-instr reject-with icmp-port-unreachable
    REJECT     tcp  --  anywhere             anywhere            tcp dpt:5062 reject-with icmp-port-unreachable
    REJECT     tcp  --  anywhere             anywhere            tcp dpt:ca-2 reject-with icmp-port-unreachable
    REJECT     tcp  --  anywhere             anywhere            tcp dpt:5070 reject-with icmp-port-unreachable
    REJECT     tcp  --  anywhere             anywhere            tcp dpt:6060 reject-with icmp-port-unreachable
    REJECT     tcp  --  anywhere             anywhere            tcp dpt:8005 reject-with icmp-port-unreachable
    REJECT     tcp  --  anywhere             anywhere            tcp dpt:8009 reject-with icmp-port-unreachable
    REJECT     udp  --  anywhere             anywhere            udp dpt:itelserverport reject-with icmp-port-unreachable
    ACCEPT     tcp  --  103.19.0.0/24        anywhere            tcp dpt:mysql state NEW,ESTABLISHED
    DROP       tcp  --  103.19.0.0/24        anywhere            tcp dpt:mysql state NEW,ESTABLISHED
    DROP       tcp  --  103.19.0.0/24        anywhere            tcp dpt:mysql
    ACCEPT     tcp  --  103.19.0.0/24        anywhere            tcp dpt:mysql
    ACCEPT     tcp  --  103.19.0.0/24        anywhere            tcp dpt:mysql state NEW,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
  4. My nmap of '198.211.37.xx' shows the following:

    PORT     STATE    SERVICE
    1/tcp    filtered tcpmux
    2/tcp    filtered compressnet
    3/tcp    filtered compressnet
    4/tcp    filtered unknown
    5/tcp    filtered rje
    6/tcp    filtered unknown
    7/tcp    filtered echo
    8/tcp    filtered unknown
    9/tcp    filtered discard
    10/tcp   filtered unknown
    11/tcp   filtered systat
    12/tcp   filtered unknown
    13/tcp   filtered daytime
    14/tcp   filtered unknown
    15/tcp   filtered netstat
    16/tcp   filtered unknown
    17/tcp   filtered qotd
    18/tcp   filtered msp
    19/tcp   filtered chargen
    21/tcp   open     ftp
    22/tcp   filtered ssh
    25/tcp   open     smtp
    26/tcp   open     unknown
    53/tcp   open     domain
    80/tcp   open     http
    110/tcp  open     pop3
    143/tcp  open     imap
    443/tcp  open     https
    465/tcp  open     smtps
    587/tcp  open     submission
    993/tcp  open     imaps
    995/tcp  open     pop3s
    3306/tcp open     mysql
    8080/tcp open     http-proxy
    

After doing all of this, I still get `Can't connect to MySQL server on '198.211.37.xx'` from my application.

I really need expert advice on this problem.

Answer 1

Personally, I would remove all of the iptables configuration and start again, using this document as a reference.

For good practice, I would run a "default deny" ruleset and explicitly allow connections to the services you want to run (e.g. ports 22 and 3306 for SSH and MySQL respectively). Based on this guide (keep in mind that these commands may need modifying for your system):

First, flush all existing rules:

    iptables -F
    iptables -X

Then add default policies for the INPUT, OUTPUT and FORWARD chains and allow loopback connections - note that this will allow all outbound access by default:

    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -A INPUT -i lo -j ACCEPT

Allow SSH (replace <SERVER_IP> with your server's public IP):

    iptables -A INPUT -p tcp -s 0.0.0.0/0 -d <SERVER_IP> --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

Allow MySQL (replace <OTHER_SERVER_IP> with the IP address you want to whitelist for MySQL access - I strongly recommend doing this so that your MySQL port is not visible to the whole world). You can repeat this step for every port you want to make publicly accessible:

    iptables -A INPUT -p tcp -s <OTHER_SERVER_IP> -d <SERVER_IP> --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT

Finally, drop all other inbound traffic:

    iptables -A INPUT -j DROP
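An added example, not code from the question or the answer above: iptables evaluates the INPUT chain top to bottom and stops at the first matching rule, so the early `REJECT ... dpt:mysql` in the asker's chain wins over the `ACCEPT` rules appended later. The helper below reproduces that verdict on a constructed excerpt of the asker's listing, and generates the answer's default-deny ruleset as reviewable text (no root needed); the IPs 198.211.37.1 and 203.0.113.5 are placeholders, and the `ESTABLISHED,RELATED` rule is an addition beyond the answer so that replies to the server's own outbound connections are not dropped by the final rule.

```shell
#!/bin/sh
# Constructed excerpt of the asker's `iptables -L INPUT` output: the REJECT on
# dpt:mysql comes BEFORE the ACCEPT rules, and iptables stops at the first match.
ASKER_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  127.0.0.0/8          anywhere
REJECT     tcp  --  anywhere             anywhere            tcp dpt:mysql reject-with icmp-port-unreachable
ACCEPT     tcp  --  103.19.0.0/24        anywhere            tcp dpt:mysql state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql'

# Print the target (ACCEPT/REJECT/DROP) of the first rule in a chain listing
# whose dpt: column names the given service, i.e. the verdict a new connection
# to that port would get. Prints nothing if no rule mentions the service.
first_verdict() {  # $1 = chain listing text, $2 = service name as shown after "dpt:"
    printf '%s\n' "$1" | awk -v svc="$2" '
        $1 ~ /^(ACCEPT|REJECT|DROP)$/ && index($0, "dpt:" svc) { print $1; exit }'
}

# Emit the default-deny ruleset from the answer as commands for review.
# SSH is accepted from anywhere; MySQL only from one whitelisted host.
gen_ruleset() {  # $1 = server public IP (placeholder), $2 = host allowed to reach MySQL (placeholder)
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 -d $1 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s $2 -d $1 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP
EOF
}

# Sample run: the asker's chain rejects MySQL despite the later ACCEPT rules,
# then the reviewable replacement ruleset is printed (placeholder IPs).
printf 'First-match verdict for mysql in the asker chain: %s\n' \
    "$(first_verdict "$ASKER_INPUT_CHAIN" mysql)"
gen_ruleset 198.211.37.1 203.0.113.5
```

Pipe the generated commands into `sh` only after reviewing them on the console you are not about to lock yourself out of.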
