[mythtv-users] Iptables prevent remote database connection
Robin Hill
myth at robinhill.me.uk
Fri Apr 6 09:56:01 UTC 2007
On Thu Apr 05, 2007 at 09:46:47PM -0400, Andrew Robinson wrote:
> This is similar to a problem discussed in the last couple of days but
> with a seemingly different twist. When I have iptables running on the
> backend server, I cannot connect to the mythconverg database from a
> remote host. When I stop iptables, I can connect. I think I have opened
> the required ports. Can anyone tell me what I am doing wrong?
>
> And here is the output of 'service iptables status':
>
> [root at muses ~]$ service iptables status
>
> Table: filter
> Chain INPUT (policy ACCEPT)
> num target prot opt source destination
> 1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT)
> num target prot opt source destination
> 1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> num target prot opt source destination
> 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> 2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
> 3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
> 4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
> 5 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
> 6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 7 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 state NEW tcp dpt:22
> 8 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 state NEW tcp dpt:80
> 9 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 state NEW tcp dpt:443
> 10 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:631
> 11 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:631
> 12 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:111
> 13 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:111
> 14 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:113
> 15 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:113
> 16 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:2049
> 17 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:2049
> 18 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpts:4000:4003
> 19 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpts:4000:4003
> 20 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpts:137:138
> 21 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:139
> 22 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:445
> 23 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:445
> 24 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
> 25 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:3306
> 26 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:3306
> 27 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:6543
> 28 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:6543
> 29 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:6544
> 30 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:6544
> 31 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:6546
> 32 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:6546
> 33 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:1009
> 34 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:7288
> 35 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:5353
> 36 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:1527
> 37 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:2190
> 38 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:2190
> 39 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:8081
>
The ordering of your iptables rules is wrong - they're applied in order,
so everything after rule 24 (which will reject any traffic) will never
be reached.
Are these rules defined in a file somewhere? If so it should just
be a matter of reordering them, making sure the reject rule is last.
HTH,
Robin
--
___
( ' } | Robin Hill <myth at robinhill.me.uk> |
/ / ) | Little Jim says .... |
// !! | "He fallen in de water !!" |
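The shadowing Robin describes can be checked mechanically. The script below is an added example, not code from the thread or from MythTV: it parses the `iptables -L -n --line-numbers` format that `service iptables status` prints (a constructed, abbreviated copy of the listing above is embedded as sample input), reports every rule that sits after the first unconditional REJECT/DROP in a chain, and prints the two iptables commands that move that terminal rule to the end. The function names `scan_chain` and `fix_commands` are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): find rules shadowed by an unconditional
# REJECT/DROP in `iptables -L -n --line-numbers` output and print the commands
# that move the terminal rule to the end of its chain.

# Constructed sample, abbreviated from the listing quoted in the thread.
# Rule 1 ("ACCEPT all") is almost certainly `-i lo`; `-L -n` without `-v`
# hides the interface, which is why only REJECT/DROP are treated as terminal.
SAMPLE='Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0  0.0.0.0/0

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
7    ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0           state NEW tcp dpt:22
24   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
25   ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0           tcp dpt:3306
27   ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0           tcp dpt:6543'

# scan_chain MODE CHAIN  < listing
#   MODE=shadowed : print, space-separated, the numbers of rules after the
#                   first unconditional REJECT/DROP (they can never match).
#   MODE=terminal : print "<num> <target> [<reject-with type>]" of that rule.
# A rule is "unconditional" when it is proto all, any source, any destination,
# and its only extra text is an optional "reject-with <type>".
scan_chain() {
    awk -v mode="$1" -v chain="$2" '
        /^Chain / { in_chain = ($2 == chain); next }
        !in_chain || $1 !~ /^[0-9]+$/ { next }
        {
            extra = ""
            for (i = 7; i <= NF; i++) extra = extra (i > 7 ? " " : "") $i
            terminal = ($2 == "REJECT" || $2 == "DROP") && $3 == "all" &&
                       $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" &&
                       (extra == "" || extra ~ /^reject-with [^ ]+$/)
            if (blocked) out = out (out == "" ? "" : " ") $1
            else if (terminal) { blocked = 1; term = $1 " " $2 (extra == "" ? "" : " " $8) }
        }
        END {
            if (mode == "terminal" && term != "") print term
            if (mode == "shadowed" && out != "") print out
        }'
}

# fix_commands CHAIN  < listing
# Emit the commands that delete the terminal rule by number and re-append it,
# so it becomes the last rule and the ones it shadowed become reachable.
fix_commands() {
    chain=$1
    set -- $(scan_chain terminal "$chain")
    [ -n "$1" ] || return 0
    echo "iptables -D $chain $1"
    if [ "$2" = REJECT ]; then
        echo "iptables -A $chain -j REJECT --reject-with $3"
    else
        echo "iptables -A $chain -j DROP"
    fi
}

# Demonstration on the constructed sample (on a live host, pipe in
# `iptables -L -n --line-numbers` instead).
echo "shadowed in RH-Firewall-1-INPUT: $(printf '%s\n' "$SAMPLE" | scan_chain shadowed RH-Firewall-1-INPUT)"
printf '%s\n' "$SAMPLE" | fix_commands RH-Firewall-1-INPUT
```

On a Red Hat-style system the persistent copy of these rules is /etc/sysconfig/iptables, so moving the `-j REJECT --reject-with icmp-host-prohibited` line below the port rules there and running `service iptables restart` is the lasting fix; rules usually end up behind the REJECT when they are added by hand with `iptables -A` (append) rather than `iptables -I` (insert) and then saved. To confirm the reorder worked, run `iptables -L RH-Firewall-1-INPUT -n -v --line-numbers` and watch the pkts counters: a port rule that stays at zero while the REJECT's counter climbs is still shadowed. MySQL listens on TCP only, so the udp dpt:3306 rule is unnecessary.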