[mythtv-users] Iptables prevent remote database connection

Robin Hill myth at robinhill.me.uk
Fri Apr 6 09:56:01 UTC 2007


On Thu Apr 05, 2007 at 09:46:47PM -0400, Andrew Robinson wrote:

> This is similar to a problem discussed in the last couple of days but 
> with a seemingly different twist. When I have iptables running on the 
> backend server, I cannot connect to the mythconverg database from a 
> remote host. When I stop iptables, I can connect. I think I have opened 
> the required ports. Can anyone tell me what I am doing wrong?
> 
> And here is the output of 'service iptables status':
> 
> [root at muses ~]$ service iptables status
> 
> Table: filter
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0       0.0.0.0/0
> 
> Chain FORWARD (policy ACCEPT)
> num  target     prot opt source        destination
> 1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0       0.0.0.0/0
> 
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source        destination
> 
> Chain RH-Firewall-1-INPUT (2 references)
> num  target   prot opt source          destination
> 1    ACCEPT   all  --  0.0.0.0/0       0.0.0.0/0
> 2    ACCEPT   icmp --  0.0.0.0/0       0.0.0.0/0   icmp type 255
> 3    ACCEPT   esp  --  0.0.0.0/0       0.0.0.0/0
> 4    ACCEPT   ah   --  0.0.0.0/0       0.0.0.0/0
> 5    ACCEPT   udp  --  0.0.0.0/0       224.0.0.251 udp dpt:5353
> 6    ACCEPT   all  --  0.0.0.0/0       0.0.0.0/0   state 
> RELATED,ESTABLISHED
> 7    ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   state NEW tcp dpt:22
> 8    ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   state NEW tcp dpt:80
> 9    ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   state NEW tcp dpt:443
> 10   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:631
> 11   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:631
> 12   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:111
> 13   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:111
> 14   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:113
> 15   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:113
> 16   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:2049
> 17   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:2049
> 18   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpts:4000:4003
> 19   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpts:4000:4003
> 20   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpts:137:138
> 21   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:139
> 22   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:445
> 23   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:445
> 24   REJECT   all  --  0.0.0.0/0       0.0.0.0/0   reject-with 
> icmp-host-prohibited
> 25   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:3306
> 26   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:3306
> 27   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:6543
> 28   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:6543
> 29   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:6544
> 30   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:6544
> 31   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:6546
> 32   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:6546
> 33   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:1009
> 34   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:7288
> 35   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:5353
> 36   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:1527
> 37   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:2190
> 38   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:2190
> 39   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:8081
> 
The ordering of your iptables rules is wrong - they're applied in order,
so everything after rule 24 (which will reject any traffic) will never
be reached.

Are these rules defined in a file somewhere?  If so it should just
be a matter of reordering them, making sure the reject rule is last.

HTH,
        Robin
-- 
     ___        
    ( ' }     |       Robin Hill        <myth at robinhill.me.uk>  |
   / / )      | Little Jim says ....                            |
  // !!       |      "He fallen in de water !!"                 |
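The shadowing Robin describes can be checked mechanically from the listing the original poster pasted. The script below is an added example, not code from the post or from MythTV: it reads output in the format of `iptables -L <chain> -n --line-numbers`, reports the first catch-all REJECT/DROP rule and every rule numbered after it (which the kernel never evaluates), and prints the two `iptables` commands that move that rule to the end of the chain. The sample chain is constructed and abbreviated from the one in the thread; the function names are this example's own. One caveat the listing itself does not show: without `-v`, `iptables -L` hides interface matches, so a rule that prints as `ACCEPT all -- 0.0.0.0/0 0.0.0.0/0` (rule 1 above) is normally the stock Red Hat `-i lo -j ACCEPT` loopback rule rather than an accept-everything rule; use `iptables -L -n -v --line-numbers` when auditing.

```shell
#!/bin/sh
# Constructed sample in the format of `iptables -L RH-Firewall-1-INPUT -n --line-numbers`,
# abbreviated from the chain pasted in the thread: the REJECT sits above the MySQL rule.
SAMPLE_CHAIN='Chain RH-Firewall-1-INPUT (2 references)
num  target   prot opt source          destination
1    ACCEPT   all  --  0.0.0.0/0       0.0.0.0/0   state RELATED,ESTABLISHED
2    ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   state NEW tcp dpt:22
3    REJECT   all  --  0.0.0.0/0       0.0.0.0/0   reject-with icmp-host-prohibited
4    ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:3306
5    ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:6543'

# A rule is a "catch-all terminal" when its target is REJECT or DROP, it matches
# all protocols, and both source and destination are 0.0.0.0/0.  Fields in the
# listing: $1=num $2=target $3=prot $4=opt $5=source $6=destination.
is_catch_all='($2 == "REJECT" || $2 == "DROP") && $3 == "all" && $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0"'

# catch_all_rule: read a chain listing on stdin, print the number of the first
# catch-all terminal rule (nothing if the chain has none).
catch_all_rule() {
    awk "\$1 ~ /^[0-9]+\$/ && $is_catch_all { print \$1; exit }"
}

# shadowed_rules: read a chain listing on stdin, print the numbers of all rules
# that come after the first catch-all terminal rule; packets never reach them.
shadowed_rules() {
    awk "\$1 ~ /^[0-9]+\$/ {
            if (blocked) { print \$1; next }
            if ($is_catch_all) blocked = 1
        }"
}

# move_terminal_rule_last: print (do not run) the commands that delete the
# catch-all rule by number and re-append it at the end of the chain, which is
# the reordering suggested in the reply.  Assumes the rule is the Red Hat
# default REJECT with icmp-host-prohibited, as in the pasted listing.
move_terminal_rule_last() {
    chain=$1
    num=$2
    printf 'iptables -D %s %s\n' "$chain" "$num"
    printf 'iptables -A %s -j REJECT --reject-with icmp-host-prohibited\n' "$chain"
}

# Stand-alone demonstration on the constructed sample.
reject_num=$(printf '%s\n' "$SAMPLE_CHAIN" | catch_all_rule)
echo "catch-all terminal rule: $reject_num"
echo "rules shadowed by it:"
printf '%s\n' "$SAMPLE_CHAIN" | shadowed_rules
echo "suggested fix:"
move_terminal_rule_last RH-Firewall-1-INPUT "$reject_num"
```

Run against the real box with `iptables -L RH-Firewall-1-INPUT -n --line-numbers | sh -c '. ./check.sh; shadowed_rules'` or simply paste the listing into the script. On a Red Hat style system the persistent rules live in `/etc/sysconfig/iptables`; the live `-D`/`-A` commands above fix the running chain, but the REJECT line also has to be moved to the bottom of that file (followed by `service iptables restart`) or the ordering comes back on the next boot.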