[mythtv-users] Iptables prevent remote database connection
Andrew Robinson
awrobinson-ml at nc.rr.com
Sun Apr 8 01:23:05 UTC 2007
Robin Hill wrote:
> On Thu Apr 05, 2007 at 09:46:47PM -0400, Andrew Robinson wrote:
>
>> This is similar to a problem discussed in the last couple of days but
>> with a seemingly different twist. When I have iptables running on the
>> backend server, I cannot connect to the mythconverg database from a
>> remote host. When I stop iptables, I can connect. I think I have opened
>> the required ports. Can anyone tell me what I am doing wrong?
>>
>> And here is the output of 'service iptables status':
>>
>> [root at muses ~]$ service iptables status
>>
>> Table: filter
>> Chain INPUT (policy ACCEPT)
>> num target prot opt source destination
>> 1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
>>
>> Chain FORWARD (policy ACCEPT)
>> num target prot opt source destination
>> 1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
>>
>> Chain OUTPUT (policy ACCEPT)
>> num target prot opt source destination
>>
>> Chain RH-Firewall-1-INPUT (2 references)
>> num target prot opt source destination
>> 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>> 2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
>> 3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
>> 4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
>> 5 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
>> 6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
>> RELATED,ESTABLISHED
>> 7 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 state NEW tcp dpt:22
>> 8 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 state NEW tcp dpt:80
>> 9 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 state NEW tcp dpt:443
>> 10 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:631
>> 11 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:631
>> 12 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:111
>> 13 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:111
>> 14 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:113
>> 15 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:113
>> 16 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:2049
>> 17 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:2049
>> 18 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpts:4000:4003
>> 19 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpts:4000:4003
>> 20 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpts:137:138
>> 1 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:139
>> 22 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:445
>> 23 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:445
>> 24 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with
>> icmp-host-prohibited
>> 25 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:3306
>> 26 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:3306
>> 27 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:6543
>> 28 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:6543
>> 29 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:6544
>> 30 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:6544
>> 1 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:6546
>> 32 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:6546
>> 33 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:1009
>> 34 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:7288
>> 35 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:5353
>> 36 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:1527
>> 37 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:2190
>> 38 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:2190
>> 39 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:8081
>>
> The ordering of your iptables rules is wrong - they're applied in order,
> so everything after rule 24 (which will reject any traffic) will never
> be reached.
>
> Are these rules defined in a file somewhere? If so it should just
> be a matter of reordering them, making sure the reject rule is last.
>
Bingo! That resolved my problem. Thank you very much!
Andrew
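A small check for the ordering problem Robin describes, added here as an example that is not part of the thread: it parses a `service iptables status`-style chain listing (the excerpt below is constructed from the post's output, with the wrapped rule 6 joined on one line) and reports every rule that sits after a catch-all REJECT/DROP and therefore can never match.

```python
import re

# Constructed excerpt of the RH-Firewall-1-INPUT listing from the post
# (same column layout as 'service iptables status' / 'iptables -L -n --line-numbers').
SAMPLE_CHAIN = """\
Chain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 state NEW tcp dpt:22
24 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
25 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:3306
26 ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp dpt:3306
"""

# num target prot opt source destination [extra match text / target options]
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_rules(listing):
    """Turn the numbered rule lines of one chain into dicts; header lines are skipped."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        num, target, prot, _opt, src, dst, extra = m.groups()
        rules.append({"num": int(num), "target": target, "prot": prot,
                      "src": src, "dst": dst, "extra": extra.strip()})
    return rules


def is_catch_all_deny(rule):
    """True for a REJECT/DROP that matches any protocol from anywhere to anywhere.

    'reject-with ...' is a target option, not a match, so it does not narrow the rule.
    ACCEPT rules on 'all 0.0.0.0/0' are deliberately not treated as catch-alls: plain
    '-L' hides interface matches, and rule 1 here is the usual '-i lo' loopback rule
    ('iptables -L -n -v --line-numbers' shows the interface column).
    """
    extra = rule["extra"]
    narrowed = bool(extra) and not extra.startswith("reject-with")
    return (rule["target"] in ("REJECT", "DROP") and rule["prot"] == "all"
            and rule["src"] == "0.0.0.0/0" and rule["dst"] == "0.0.0.0/0"
            and not narrowed)


def shadowed_rules(listing):
    """Return (number of the first catch-all deny, [rule numbers after it that never match])."""
    rules = parse_rules(listing)
    for i, rule in enumerate(rules):
        if is_catch_all_deny(rule):
            return rule["num"], [r["num"] for r in rules[i + 1:]]
    return None, []


if __name__ == "__main__":
    print(shadowed_rules(SAMPLE_CHAIN))  # (24, [25, 26]): the MySQL rules are unreachable
```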