[mythtv-users] Iptables prevent remote database connection

Andrew Robinson awrobinson-ml at nc.rr.com
Sun Apr 8 01:23:05 UTC 2007


Robin Hill wrote:
> On Thu Apr 05, 2007 at 09:46:47PM -0400, Andrew Robinson wrote:
> 
>> This is similar to a problem discussed in the last couple of days but 
>> with a seemingly different twist. When I have iptables running on the 
>> backend server, I cannot connect to the mythconverg database from a 
>> remote host. When I stop iptables, I can connect. I think I have opened 
>> the required ports. Can anyone tell me what I am doing wrong?
>>
>> And here is the output of 'service iptables status':
>>
>> [root@muses ~]$ service iptables status
>>
>> Table: filter
>> Chain INPUT (policy ACCEPT)
>> num  target     prot opt source               destination
>> 1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0       0.0.0.0/0
>>
>> Chain FORWARD (policy ACCEPT)
>> num  target     prot opt source        destination
>> 1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0       0.0.0.0/0
>>
>> Chain OUTPUT (policy ACCEPT)
>> num  target     prot opt source        destination
>>
>> Chain RH-Firewall-1-INPUT (2 references)
>> num  target   prot opt source          destination
>> 1    ACCEPT   all  --  0.0.0.0/0       0.0.0.0/0
>> 2    ACCEPT   icmp --  0.0.0.0/0       0.0.0.0/0   icmp type 255
>> 3    ACCEPT   esp  --  0.0.0.0/0       0.0.0.0/0
>> 4    ACCEPT   ah   --  0.0.0.0/0       0.0.0.0/0
>> 5    ACCEPT   udp  --  0.0.0.0/0       224.0.0.251 udp dpt:5353
>> 6    ACCEPT   all  --  0.0.0.0/0       0.0.0.0/0   state RELATED,ESTABLISHED
>> 7    ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   state NEW tcp dpt:22
>> 8    ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   state NEW tcp dpt:80
>> 9    ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   state NEW tcp dpt:443
>> 10   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:631
>> 11   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:631
>> 12   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:111
>> 13   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:111
>> 14   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:113
>> 15   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:113
>> 16   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:2049
>> 17   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:2049
>> 18   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpts:4000:4003
>> 19   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpts:4000:4003
>> 20   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpts:137:138
>> 21   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:139
>> 22   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:445
>> 23   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:445
>> 24   REJECT   all  --  0.0.0.0/0       0.0.0.0/0   reject-with icmp-host-prohibited
>> 25   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:3306
>> 26   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:3306
>> 27   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:6543
>> 28   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:6543
>> 29   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:6544
>> 30   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:6544
>> 31   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:6546
>> 32   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:6546
>> 33   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:1009
>> 34   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:7288
>> 35   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:5353
>> 36   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:1527
>> 37   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:2190
>> 38   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:2190
>> 39   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:8081
>>
> The ordering of your iptables rules is wrong - they're applied in order,
> so everything after rule 24 (which will reject any traffic) will never
> be reached.
> 
> Are these rules defined in a file somewhere?  If so it should just
> be a matter of reordering them, making sure the reject rule is last.
> 

Bingo! That resolved my problem. Thank you very much!

Andrew
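The thread's root cause is that iptables evaluates a chain top to bottom and stops at the first terminating target, so a catch-all REJECT at position 24 makes rules 25 to 39 unreachable. The script below is an added example, not code from the thread or from MythTV: it reads the numbered listing that `service iptables status` or `iptables -L -n --line-numbers` prints, reports every rule that sits after an unconditional REJECT/DROP in the same chain, dry-runs the reorder on the listing text, and prints the `iptables` commands that perform the same move on the live box. The embedded listing is an abridged excerpt of the chain posted above with the wrapped lines rejoined; the function names are mine, and the `-A` line assumes the reject rule is exactly the `-j REJECT --reject-with icmp-host-prohibited` the listing shows.

```shell
#!/bin/sh
# Added example (not from the thread): find iptables rules that can never match
# because an unconditional REJECT/DROP sits earlier in the same chain, and show
# how the catch-all rule is moved to the end.
# Input is the numbered listing printed by `service iptables status` or
# `iptables -L -n --line-numbers`.

# Abridged excerpt of the chain from the thread (wrapped lines rejoined).
# Rule 24 is the catch-all REJECT that shadows the MySQL/MythTV rules after it.
LISTING='Chain RH-Firewall-1-INPUT (2 references)
num  target   prot opt source          destination
1    ACCEPT   all  --  0.0.0.0/0       0.0.0.0/0
2    ACCEPT   icmp --  0.0.0.0/0       0.0.0.0/0   icmp type 255
5    ACCEPT   udp  --  0.0.0.0/0       224.0.0.251 udp dpt:5353
6    ACCEPT   all  --  0.0.0.0/0       0.0.0.0/0   state RELATED,ESTABLISHED
7    ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   state NEW tcp dpt:22
24   REJECT   all  --  0.0.0.0/0       0.0.0.0/0   reject-with icmp-host-prohibited
25   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:3306
26   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:3306
27   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:6543
28   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:6543
29   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:6544
30   ACCEPT   udp  --  192.168.1.0/24  0.0.0.0/0   udp dpt:6544
39   ACCEPT   tcp  --  192.168.1.0/24  0.0.0.0/0   tcp dpt:8081'

# shadowed_rules LISTING
# Prints "<chain> <rule line>" for every rule placed after an unconditional
# REJECT/DROP (proto all, any source, any destination, no match options other
# than reject-with) in the same chain. Rules after it are dead code.
shadowed_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2; dead = 0; next }
        /^num / || NF == 0 { next }
        dead { print chain, $0; next }
        ($2 == "REJECT" || $2 == "DROP") && $3 == "all" &&
        $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" {
            # Columns after "destination" are match options; only a bare
            # "reject-with <type>" keeps the rule unconditional.
            extra = ""
            for (i = 7; i <= NF; i++) extra = extra " " $i
            if (extra == "" || extra ~ /^ reject-with [^ ]+$/) dead = 1
        }
    '
}

# move_rule_last LISTING CHAIN NUM
# Dry run of "-D CHAIN NUM" followed by "-A CHAIN ...": returns the listing
# with that rule moved to the end of its chain (rule numbers are left as-is).
move_rule_last() {
    printf '%s\n' "$1" | awk -v chain="$2" -v num="$3" '
        function flush() { if (held != "") { print held; held = "" } }
        /^Chain / { flush(); cur = $2 }
        cur == chain && $1 == num { held = $0; next }
        { print }
        END { flush() }
    '
}

# fix_commands CHAIN NUM
# The commands that apply the same move on the live firewall and persist it.
# Assumes the rule at NUM is "-j REJECT --reject-with icmp-host-prohibited".
fix_commands() {
    printf 'iptables -D %s %s\n' "$1" "$2"
    printf 'iptables -A %s -j REJECT --reject-with icmp-host-prohibited\n' "$1"
    printf 'service iptables save\n'
}

echo "Rules that can never match:"
shadowed_rules "$LISTING"
echo
echo "Commands to move the REJECT rule last on the live system:"
fix_commands RH-Firewall-1-INPUT 24
echo
echo "Shadowed rules after the dry-run reorder (expect none):"
shadowed_rules "$(move_rule_last "$LISTING" RH-Firewall-1-INPUT 24)"
```

Two caveats a practitioner should keep in mind. The check flags only REJECT and DROP on purpose: rule 1 above displays as "ACCEPT all from anywhere", yet it cannot actually accept everything, or the MySQL connection would never have failed. `iptables -L` without `-v` omits the in/out interface columns, so a rule restricted to an interface (the loopback ACCEPT that typically heads this chain) looks unconditional; confirm with `iptables -L -n -v --line-numbers` before treating any rule as a catch-all. Second, deleting by number renumbers every rule that follows, so run `-D` once and re-list before issuing any further numbered commands. Editing /etc/sysconfig/iptables so the REJECT line is the last one in the chain and restarting the service, as the reply suggests, produces the same order persistently.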
