
I'm trying to set my server (CentOS 6.9) to accept remote MySQL connections and I'm stuck on the firewall config.

I have everything set right on the MySQL side; I can connect through telnet if I stop iptables, but not when it's active.

I've already tried:

-A INPUT -i lo -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT

But still I get "connection refused" with iptables active. What am I doing wrong?

EDIT: output of iptables -L --line-numbers

Chain INPUT (policy ACCEPT)
num  target         prot opt source               destination
1    ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:mysql
2    acctboth       all  --  anywhere             anywhere
3    tcpchk         tcp  --  anywhere             anywhere
4    udpchk         udp  --  anywhere             anywhere
5    icmpchk        icmp --  anywhere             anywhere
6    ipdrop_global  all  --  anywhere             anywhere
7    input_custom   all  --  anywhere             anywhere
8    ACCEPT         all  --  anywhere             anywhere
9    ssh            tcp  --  anywhere             anywhere             state NEW tcp dpt:22022
10   ACCEPT         icmp --  anywhere             anywhere             icmp echo-request limit: up to 2/sec burst 10 mode srcip
11   LOG            icmp --  anywhere             anywhere             icmp echo-request limit: avg 5/min burst 5 LOG level error prefix `ICMP_DROP '
12   DROP           icmp --  anywhere             anywhere             icmp echo-request
13   ACCEPT         icmp --  anywhere             anywhere             icmp echo-reply
14   ACCEPT         icmp --  anywhere             anywhere             icmp fragmentation-needed
15   ACCEPT         icmp --  anywhere             anywhere             icmp port-unreachable
16   ACCEPT         icmp --  anywhere             anywhere             icmp host-unreachable
17   ACCEPT         icmp --  anywhere             anywhere             icmp time-exceeded
18   ACCEPT         icmp --  anywhere             anywhere             icmp parameter-problem
19   ACCEPT         icmp --  anywhere             anywhere             icmp type 30
20   ACCEPT         icmp --  anywhere             anywhere             state ESTABLISHED
21   ACCEPT         tcp  --  103.21.244.0/22      anywhere             tcp dpt:http
22   ACCEPT         tcp  --  103.22.200.0/22      anywhere             tcp dpt:http
23   ACCEPT         tcp  --  103.31.4.0/22        anywhere             tcp dpt:http
24   ACCEPT         tcp  --  104.16.0.0/12        anywhere             tcp dpt:http
25   ACCEPT         tcp  --  108.162.192.0/18     anywhere             tcp dpt:http
26   ACCEPT         tcp  --  131.0.72.0/22        anywhere             tcp dpt:http
27   ACCEPT         tcp  --  141.101.64.0/18      anywhere             tcp dpt:http
28   ACCEPT         tcp  --  162.158.0.0/15       anywhere             tcp dpt:http
29   ACCEPT         tcp  --  172.64.0.0/13        anywhere             tcp dpt:http
30   ACCEPT         tcp  --  173.245.48.0/20      anywhere             tcp dpt:http
31   ACCEPT         tcp  --  188.114.96.0/20      anywhere             tcp dpt:http
32   ACCEPT         tcp  --  190.93.240.0/20      anywhere             tcp dpt:http
33   ACCEPT         tcp  --  197.234.240.0/22     anywhere             tcp dpt:http
34   ACCEPT         tcp  --  198.41.128.0/17      anywhere             tcp dpt:http
35   ACCEPT         tcp  --  vps.retireja.com.br  anywhere             tcp dpt:http
36   ACCEPT         tcp  --  server.thenarcissistswife.com  anywhere   multiport dports ssh,http
37   ACCEPT         icmp --  server.thenarcissistswife.com  anywhere   icmp echo-request
38   ACCEPT         tcp  --  54.e2.adb8.ip4.static.sl-reverse.com  anywhere  multiport dports ssh,http
39   ACCEPT         icmp --  54.e2.adb8.ip4.static.sl-reverse.com  anywhere  icmp echo-request
40   ACCEPT         tcp  --  32.e0.acb8.ip4.static.sl-reverse.com  anywhere  multiport dports ssh,http
41   ACCEPT         icmp --  32.e0.acb8.ip4.static.sl-reverse.com  anywhere  icmp echo-request
42   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:domain
43   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:ftp
44   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:ssh
45   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:smtp
46   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:26
47   ACCEPT         udp  --  anywhere             anywhere             udp dpt:domain
48   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:http
49   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:pop3
50   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:imap
51   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:https
52   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:urd
53   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:submission
54   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:infowave
55   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:radsec
56   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:sunclustergeo
57   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:gnunet
58   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:eli
59   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:sep
60   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:EtherNet/IP-1
61   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:nbx-ser
62   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:nbx-dir
63   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:imaps
64   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:pop3s
65   ACCEPT         udp  --  google-public-dns-b.google.com  anywhere  udp spt:domain
66   ACCEPT         tcp  --  google-public-dns-b.google.com  anywhere  tcp spt:domain
67   ACCEPT         udp  --  google-public-dns-a.google.com  anywhere  udp spt:domain
68   ACCEPT         tcp  --  google-public-dns-a.google.com  anywhere  tcp spt:domain
69   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:22022
70   ACCEPT         udp  --  anywhere             anywhere             udp dpt:22022
71   ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
72   LOG            all  --  anywhere             anywhere             limit: avg 1/sec burst 5 LOG level warning prefix `LOG_INPUT: '
73   DROP           all  --  anywhere             anywhere
74   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:mysql
75   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:mysql
76   ACCEPT         tcp  --  vps.retireja.com.br  anywhere             tcp dpt:mysql
77   ACCEPT         tcp  --  vps.retireja.com.br  anywhere             tcp dpt:mysql

Chain FORWARD (policy ACCEPT)
num  target         prot opt source               destination
1    tcpchk         tcp  --  anywhere             anywhere
2    udpchk         udp  --  anywhere             anywhere
3    icmpchk        icmp --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
num  target         prot opt source               destination
1    cpanel-dovecot-solr  all  --  anywhere       anywhere
2    acctboth       all  --  anywhere             anywhere
3    tcpchk         tcp  --  anywhere             anywhere
4    udpchk         udp  --  anywhere             anywhere
5    icmpchk        icmp --  anywhere             anywhere
6    output_custom  all  --  anywhere             anywhere
7    ACCEPT         all  --  anywhere             anywhere
8    ACCEPT         icmp --  anywhere             anywhere             state NEW,ESTABLISHED
9    ACCEPT         icmp --  anywhere             server.thenarcissistswife.com  icmp echo-reply
10   ACCEPT         icmp --  anywhere             54.e2.adb8.ip4.static.sl-reverse.com  icmp echo-reply
11   ACCEPT         icmp --  anywhere             32.e0.acb8.ip4.static.sl-reverse.com  icmp echo-reply
12   ACCEPT         udp  --  anywhere             anywhere             udp dpt:saphostctrls
13   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:saphostctrls
14   ACCEPT         udp  --  anywhere             anywhere             udp dpt:30000
15   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:30000
16   ACCEPT         udp  --  anywhere             anywhere             udp dpt:pop3
17   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:pop3
18   ACCEPT         udp  --  anywhere             anywhere             udp dpt:nicname
19   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:nicname
20   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:rsync
21   ACCEPT         udp  --  anywhere             anywhere             owner UID match root
22   ACCEPT         icmp --  anywhere             anywhere
23   ACCEPT         all  --  anywhere             anywhere
24   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:ftp
25   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:ssh
26   ACCEPT         tcp  --  anywhere             gateway07.websitewelcome.com  tcp dpt:smtp
27   ACCEPT         tcp  --  anywhere             gateway03.websitewelcome.com  tcp dpt:smtp
28   ACCEPT         tcp  --  anywhere             gateway04.websitewelcome.com  tcp dpt:smtp
29   ACCEPT         tcp  --  anywhere             gateway05.websitewelcome.com  tcp dpt:smtp
30   ACCEPT         tcp  --  anywhere             gateway06.websitewelcome.com  tcp dpt:smtp
31   ACCEPT         tcp  --  anywhere             gateway09.websitewelcome.com  tcp dpt:smtp
32   ACCEPT         tcp  --  anywhere             gateway10.websitewelcome.com  tcp dpt:smtp
33   ACCEPT         tcp  --  anywhere             gateway11.websitewelcome.com  tcp dpt:smtp
34   ACCEPT         tcp  --  anywhere             gateway12.websitewelcome.com  tcp dpt:smtp
35   ACCEPT         tcp  --  anywhere             gateway13.websitewelcome.com  tcp dpt:smtp
36   ACCEPT         tcp  --  anywhere             gateway14.websitewelcome.com  tcp dpt:smtp
37   ACCEPT         tcp  --  anywhere             gateway15.websitewelcome.com  tcp dpt:smtp
38   ACCEPT         tcp  --  anywhere             gateway16.websitewelcome.com  tcp dpt:smtp
39   ACCEPT         tcp  --  anywhere             gateway02.websitewelcome.com  tcp dpt:smtp
40   ACCEPT         tcp  --  anywhere             gateway01.websitewelcome.com  tcp dpt:smtp
41   ACCEPT         tcp  --  anywhere             gateway08.websitewelcome.com  tcp dpt:smtp
42   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:smtp owner UID match mailnull
43   LOG            tcp  --  anywhere             anywhere             ! owner UID match root multiport dports smtp,urd,submission limit: avg 1/sec burst 5 LOG level notice prefix `OUTBOUND-SMTP : '
44   ACCEPT         udp  --  anywhere             anywhere             udp dpt:domain ! owner UID match nobody
45   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:domain ! owner UID match nobody
46   ACCEPT         udp  --  anywhere             google-public-dns-b.google.com  udp dpt:domain
47   ACCEPT         tcp  --  anywhere             google-public-dns-b.google.com  tcp dpt:domain
48   ACCEPT         udp  --  anywhere             google-public-dns-a.google.com  udp dpt:domain
49   ACCEPT         tcp  --  anywhere             google-public-dns-a.google.com  tcp dpt:domain
50   ACCEPT         udp  --  anywhere             anywhere             udp dpt:domain owner UID match nobody limit: avg 20/sec burst 5
51   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:domain owner UID match nobody limit: avg 20/sec burst 5
52   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:http
53   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:https
54   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:urd
55   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:submission
56   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:gnunet
57   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:eli
58   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:sep
59   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:mysql
60   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:time
61   ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:sms-chat
62   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:domain
63   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:ftp
64   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:ssh
65   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:22022
66   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:smtp
67   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:26
68   ACCEPT         udp  --  anywhere             anywhere             udp spt:domain
69   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:http
70   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:pop3
71   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:imap
72   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:https
73   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:urd
74   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:submission
75   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:infowave
76   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:radsec
77   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:sunclustergeo
78   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:gnunet
79   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:eli
80   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:sep
81   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:EtherNet/IP-1
82   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:nbx-ser
83   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:nbx-dir
84   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:imaps
85   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:pop3s
86   ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
87   LOG            all  --  anywhere             anywhere             limit: avg 1/sec burst 5 LOG level warning prefix `LOG_OUTPUT: '
88   DROP           all  --  anywhere             anywhere
89   ACCEPT         tcp  --  anywhere             anywhere             tcp spt:mysql

Chain acctboth (2 references)
num  target         prot opt source               destination

Chain cpanel-dovecot-solr (1 references)
num  target         prot opt source               destination
1    ACCEPT         tcp  --  anywhere             anywhere             multiport sports 8984,7984 owner UID match cpanelsolr
2    ACCEPT         tcp  --  anywhere             anywhere             multiport sports 8984,7984 owner UID match root
3    REJECT         tcp  --  anywhere             anywhere             multiport sports 8984,7984 reject-with icmp-port-unreachable

Chain icmpchk (3 references)
num  target         prot opt source               destination

Chain input_custom (1 references)
num  target         prot opt source               destination

Chain ipdrop_global (1 references)
num  target         prot opt source               destination
1    DROP           all  --  43.255.190.0/23      anywhere

Chain output_custom (1 references)
num  target         prot opt source               destination

Chain ssh (1 references)
num  target         prot opt source               destination
1    ACCEPT         all  --  supra.websitewelcome.com  anywhere
2    ACCEPT         all  --  wizard2.hostgator.com  anywhere
3    ACCEPT         all  --  wizard-backup.hostgator.com  anywhere
4    ACCEPT         all  --  216-106-185-169.ds1-static.mia1.net.ststelecom.com  anywhere
5    ACCEPT         all  --  12.96.160.0/24       anywhere
6    ACCEPT         all  --  216.19.0.0/24        anywhere
7                   tcp  --  anywhere             anywhere             state NEW recent: SET name: DEFAULT side: source
8    LOG            tcp  --  anywhere             anywhere             state NEW recent: CHECK seconds: 60 hit_count: 10 name: DEFAULT side: source limit: avg 10/min burst 5 LOG level notice prefix `SSH-ATTACK : '
9    REJECT         tcp  --  anywhere             anywhere             state NEW recent: UPDATE seconds: 60 hit_count: 10 name: DEFAULT side: source reject-with tcp-reset
10   ACCEPT         tcp  --  anywhere             anywhere

Chain tcpchk (3 references)
num  target         prot opt source               destination

Chain udpchk (3 references)
num  target         prot opt source               destination

1 Answer


Remove this rule:

-A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset 

You can remove a rule by printing the line numbers this way:

iptables -L --line-numbers 

and then deleting the line by its line number.

For instance, if the offending line is number 7, then:

iptables -D INPUT 7 
  • @vlastimil thx for the edit on the quote of the line; however, I did purposefully put "for instance" in bold so that the OP didn't miss that I'm not suggesting he run that command without changing the number from 7 to the appropriate number. Commented Jan 30, 2018 at 18:25
  • Don't use bold text unless really necessary. Commented Jan 30, 2018 at 18:29
  • It appears they’re trying to allow port 3306, and have a rule to that effect ahead of the reject line; why do you think that removing this catch-all line will help? Commented Jan 30, 2018 at 19:07
  • It didn't work: I removed that line and still I can connect remotely. The only difference is that now instead of getting "connection refused", I get "connection timed out". Commented Jan 30, 2018 at 19:34
  • There is a REJECT on the outbound... better get it out, too: -A OUTPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset. If that doesn't work, can you add the output of iptables -L --line-numbers to your question? It's much easier to digest, imho. Commented Jan 30, 2018 at 19:37
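As an added example (not code from the question or the answer), here is a small shell check that reads an iptables -L --line-numbers listing and flags every rule that sits behind a catch-all DROP or REJECT in its chain, which is the position the mysql ACCEPT rules occupy in the question's INPUT chain (rules 74-77 come after rule 73, "DROP all"). The listing embedded below is a constructed, shortened stand-in for the question's output, with renumbered rules and the placeholder host 192.0.2.10.

```shell
# Added example, not from the question or the answer: report rules that can
# never match because an earlier rule in the same chain already drops or
# rejects all traffic. Reads an "iptables -L --line-numbers" listing on stdin
# and prints "CHAIN:NUM TARGET" for each unreachable rule.
unreachable_rules() {
    awk '
        /^Chain /  { chain = $2; blocked = 0; next }   # new chain resets state
        /^num /    { next }                             # column header
        NF == 0    { next }                             # blank separator
        {
            if (blocked) { printf "%s:%s %s\n", chain, $1, $2; next }
            # Catch-all: DROP or REJECT, all protocols, any source, any
            # destination ("anywhere" with -L, 0.0.0.0/0 with -n) and no
            # further match apart from an optional reject-with.
            if (($2 == "DROP" || $2 == "REJECT") && $3 == "all" &&
                ($5 == "anywhere" || $5 == "0.0.0.0/0") &&
                ($6 == "anywhere" || $6 == "0.0.0.0/0") &&
                (NF == 6 || $7 == "reject-with")) { blocked = 1 }
        }
    '
}

# Constructed, shortened stand-in for the question's INPUT and OUTPUT chains
# (rule numbers renumbered; 192.0.2.10 is a placeholder host).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mysql
2    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
3    LOG        all  --  anywhere             anywhere             limit: avg 1/sec burst 5 LOG level warning
4    DROP       all  --  anywhere             anywhere
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mysql
6    ACCEPT     tcp  --  192.0.2.10           anywhere             tcp dpt:mysql

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    DROP       all  --  anywhere             anywhere
3    ACCEPT     tcp  --  anywhere             anywhere             tcp spt:mysql
'

# Run the check over the sample and return the findings on one line.
check_sample() {
    printf '%s' "$SAMPLE_LISTING" | unreachable_rules | tr '\n' ' ' | sed 's/ $//'
}

check_sample
```

The parser expects the plain -L --line-numbers column layout, so feed it that output rather than the -v form. Check which interface each rule is bound to separately with iptables -S, because the plain listing hides -i/-o matches and an -i lo rule looks identical to an -i eth0 one.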
