Can't open port 3306 on eth0 but can for lo

I'm trying to open port 3306 on my Debian server to the LAN. I already
have a firewall separating me from the outside world, so my server can
be completely open if necessary. Unfortunately, I can't seem to get
iptables to do what I want. The port 3306 is accessible from the
loopback adapter (lo) but not from my network card (eth0). When I try
to connect to mysql from another machine on port 3306 using telnet, I
get "Connection refused."

I've been trying to use iptables to open the port in various ways, but
I won't bore you with all of the details. I thought that the below
commands would leave the server completely open but I guess that I was
mistaken. (Note: I'd like for the server to be somewhat secure, but for
the moment I just want it to work.)

strongbad:~# iptables -A INPUT -i lo -j ACCEPT
strongbad:~# iptables -A OUTPUT -o lo -j ACCEPT
strongbad:~# iptables -A FORWARD -i lo -j ACCEPT
strongbad:~# iptables -A INPUT -i eth0 -j ACCEPT
strongbad:~# iptables -A OUTPUT -o eth0 -j ACCEPT
strongbad:~# iptables -A FORWARD -i eth0 -j ACCEPT

Here's what I know:

strongbad:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:C0:CA:12:07:D9
          inet addr:192.168.2.5  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::2c0:caff:fe12:7d9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:428 errors:0 dropped:0 overruns:0 frame:0
          TX packets:300 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:285759 (279.0 KiB)  TX bytes:72587 (70.8 KiB)
          Interrupt:5 Base address:0x8800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6688 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6688 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:267552 (261.2 KiB)  TX bytes:267552 (261.2 KiB)

strongbad:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

strongbad:~# nmap -v localhost
Starting Nmap 3.95 ( http://www.insecure.org/nmap/ ) at 2006-01-15 13:03 EST
Initiating SYN Stealth Scan against localhost.localdomain (127.0.0.1) [1670 ports] at 13:03
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 6543/tcp on 127.0.0.1
Discovered open port 3306/tcp on 127.0.0.1
Discovered open port 6544/tcp on 127.0.0.1
The SYN Stealth Scan took 0.11s to scan 1670 total ports.
Host localhost.localdomain (127.0.0.1) appears to be up ... good.
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1665 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
3306/tcp open  mysql
6543/tcp open  mythtv
6544/tcp open  mythtv
Nmap finished: 1 IP address (1 host up) scanned in 0.150 seconds
Raw packets sent: 1670 (66.8KB) | Rcvd: 3345 (134KB)

strongbad:~# nmap -v 192.168.2.5
Starting Nmap 3.95 ( http://www.insecure.org/nmap/ ) at 2006-01-15 13:04 EST
Initiating SYN Stealth Scan against 192.168.2.5 [1670 ports] at 13:04
Discovered open port 80/tcp on 192.168.2.5
Discovered open port 6543/tcp on 192.168.2.5
Discovered open port 6544/tcp on 192.168.2.5
The SYN Stealth Scan took 0.11s to scan 1670 total ports.
Host 192.168.2.5 appears to be up ... good.
Interesting ports on 192.168.2.5:
(The 1667 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
80/tcp   open  http
6543/tcp open  mythtv
6544/tcp open  mythtv
Nmap finished: 1 IP address (1 host up) scanned in 0.209 seconds
Raw packets sent: 1670 (66.8KB) | Rcvd: 3343 (134KB)
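
The two scans in the post show 3306 open on 127.0.0.1 and closed on 192.168.2.5 while every chain accepts all traffic, which is what a listener bound only to loopback looks like from outside. An added example (not part of the original post) that classifies a port's bind address from `netstat -ltn` output; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how a TCP port is bound, from `netstat -ltn` output.
# listen_scope PORT reads the listing on stdin and prints one of:
#   all                 bound to 0.0.0.0 or :: (reachable on every interface)
#   loopback            bound only to 127.0.0.0/8 or ::1
#   specific ADDR...    bound to other, explicitly named address(es)
#   none                nothing is listening on that port
listen_scope() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            laddr = $4                       # e.g. 127.0.0.1:3306 or :::80
            n = split(laddr, parts, ":")
            if (parts[n] != port) next       # last field after ":" is the port
            addr = substr(laddr, 1, length(laddr) - length(parts[n]) - 1)
            if (addr == "0.0.0.0" || addr == "::" || addr == "*") all = 1
            else if (addr ~ /^127\./ || addr == "::1") lo = 1
            else other = other " " addr
        }
        END {
            if (all) print "all"
            else if (other != "") print "specific" other
            else if (lo) print "loopback"
            else print "none"
        }'
}

# Constructed sample listing, shaped to match the nmap results in the post
# (80, 6543, 6544 open on the LAN address; 25 and 3306 only on localhost).
sample_listing() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6543            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6544            0.0.0.0:*               LISTEN
EOF
}

# On a live host:  netstat -ltn | listen_scope 3306
for p in 3306 80 22; do
    printf '%s: %s\n' "$p" "$(sample_listing | listen_scope "$p")"
done
```

A `loopback` result for 3306 points at the server's own listen address (MySQL's `bind-address` or `skip-networking` setting) rather than at iptables; binding it to the LAN address and limiting the source subnet in the INPUT chain keeps the exposure narrower than `0.0.0.0`.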