
Re: iptables/routing network problem
On Sun, Jan 30, 2011 at 20:48, geertsky <begeert@gmail.com> wrote:
Hello,
I'm having a weird problem I cannot solve...
I have a pptp connection from my house to my server using
192.168.2.0/24 range ip's
I'm trying to make mysql accessible from the 192.168.2.0/24 network.
On the server I've got ufw firewall so I state "ufw insert 4 allow
proto tcp from 192.168.2.0/24 to 192.168.2.1 port 3306"
This gives ufw status numbered:
Status: active

    To                         Action      From
    --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 1723/tcp                   ALLOW IN    Anywhere
[ 3] Anywhere                   DENY IN     192.168.254.0/24
[ 4] 192.168.2.1 3306/tcp       ALLOW IN    192.168.2.0/24
[ 5] 192.168.2.1 80/tcp         ALLOW IN    192.168.2.0/24
[ 6] 80/tcp                     ALLOW IN    Anywhere
[ 7] 21/tcp                     ALLOW IN    Anywhere
[ 8] 192.168.2.0/24             DENY IN     192.168.100.0/24
[ 9] 192.168.2.0/24             DENY IN     192.168.1.0/24
[10] 217.148.94.148 25          ALLOW IN    Anywhere
[11] 217.148.94.148 993         ALLOW IN    Anywhere
[12] 217.148.94.148 995         ALLOW IN    Anywhere

looks good I thought...
To test I used netcat because mysqld has some restrictions and to rule
any mysql problems out first just a netcat connection...
so on the server: nc -vl 192.168.2.1 3306
on the client: telnet 192.168.2.1 3306
and it times out unable to connect...
ping 192.168.2.1 on the client gives replies...
iptables -L on the client gives ACCEPT ACCEPT ACCEPT and no further
rules...
hhm... strange...
After this I've been looking everywhere to find out eventually the
following:
ufw delete 4   #delete the existing mysql accept rule
ufw insert 4 allow proto tcp from 192.168.2.0/24 to 192.168.2.1 port
3307
ufw status numbered gives:
Status: active

    To                         Action      From
    --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 1723/tcp                   ALLOW IN    Anywhere
[ 3] Anywhere                   DENY IN     192.168.254.0/24
[ 4] 192.168.2.1 3307/tcp       ALLOW IN    192.168.2.0/24
[ 5] 192.168.2.1 80/tcp         ALLOW IN    192.168.2.0/24
[ 6] 80/tcp                     ALLOW IN    Anywhere
[ 7] 21/tcp                     ALLOW IN    Anywhere
[ 8] 192.168.2.0/24             DENY IN     192.168.100.0/24
[ 9] 192.168.2.0/24             DENY IN     192.168.1.0/24
[10] 217.148.94.148 25          ALLOW IN    Anywhere
[11] 217.148.94.148 993         ALLOW IN    Anywhere
[12] 217.148.94.148 995         ALLOW IN    Anywhere

on the server: nc -vl 192.168.2.1 3307
on the client: telnet 192.168.2.1 3307
Connected to 192.168.2.1.
Escape character is '^]'.!!!!!!!!!!!!
and I can chat as I'm supposed to be able to using nc.

Apparently there is somewhere in the os a rule which disables access
to port 3306, but it's not an iptables rule...
Does anyone have an idea what apart from iptables controls network
traffic?
Thanks cause I'm completely lost...

Greetings,
Geert


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/f663cbd7-417e-4581-9574-90891eae4b18@b34g2000yqc.googlegroups.com


* Could you try it after completely disabling the firewall once, to make sure that 3306 works.
* Also to see the stats, use "iptables -L -vn" to get the packet stats also.  Take two of these logs before and after
trying to connect to 3306, see which particular rule counter is going up.
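The counter comparison the reply suggests, written out as an added example (not code from the thread): it parses two saved `iptables -L -vn` listings taken before and after the connection attempt and reports which rule counters rose, so the rule that actually handled the packets (or the absence of any hit on the expected ACCEPT rule) becomes visible. The two listings below are constructed samples, not output from Geert's server.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample snapshots in `iptables -L -vn` layout (not from the thread).
BEFORE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120 7200 ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    3  180 DROP       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0    0 ACCEPT     tcp  --  *      *       192.168.2.0/24       192.168.2.1          tcp dpt:3306
"""
AFTER = BEFORE.replace("  120 7200", "  125 7500").replace("    3  180", "    6  360")

_SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}  # iptables abbreviates large counters


def _count(tok: str) -> int:
    """Parse a pkts/bytes column value such as '120' or '12K'."""
    if tok[-1] in _SUFFIX:
        return int(float(tok[:-1]) * _SUFFIX[tok[-1]])
    return int(tok)


# (chain name, 1-based rule position) -> (packet counter, rule text)
Counters = Dict[Tuple[str, int], Tuple[int, str]]


def parse_counters(listing: str) -> Counters:
    """Walk an `iptables -L -vn` listing and record the packet counter of every rule."""
    rules: Counters = {}
    chain, pos = None, 0
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain, pos = line.split()[1], 0          # new chain header resets the position
            continue
        fields = line.split()
        if chain is None or len(fields) < 3 or fields[0] == "pkts":
            continue                                  # blank or column-header line
        pos += 1
        rules[(chain, pos)] = (_count(fields[0]), " ".join(fields[2:]))
    return rules


def rules_hit(before: str, after: str) -> List[Tuple[str, int, int, str]]:
    """Return (chain, position, packet delta, rule) for every rule whose counter rose."""
    b, a = parse_counters(before), parse_counters(after)
    hits = []
    for key, (pkts_after, rule) in a.items():
        pkts_before = b.get(key, (0, rule))[0]       # rule absent before: treat as 0
        if pkts_after > pkts_before:
            hits.append((key[0], key[1], pkts_after - pkts_before, rule))
    return sorted(hits, key=lambda h: -h[2])         # largest delta first


if __name__ == "__main__":
    for chain, pos, delta, rule in rules_hit(BEFORE, AFTER):
        print(f"{chain}[{pos}] +{delta} pkts  {rule}")
```

In the sample the ufw ACCEPT rule for dpt:3306 stays at zero while an earlier rule in INPUT counts the packets, which is the kind of result the diff is meant to surface; with real listings, rerun the script against the two saved files.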

