Re: iptables/routing network problem
On Sun, 30 Jan 2011 13:30:40 -0800 (PST) geertsky <bege...@gmail.com> wrote:

> On Jan 30, 10:20 pm, geertsky <bege...@gmail.com> wrote:
>> On Jan 30, 4:50 pm, Mihira Fernando <mihirathe...@gmail.com> wrote:
>>> On 01/30/2011 08:48 PM, geertsky wrote:
>>>> Hello,
>>>>
>>>> I'm having a weird problem I cannot solve... I have a PPTP connection
>>>> from my house to my server using 192.168.2.0/24 range IPs. I'm trying to
>>>> make MySQL accessible from the 192.168.2.0/24 network. On the server I've
>>>> got the ufw firewall, so I state:
>>>>
>>>>     ufw insert 4 allow proto tcp from 192.168.2.0/24 to 192.168.2.1 port 3306
>>>>
>>>> [snip]
>>>>
>>>> Apparently there is somewhere in the OS a rule which disables access to
>>>> port 3306, but it's not an iptables rule... Does anyone have an idea what,
>>>> apart from iptables, controls network traffic?
>>>>
>>>> Thanks, 'cause I'm completely lost...
>>>>
>>>> Greetings, Geert
>>>
>>> Maybe a stupid question, but have you enabled network access in the MySQL
>>> server settings so that MySQL will actually accept connections over the
>>> network?
>>>
>>> Mihira.
>>
>> Hi Mihira,
>>
>> I'm not trying to connect to MySQL, well, not with the tests at least...
>> I'm using netcat to try to make a connection to port 3306 and even that
>> fails...
>>
>> Greetings, Geert
>
> Ok, I am a bit further now... So I found out it's the PPTP connection
> which is maliciously configured somehow... I have other PPTP connections
> also listening on that server, and a connection over one of the other PPTP
> servers succeeds! Still very strange though... why only port 3306 is
> infected by this... Anyways... I'll look into it maybe tomorrow or
> something and I'll report what I misconfigured...
>
> If anyone has suggestions I'm happy to hear it!

Your PPTP servers are presumably handing out different DHCP scopes, based on
different server addresses. Check in /etc/mysql/my.cnf for the bind-address
parameter, and confirm it contains all the PPTP server addresses. This still
looks the most likely issue.

You mention above that you are not trying to connect to MySQL, just checking
the port. A slight misunderstanding: you can never check whether a firewall
port is open merely by sending to it. What you are doing is checking both
that the firewall port is open and that there is a process listening on that
port which is willing to reply. Whatever tool you use to try the connection,
it must be MySQL which replies (you already know that MySQL is correctly
binding to 3306 when it starts, because other addresses work). So any MySQL
configuration which prevents replying will also cause the port to appear
closed.

There is a further stage of configuration, in the MySQL database store
itself. It stores user name and (hashed) password pairs, but the user names
are linked to IP addresses or ranges. This is another area that might have a
problem. The table is 'user' in the database 'mysql', and you'll need root
(MySQL root, not Linux) privileges to edit it. I'm sorry, I can't give you
the MySQL commands; I've been using phpMyAdmin for so long I can't remember
them. But any MySQL tutorial will show you how to add and edit users. The %
is the wildcard in MySQL, so IP ranges can be configured with it, or indeed
hostnames. A listing of the table will show what form the other entries take.

-- 
Joe

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110131104032.37cf0...@jresid.jretrading.com
Re: iptables/routing network problem
On 01/30/2011 08:48 PM, geertsky wrote:
> Hello,
>
> I'm having a weird problem I cannot solve... I have a PPTP connection from
> my house to my server using 192.168.2.0/24 range IPs. I'm trying to make
> MySQL accessible from the 192.168.2.0/24 network. On the server I've got
> the ufw firewall, so I state:
>
>     ufw insert 4 allow proto tcp from 192.168.2.0/24 to 192.168.2.1 port 3306
>
> [snip]
>
> Apparently there is somewhere in the OS a rule which disables access to
> port 3306, but it's not an iptables rule... Does anyone have an idea what,
> apart from iptables, controls network traffic?
>
> Thanks, 'cause I'm completely lost...
>
> Greetings, Geert

Maybe a stupid question, but have you enabled network access in the MySQL
server settings so that MySQL will actually accept connections over the
network?

Mihira.

Archive: http://lists.debian.org/4d45865a.10...@gmail.com
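Mihira's question here, and Joe's reply further up about bind-address and the Host column of mysql.user, both come down to checks that can be scripted. The POSIX sh below is an added example and is not code from this thread or from the MySQL project. It extracts bind-address from a my.cnf fragment (constructed inline, showing the Debian default of 127.0.0.1), decides whether a given server address would be served by that setting (MySQL 5.x takes a single bind-address, so the only ways to serve several PPTP server addresses are 0.0.0.0 or the exact address the client connects to), and reproduces the matching MySQL applies to Host entries in mysql.user: '%' matches any run of characters, '_' exactly one, and a net/netmask pair matches a range. The Host entries, the client address 192.168.2.10 and the function names are all constructed for the example; 192.168.2.1 is the server address from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): MySQL reachability checks in POSIX sh.

# Print the bind-address value from a my.cnf read on stdin (empty if unset).
# Accepts both spellings, bind-address and bind_address, and strips comments.
cnf_bind_address() {
    sed -n 's/^[[:space:]]*bind[-_]address[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' | tail -n 1
}

# Return 0 if mysqld bound to $1 would accept a connection to address $2.
# MySQL 5.x takes one bind-address: 0.0.0.0 means every IPv4 interface
# ("*" and "::" are the all-interfaces spellings of later versions).
bind_address_serves() {
    case $1 in
        0.0.0.0|'*'|::) return 0 ;;
        "$2")           return 0 ;;
        *)              return 1 ;;
    esac
}

# Dotted quad -> 32-bit integer (for the net/netmask form of the Host column).
ip2int() {
    saved_ifs=$IFS; IFS=.
    set -- $1
    IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if a mysql.user Host entry ($1) matches client address $2.
# Rules mirrored from MySQL: '%' matches any characters, '_' exactly one,
# and "net/mask" matches when (client & mask) == (net & mask).
mysql_host_matches() {
    case $1 in
        */*)
            net=${1%/*}; mask=${1#*/}
            [ $(( $(ip2int "$2") & $(ip2int "$mask") )) -eq \
              $(( $(ip2int "$net") & $(ip2int "$mask") )) ]
            ;;
        *)
            # Translate MySQL wildcards into shell glob characters; an
            # unquoted variable in a case pattern is matched as a glob.
            glob=$(printf '%s\n' "$1" | sed 's/%/*/g; s/_/?/g')
            case $2 in
                $glob) return 0 ;;
                *)     return 1 ;;
            esac
            ;;
    esac
}

# Constructed my.cnf fragment: the Debian default, which only serves loopback.
sample_cnf='[mysqld]
bind-address = 127.0.0.1'

# Constructed Host entries such as a listing of mysql.user might show.
sample_hosts='localhost
127.0.0.1
192.168.2.%
192.168.2.0/255.255.255.0
192.168.%.1_'

client=192.168.2.10   # constructed: a PPTP client in 192.168.2.0/24
server=192.168.2.1    # the PPTP server address from the thread

bind=$(printf '%s\n' "$sample_cnf" | cnf_bind_address)
if bind_address_serves "$bind" "$server"; then
    echo "bind-address=$bind: mysqld listens on $server"
else
    echo "bind-address=$bind: mysqld does NOT listen on $server"
fi

printf '%s\n' "$sample_hosts" | while read -r host; do
    if mysql_host_matches "$host" "$client"; then
        echo "Host '$host' matches $client"
    else
        echo "Host '$host' does not match $client"
    fi
done
```

Run against a real server, feed cnf_bind_address with `cat /etc/mysql/my.cnf` and the host list with `mysql -u root -p -N -e "SELECT Host FROM mysql.user"`. A bind-address that does not serve the PPTP address, or a Host list in which nothing matches the client, each produce exactly the symptom Joe describes: the port looks closed even though the firewall rule is right.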
Re: iptables/routing network problem
On Sun, Jan 30, 2011 at 20:48, geertsky <bege...@gmail.com> wrote:
> Hello,
>
> I'm having a weird problem I cannot solve... I have a PPTP connection from
> my house to my server using 192.168.2.0/24 range IPs. I'm trying to make
> MySQL accessible from the 192.168.2.0/24 network. On the server I've got
> the ufw firewall, so I state:
>
>     ufw insert 4 allow proto tcp from 192.168.2.0/24 to 192.168.2.1 port 3306
>
> This gives, for ufw status numbered:
>
>     Status: active
>
>          To                         Action      From
>          --                         ------      ----
>     [ 1] 22/tcp                     ALLOW IN    Anywhere
>     [ 2] 1723/tcp                   ALLOW IN    Anywhere
>     [ 3] Anywhere                   DENY IN     192.168.254.0/24
>     [ 4] 192.168.2.1 3306/tcp       ALLOW IN    192.168.2.0/24
>     [ 5] 192.168.2.1 80/tcp         ALLOW IN    192.168.2.0/24
>     [ 6] 80/tcp                     ALLOW IN    Anywhere
>     [ 7] 21/tcp                     ALLOW IN    Anywhere
>     [ 8] 192.168.2.0/24             DENY IN     192.168.100.0/24
>     [ 9] 192.168.2.0/24             DENY IN     192.168.1.0/24
>     [10] 217.148.94.148 25          ALLOW IN    Anywhere
>     [11] 217.148.94.148 993         ALLOW IN    Anywhere
>     [12] 217.148.94.148 995         ALLOW IN    Anywhere
>
> Looks good, I thought...
>
> To test I used netcat, because mysqld has some restrictions, and to rule
> any MySQL problems out first, just a netcat connection. So on the server:
>
>     nc -vl 192.168.2.1 3306
>
> On the client:
>
>     telnet 192.168.2.1 3306
>
> and it times out, unable to connect... ping 192.168.2.1 on the client gives
> replies... iptables -L on the client gives ACCEPT ACCEPT ACCEPT and no
> further rules... hmm... strange...
>
> After this I've been looking everywhere to find out, eventually, the
> following:
>
>     ufw delete 4   # delete the existing mysql accept rule
>     ufw insert 4 allow proto tcp from 192.168.2.0/24 to 192.168.2.1 port 3307
>
> ufw status numbered gives:
>
>     Status: active
>
>          To                         Action      From
>          --                         ------      ----
>     [ 1] 22/tcp                     ALLOW IN    Anywhere
>     [ 2] 1723/tcp                   ALLOW IN    Anywhere
>     [ 3] Anywhere                   DENY IN     192.168.254.0/24
>     [ 4] 192.168.2.1 3307/tcp       ALLOW IN    192.168.2.0/24
>     [ 5] 192.168.2.1 80/tcp         ALLOW IN    192.168.2.0/24
>     [ 6] 80/tcp                     ALLOW IN    Anywhere
>     [ 7] 21/tcp                     ALLOW IN    Anywhere
>     [ 8] 192.168.2.0/24             DENY IN     192.168.100.0/24
>     [ 9] 192.168.2.0/24             DENY IN     192.168.1.0/24
>     [10] 217.148.94.148 25          ALLOW IN    Anywhere
>     [11] 217.148.94.148 993         ALLOW IN    Anywhere
>     [12] 217.148.94.148 995         ALLOW IN    Anywhere
>
> On the server:
>
>     nc -vl 192.168.2.1 3307
>
> On the client:
>
>     telnet 192.168.2.1 3307
>     Connected to 192.168.2.1.
>     Escape character is '^]'.
>
> and I can chat, as I am supposed to be able to, using nc.
>
> Apparently there is somewhere in the OS a rule which disables access to
> port 3306, but it's not an iptables rule... Does anyone have an idea what,
> apart from iptables, controls network traffic?
>
> Thanks, 'cause I'm completely lost...
>
> Greetings, Geert
>
> Archive: http://lists.debian.org/f663cbd7-417e-4581-9574-90891eae4...@b34g2000yqc.googlegroups.com

* Could you try it after completely disabling the firewall once, to make sure
  that 3306 works.
* Also, to see the stats, use iptables -L -vn to get the packet stats as well.
  Take two of these logs, before and after trying to connect to 3306, and see
  which particular rule counter is going up.
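Anand's second suggestion, comparing iptables -L -vn counters before and after the connection attempt, is easy to automate. The POSIX sh and awk below is an added example and is not code from this thread. It parses two snapshots of iptables -L -vn output (constructed inline, using the ufw-user-input chain name ufw creates and rule entries modelled on Geert's listing) and reports every rule, and every built-in chain's default policy, whose packet counter rose between the two. Two caveats a practitioner wants are baked in: take the snapshots with -x as well, because without it iptables abbreviates large counters as K or M and the numbers stop being comparable; and read the policy counter in the chain header, because a packet that matches no rule at all is counted only there. In the constructed sample the 3306 rule stays at zero while the INPUT policy counter rises, the pattern for a SYN that reaches the host but matches no ACCEPT rule; if no counter anywhere moves, the packet is not reaching the server's netfilter at all and the fault is on the client, in the tunnel, or on the path.

```shell
#!/bin/sh
# Added example (not from the thread): diff iptables -L -vn counters between
# two snapshots and show which rules (and chain policies) saw traffic.

# counter_delta BEFORE AFTER: both files are "iptables -L -vnx" output.
# Prints one line per rule whose packet counter increased, and one per
# built-in chain whose default-policy counter increased. Rules are keyed by
# chain name and position, so both snapshots must come from the same
# ruleset (do not reload the firewall in between).
counter_delta() {
    awk '
    /^Chain / {
        chain = $2; idx = 0
        # Built-in chains carry their policy counters in the header:
        #   Chain INPUT (policy DROP 12 packets, 720 bytes)
        if ($3 == "(policy") {
            key = chain ":policy"
            if (NR == FNR) before[key] = $5
            else if ($5 - before[key] > 0)
                printf "%s policy %s +%d pkts\n", chain, $4, $5 - before[key]
        }
        next
    }
    # Rule lines start with the packet counter; the "pkts bytes target"
    # header and blank lines do not, so they fall through untouched.
    $1 ~ /^[0-9]+$/ {
        idx++
        key = chain ":" idx
        if (NR == FNR) { before[key] = $1; next }
        d = $1 - before[key]
        if (d > 0) {
            rest = ""
            for (i = 3; i <= NF; i++) rest = rest " " $i
            printf "%s rule %d +%d pkts:%s\n", chain, idx, d, rest
        }
    }' "$1" "$2"
}

# Constructed snapshots modelled on the ufw listing in the thread. Between
# them a client ran "telnet 192.168.2.1 3306": the SSH rule ticked for the
# admin session, two packets hit the INPUT policy, and the 3306 ACCEPT rule
# never fired.
sample_before=$(mktemp) && sample_after=$(mktemp)
trap 'rm -f "$sample_before" "$sample_after"' EXIT

cat >"$sample_before" <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     412      31520 ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-user-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      57       3420 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
       8        480 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723
       0          0 DROP       all  --  *      *       192.168.254.0/24     0.0.0.0/0
       0          0 ACCEPT     tcp  --  *      *       192.168.2.0/24       192.168.2.1          tcp dpt:3306
EOF

cat >"$sample_after" <<'EOF'
Chain INPUT (policy DROP 2 packets, 120 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     415      31700 ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-user-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      58       3480 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
       8        480 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723
       0          0 DROP       all  --  *      *       192.168.254.0/24     0.0.0.0/0
       0          0 ACCEPT     tcp  --  *      *       192.168.2.0/24       192.168.2.1          tcp dpt:3306
EOF

# On a real host: iptables -L -vnx >before; (attempt the connection); iptables -L -vnx >after
counter_delta "$sample_before" "$sample_after"
```

Run this on a live ufw host as root with the two real snapshots, and remember that ufw's own counters live in its ufw-* chains, so any rule that appears with a positive delta is the one that actually handled the packet, regardless of what ufw status claims should match.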
Re: iptables/routing network problem
On Jan 30, 4:50 pm, Mihira Fernando <mihirathe...@gmail.com> wrote:
> On 01/30/2011 08:48 PM, geertsky wrote:
>> Hello,
>>
>> I'm having a weird problem I cannot solve... I have a PPTP connection from
>> my house to my server using 192.168.2.0/24 range IPs. I'm trying to make
>> MySQL accessible from the 192.168.2.0/24 network. On the server I've got
>> the ufw firewall, so I state:
>>
>>     ufw insert 4 allow proto tcp from 192.168.2.0/24 to 192.168.2.1 port 3306
>>
>> [snip]
>>
>> Apparently there is somewhere in the OS a rule which disables access to
>> port 3306, but it's not an iptables rule... Does anyone have an idea what,
>> apart from iptables, controls network traffic?
>>
>> Thanks, 'cause I'm completely lost...
>>
>> Greetings, Geert
>
> Maybe a stupid question, but have you enabled network access in the MySQL
> server settings so that MySQL will actually accept connections over the
> network?
>
> Mihira.

Hi Mihira,

I'm not trying to connect to MySQL, well, not with the tests at least... I'm
using netcat to try to make a connection to port 3306 and even that fails...

Greetings, Geert

Archive: http://lists.debian.org/b3b35d5d-20a1-448c-a1d7-103b93389...@q36g2000yqn.googlegroups.com
Re: iptables/routing network problem
On Jan 30, 5:00 pm, Anand Sivaram <aspn...@gmail.com> wrote:
> On Sun, Jan 30, 2011 at 20:48, geertsky <bege...@gmail.com> wrote:
>> Hello,
>>
>> I'm having a weird problem I cannot solve... I have a PPTP connection from
>> my house to my server using 192.168.2.0/24 range IPs. I'm trying to make
>> MySQL accessible from the 192.168.2.0/24 network. On the server I've got
>> the ufw firewall, so I state:
>>
>>     ufw insert 4 allow proto tcp from 192.168.2.0/24 to 192.168.2.1 port 3306
>>
>> [snip]
>>
>> Apparently there is somewhere in the OS a rule which disables access to
>> port 3306, but it's not an iptables rule... Does anyone have an idea what,
>> apart from iptables, controls network traffic?
>>
>> Thanks, 'cause I'm completely lost...
>>
>> Greetings, Geert
>
> * Could you try it after completely disabling the firewall once, to make
>   sure that 3306 works.
> * Also, to see the stats, use iptables -L -vn to get the packet stats as
>   well. Take two of these logs, before and after trying to connect to 3306,
>   and see which particular rule counter is going up.

Hi,

I forgot to mention... but disabling the firewall completely also results in
a timeout... I guess it has to be some client-side setting... Your iptables
suggestions are not going to show anything, I'm afraid... 'cause completely
disabling the firewall doesn't work...

Greetings, Geert

Archive: http://lists.debian.org/e5e52905-3e85-4cde-adfe-247f5a4fa...@k9g2000yqi.googlegroups.com
Re: iptables/routing network problem
On Jan 30, 5:00 pm, Anand Sivaram <aspn...@gmail.com> wrote:
> On Sun, Jan 30, 2011 at 20:48, geertsky <bege...@gmail.com> wrote:
>> Hello,
>>
>> I'm having a weird problem I cannot solve... I have a PPTP connection from
>> my house to my server using 192.168.2.0/24 range IPs. I'm trying to make
>> MySQL accessible from the 192.168.2.0/24 network. On the server I've got
>> the ufw firewall, so I state:
>>
>>     ufw insert 4 allow proto tcp from 192.168.2.0/24 to 192.168.2.1 port 3306
>>
>> [snip]
>>
>> Apparently there is somewhere in the OS a rule which disables access to
>> port 3306, but it's not an iptables rule... Does anyone have an idea what,
>> apart from iptables, controls network traffic?
>>
>> Thanks, 'cause I'm completely lost...
>>
>> Greetings, Geert
>
> * Could you try it after completely disabling the firewall once, to make
>   sure that 3306 works.
> * Also, to see the stats, use iptables -L -vn to get the packet stats as
>   well. Take two of these logs, before and after trying to connect to 3306,
>   and see which particular rule counter is going up.

Hi again,

Ok, I found out it cannot be a client-side problem... I did a test from the
client to another computer on the local network and the connection can be
established! Could the PPTP connection be the problem somehow?

Greetings, Geert

Archive: http://lists.debian.org/0509b055-5c6e-4585-bfc8-f1a89f327...@r16g2000yql.googlegroups.com
Re: iptables/routing network problem
On Jan 30, 10:20 pm, geertsky <bege...@gmail.com> wrote:
> On Jan 30, 4:50 pm, Mihira Fernando <mihirathe...@gmail.com> wrote:
>> On 01/30/2011 08:48 PM, geertsky wrote:
>>> Hello,
>>>
>>> I'm having a weird problem I cannot solve... I have a PPTP connection
>>> from my house to my server using 192.168.2.0/24 range IPs. I'm trying to
>>> make MySQL accessible from the 192.168.2.0/24 network. On the server I've
>>> got the ufw firewall, so I state:
>>>
>>>     ufw insert 4 allow proto tcp from 192.168.2.0/24 to 192.168.2.1 port 3306
>>>
>>> [snip]
>>>
>>> Apparently there is somewhere in the OS a rule which disables access to
>>> port 3306, but it's not an iptables rule... Does anyone have an idea what,
>>> apart from iptables, controls network traffic?
>>>
>>> Thanks, 'cause I'm completely lost...
>>>
>>> Greetings, Geert
>>
>> Maybe a stupid question, but have you enabled network access in the MySQL
>> server settings so that MySQL will actually accept connections over the
>> network?
>>
>> Mihira.
>
> Hi Mihira,
>
> I'm not trying to connect to MySQL, well, not with the tests at least...
> I'm using netcat to try to make a connection to port 3306 and even that
> fails...
>
> Greetings, Geert

Ok, I am a bit further now... So I found out it's the PPTP connection which
is maliciously configured somehow... I have other PPTP connections also
listening on that server, and a connection over one of the other PPTP
servers succeeds! Still very strange though... why only port 3306 is
infected by this... Anyways... I'll look into it maybe tomorrow or something
and I'll report what I misconfigured...

If anyone has suggestions I'm happy to hear it!

Greetings, Geert

Archive: http://lists.debian.org/547787ff-98a7-4466-80f7-80f250d52...@z3g2000yqk.googlegroups.com