Iptables blocking remote MySQL

I'm trying to set my server (CentOS 6.9) to accept remote MySQL connections and I'm stuck on the firewall config.



I have everything set right on the MySQL side; I can connect through telnet if I stop iptables, but not when it's active.



I've already tried:



-A INPUT -i lo -p tcp -m tcp --dport 3306 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT


But still I get "connection refused" with iptables active. What am I doing wrong?



EDIT: output of iptables -L --line-numbers



Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
2 acctboth all -- anywhere anywhere
3 tcpchk tcp -- anywhere anywhere
4 udpchk udp -- anywhere anywhere
5 icmpchk icmp -- anywhere anywhere
6 ipdrop_global all -- anywhere anywhere
7 input_custom all -- anywhere anywhere
8 ACCEPT all -- anywhere anywhere
9 ssh tcp -- anywhere anywhere state NEW tcp dpt:22022
10 ACCEPT icmp -- anywhere anywhere icmp echo-request limit: up to 2/sec burst 10 mode srcip
11 LOG icmp -- anywhere anywhere icmp echo-request limit: avg 5/min burst 5 LOG level error prefix `ICMP_DROP '
12 DROP icmp -- anywhere anywhere icmp echo-request
13 ACCEPT icmp -- anywhere anywhere icmp echo-reply
14 ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
15 ACCEPT icmp -- anywhere anywhere icmp port-unreachable
16 ACCEPT icmp -- anywhere anywhere icmp host-unreachable
17 ACCEPT icmp -- anywhere anywhere icmp time-exceeded
18 ACCEPT icmp -- anywhere anywhere icmp parameter-problem
19 ACCEPT icmp -- anywhere anywhere icmp type 30
20 ACCEPT icmp -- anywhere anywhere state ESTABLISHED
21 ACCEPT tcp -- 103.21.244.0/22 anywhere tcp dpt:http
22 ACCEPT tcp -- 103.22.200.0/22 anywhere tcp dpt:http
23 ACCEPT tcp -- 103.31.4.0/22 anywhere tcp dpt:http
24 ACCEPT tcp -- 104.16.0.0/12 anywhere tcp dpt:http
25 ACCEPT tcp -- 108.162.192.0/18 anywhere tcp dpt:http
26 ACCEPT tcp -- 131.0.72.0/22 anywhere tcp dpt:http
27 ACCEPT tcp -- 141.101.64.0/18 anywhere tcp dpt:http
28 ACCEPT tcp -- 162.158.0.0/15 anywhere tcp dpt:http
29 ACCEPT tcp -- 172.64.0.0/13 anywhere tcp dpt:http
30 ACCEPT tcp -- 173.245.48.0/20 anywhere tcp dpt:http
31 ACCEPT tcp -- 188.114.96.0/20 anywhere tcp dpt:http
32 ACCEPT tcp -- 190.93.240.0/20 anywhere tcp dpt:http
33 ACCEPT tcp -- 197.234.240.0/22 anywhere tcp dpt:http
34 ACCEPT tcp -- 198.41.128.0/17 anywhere tcp dpt:http
35 ACCEPT tcp -- vps.retireja.com.br anywhere tcp dpt:http
36 ACCEPT tcp -- server.thenarcissistswife.com anywhere multiport dports ssh,http
37 ACCEPT icmp -- server.thenarcissistswife.com anywhere icmp echo-request
38 ACCEPT tcp -- 54.e2.adb8.ip4.static.sl-reverse.com anywhere multiport dports ssh,http
39 ACCEPT icmp -- 54.e2.adb8.ip4.static.sl-reverse.com anywhere icmp echo-request
40 ACCEPT tcp -- 32.e0.acb8.ip4.static.sl-reverse.com anywhere multiport dports ssh,http
41 ACCEPT icmp -- 32.e0.acb8.ip4.static.sl-reverse.com anywhere icmp echo-request
42 ACCEPT tcp -- anywhere anywhere tcp dpt:domain
43 ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
44 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
45 ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
46 ACCEPT tcp -- anywhere anywhere tcp dpt:26
47 ACCEPT udp -- anywhere anywhere udp dpt:domain
48 ACCEPT tcp -- anywhere anywhere tcp dpt:http
49 ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
50 ACCEPT tcp -- anywhere anywhere tcp dpt:imap
51 ACCEPT tcp -- anywhere anywhere tcp dpt:https
52 ACCEPT tcp -- anywhere anywhere tcp dpt:urd
53 ACCEPT tcp -- anywhere anywhere tcp dpt:submission
54 ACCEPT tcp -- anywhere anywhere tcp dpt:infowave
55 ACCEPT tcp -- anywhere anywhere tcp dpt:radsec
56 ACCEPT tcp -- anywhere anywhere tcp dpt:sunclustergeo
57 ACCEPT tcp -- anywhere anywhere tcp dpt:gnunet
58 ACCEPT tcp -- anywhere anywhere tcp dpt:eli
59 ACCEPT tcp -- anywhere anywhere tcp dpt:sep
60 ACCEPT tcp -- anywhere anywhere tcp dpt:EtherNet/IP-1
61 ACCEPT tcp -- anywhere anywhere tcp dpt:nbx-ser
62 ACCEPT tcp -- anywhere anywhere tcp dpt:nbx-dir
63 ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
64 ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
65 ACCEPT udp -- google-public-dns-b.google.com anywhere udp spt:domain
66 ACCEPT tcp -- google-public-dns-b.google.com anywhere tcp spt:domain
67 ACCEPT udp -- google-public-dns-a.google.com anywhere udp spt:domain
68 ACCEPT tcp -- google-public-dns-a.google.com anywhere tcp spt:domain
69 ACCEPT tcp -- anywhere anywhere tcp dpt:22022
70 ACCEPT udp -- anywhere anywhere udp dpt:22022
71 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
72 LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `LOG_INPUT: '
73 DROP all -- anywhere anywhere
74 ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
75 ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
76 ACCEPT tcp -- vps.retireja.com.br anywhere tcp dpt:mysql
77 ACCEPT tcp -- vps.retireja.com.br anywhere tcp dpt:mysql

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 tcpchk tcp -- anywhere anywhere
2 udpchk udp -- anywhere anywhere
3 icmpchk icmp -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 cpanel-dovecot-solr all -- anywhere anywhere
2 acctboth all -- anywhere anywhere
3 tcpchk tcp -- anywhere anywhere
4 udpchk udp -- anywhere anywhere
5 icmpchk icmp -- anywhere anywhere
6 output_custom all -- anywhere anywhere
7 ACCEPT all -- anywhere anywhere
8 ACCEPT icmp -- anywhere anywhere state NEW,ESTABLISHED
9 ACCEPT icmp -- anywhere server.thenarcissistswife.com icmp echo-reply
10 ACCEPT icmp -- anywhere 54.e2.adb8.ip4.static.sl-reverse.com icmp echo-reply
11 ACCEPT icmp -- anywhere 32.e0.acb8.ip4.static.sl-reverse.com icmp echo-reply
12 ACCEPT udp -- anywhere anywhere udp dpt:saphostctrls
13 ACCEPT tcp -- anywhere anywhere tcp dpt:saphostctrls
14 ACCEPT udp -- anywhere anywhere udp dpt:30000
15 ACCEPT tcp -- anywhere anywhere tcp dpt:30000
16 ACCEPT udp -- anywhere anywhere udp dpt:pop3
17 ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
18 ACCEPT udp -- anywhere anywhere udp dpt:nicname
19 ACCEPT tcp -- anywhere anywhere tcp dpt:nicname
20 ACCEPT tcp -- anywhere anywhere tcp dpt:rsync
21 ACCEPT udp -- anywhere anywhere owner UID match root
22 ACCEPT icmp -- anywhere anywhere
23 ACCEPT all -- anywhere anywhere
24 ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
25 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
26 ACCEPT tcp -- anywhere gateway07.websitewelcome.com tcp dpt:smtp
27 ACCEPT tcp -- anywhere gateway03.websitewelcome.com tcp dpt:smtp
28 ACCEPT tcp -- anywhere gateway04.websitewelcome.com tcp dpt:smtp
29 ACCEPT tcp -- anywhere gateway05.websitewelcome.com tcp dpt:smtp
30 ACCEPT tcp -- anywhere gateway06.websitewelcome.com tcp dpt:smtp
31 ACCEPT tcp -- anywhere gateway09.websitewelcome.com tcp dpt:smtp
32 ACCEPT tcp -- anywhere gateway10.websitewelcome.com tcp dpt:smtp
33 ACCEPT tcp -- anywhere gateway11.websitewelcome.com tcp dpt:smtp
34 ACCEPT tcp -- anywhere gateway12.websitewelcome.com tcp dpt:smtp
35 ACCEPT tcp -- anywhere gateway13.websitewelcome.com tcp dpt:smtp
36 ACCEPT tcp -- anywhere gateway14.websitewelcome.com tcp dpt:smtp
37 ACCEPT tcp -- anywhere gateway15.websitewelcome.com tcp dpt:smtp
38 ACCEPT tcp -- anywhere gateway16.websitewelcome.com tcp dpt:smtp
39 ACCEPT tcp -- anywhere gateway02.websitewelcome.com tcp dpt:smtp
40 ACCEPT tcp -- anywhere gateway01.websitewelcome.com tcp dpt:smtp
41 ACCEPT tcp -- anywhere gateway08.websitewelcome.com tcp dpt:smtp
42 ACCEPT tcp -- anywhere anywhere tcp dpt:smtp owner UID match mailnull
43 LOG tcp -- anywhere anywhere ! owner UID match root multiport dports smtp,urd,submission limit: avg 1/sec burst 5 LOG level notice prefix `OUTBOUND-SMTP : '
44 ACCEPT udp -- anywhere anywhere udp dpt:domain ! owner UID match nobody
45 ACCEPT tcp -- anywhere anywhere tcp dpt:domain ! owner UID match nobody
46 ACCEPT udp -- anywhere google-public-dns-b.google.com udp dpt:domain
47 ACCEPT tcp -- anywhere google-public-dns-b.google.com tcp dpt:domain
48 ACCEPT udp -- anywhere google-public-dns-a.google.com udp dpt:domain
49 ACCEPT tcp -- anywhere google-public-dns-a.google.com tcp dpt:domain
50 ACCEPT udp -- anywhere anywhere udp dpt:domain owner UID match nobody limit: avg 20/sec burst 5
51 ACCEPT tcp -- anywhere anywhere tcp dpt:domain owner UID match nobody limit: avg 20/sec burst 5
52 ACCEPT tcp -- anywhere anywhere tcp dpt:http
53 ACCEPT tcp -- anywhere anywhere tcp dpt:https
54 ACCEPT tcp -- anywhere anywhere tcp dpt:urd
55 ACCEPT tcp -- anywhere anywhere tcp dpt:submission
56 ACCEPT tcp -- anywhere anywhere tcp dpt:gnunet
57 ACCEPT tcp -- anywhere anywhere tcp dpt:eli
58 ACCEPT tcp -- anywhere anywhere tcp dpt:sep
59 ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
60 ACCEPT tcp -- anywhere anywhere tcp dpt:time
61 ACCEPT tcp -- anywhere anywhere tcp dpt:sms-chat
62 ACCEPT tcp -- anywhere anywhere tcp spt:domain
63 ACCEPT tcp -- anywhere anywhere tcp spt:ftp
64 ACCEPT tcp -- anywhere anywhere tcp spt:ssh
65 ACCEPT tcp -- anywhere anywhere tcp spt:22022
66 ACCEPT tcp -- anywhere anywhere tcp spt:smtp
67 ACCEPT tcp -- anywhere anywhere tcp spt:26
68 ACCEPT udp -- anywhere anywhere udp spt:domain
69 ACCEPT tcp -- anywhere anywhere tcp spt:http
70 ACCEPT tcp -- anywhere anywhere tcp spt:pop3
71 ACCEPT tcp -- anywhere anywhere tcp spt:imap
72 ACCEPT tcp -- anywhere anywhere tcp spt:https
73 ACCEPT tcp -- anywhere anywhere tcp spt:urd
74 ACCEPT tcp -- anywhere anywhere tcp spt:submission
75 ACCEPT tcp -- anywhere anywhere tcp spt:infowave
76 ACCEPT tcp -- anywhere anywhere tcp spt:radsec
77 ACCEPT tcp -- anywhere anywhere tcp spt:sunclustergeo
78 ACCEPT tcp -- anywhere anywhere tcp spt:gnunet
79 ACCEPT tcp -- anywhere anywhere tcp spt:eli
80 ACCEPT tcp -- anywhere anywhere tcp spt:sep
81 ACCEPT tcp -- anywhere anywhere tcp spt:EtherNet/IP-1
82 ACCEPT tcp -- anywhere anywhere tcp spt:nbx-ser
83 ACCEPT tcp -- anywhere anywhere tcp spt:nbx-dir
84 ACCEPT tcp -- anywhere anywhere tcp spt:imaps
85 ACCEPT tcp -- anywhere anywhere tcp spt:pop3s
86 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
87 LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `LOG_OUTPUT: '
88 DROP all -- anywhere anywhere
89 ACCEPT tcp -- anywhere anywhere tcp spt:mysql

Chain acctboth (2 references)
num target prot opt source destination

Chain cpanel-dovecot-solr (1 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere multiport sports 8984,7984 owner UID match cpanelsolr
2 ACCEPT tcp -- anywhere anywhere multiport sports 8984,7984 owner UID match root
3 REJECT tcp -- anywhere anywhere multiport sports 8984,7984 reject-with icmp-port-unreachable

Chain icmpchk (3 references)
num target prot opt source destination

Chain input_custom (1 references)
num target prot opt source destination

Chain ipdrop_global (1 references)
num target prot opt source destination
1 DROP all -- 43.255.190.0/23 anywhere

Chain output_custom (1 references)
num target prot opt source destination

Chain ssh (1 references)
num target prot opt source destination
1 ACCEPT all -- supra.websitewelcome.com anywhere
2 ACCEPT all -- wizard2.hostgator.com anywhere
3 ACCEPT all -- wizard-backup.hostgator.com anywhere
4 ACCEPT all -- 216-106-185-169.ds1-static.mia1.net.ststelecom.com anywhere
5 ACCEPT all -- 12.96.160.0/24 anywhere
6 ACCEPT all -- 216.19.0.0/24 anywhere
7 tcp -- anywhere anywhere state NEW recent: SET name: DEFAULT side: source
8 LOG tcp -- anywhere anywhere state NEW recent: CHECK seconds: 60 hit_count: 10 name: DEFAULT side: source limit: avg 10/min burst 5 LOG level notice prefix `SSH-ATTACK : '
9 REJECT tcp -- anywhere anywhere state NEW recent: UPDATE seconds: 60 hit_count: 10 name: DEFAULT side: source reject-with tcp-reset
10 ACCEPT tcp -- anywhere anywhere

Chain tcpchk (3 references)
num target prot opt source destination

Chain udpchk (3 references)
num target prot opt source destination

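Since iptables walks each chain top to bottom and stops at the first terminating rule that matches, a useful check on a listing like the one above is which rules can still be reached at all. The script below is an added example, not part of the question: it parses `iptables -L --line-numbers` output (here a constructed excerpt of the posted INPUT and OUTPUT chains, keeping their rule numbers but omitting most rules), reports the first rule that matches all traffic unconditionally, and classifies every `dpt:mysql` rule as reachable or shadowed.

```shell
#!/bin/sh
# Added example: rule-reachability check over `iptables -L --line-numbers` output.

# Constructed excerpt of the posted INPUT and OUTPUT chains (rule numbers as posted,
# most rules left out). On a real host feed `iptables -L --line-numbers` instead.
sample_listing() {
  cat <<'EOF'
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
2 acctboth all -- anywhere anywhere
8 ACCEPT all -- anywhere anywhere
9 ssh tcp -- anywhere anywhere state NEW tcp dpt:22022
71 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
73 DROP all -- anywhere anywhere
74 ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
76 ACCEPT tcp -- vps.retireja.com.br anywhere tcp dpt:mysql

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
7 ACCEPT all -- anywhere anywhere
86 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
88 DROP all -- anywhere anywhere
89 ACCEPT tcp -- anywhere anywhere tcp spt:mysql
EOF
}

# walk_chain CHAIN: reads a listing on stdin and prints "<num> <status> <rule>" for each
# rule of CHAIN. Status is "reachable" up to the first unconditional terminating rule,
# "catch-all" for that rule itself and "shadowed" for everything after it.
# Unconditional = target ACCEPT/DROP/REJECT, protocol all, any source and destination,
# and no further match columns. Caveat: plain `iptables -L` hides -i/-o interface
# matches, so a "catch-all" here may really be e.g. `-i lo -j ACCEPT`; check `iptables -S`.
walk_chain() {
  awk -v chain="$1" '
    /^Chain / { cur = $2; blocker = 0; next }
    cur != chain || $1 !~ /^[0-9]+$/ { next }
    {
      status = blocker ? "shadowed" : "reachable"
      if (!blocker && NF == 6 && $3 == "all" && $5 == "anywhere" && $6 == "anywhere" &&
          ($2 == "ACCEPT" || $2 == "DROP" || $2 == "REJECT")) {
        status = "catch-all"
        blocker = $1
      }
      line = $0
      sub(/^[0-9]+ +/, "", line)
      print $1, status, line
    }
  '
}

# first_catchall CHAIN: number of the first unconditional terminating rule, or "none".
first_catchall() {
  walk_chain "$1" | awk '$2 == "catch-all" { print $1; found = 1; exit }
                         END { if (!found) print "none" }'
}

# port_rule_status CHAIN PORT: "<num> <status>" for every rule in CHAIN matching dpt:PORT
# (PORT as iptables prints it, e.g. "mysql" or "3306" depending on /etc/services).
port_rule_status() {
  walk_chain "$1" | awk -v pat="dpt:$2" '
    { for (i = 3; i <= NF; i++) if ($i == pat) { print $1, $2; break } }
  '
}

# Demo on the constructed excerpt.
for chain in INPUT OUTPUT; do
  echo "$chain: first unconditional terminating rule = $(sample_listing | first_catchall "$chain")"
done
echo "INPUT rules for dpt:mysql:"
sample_listing | port_rule_status INPUT mysql
```

Plain `iptables -L` hides `-i`/`-o` interface matches, so a rule shown as `ACCEPT all -- anywhere anywhere` may in fact be limited to one interface; confirm with `iptables -S` before trusting a catch-all verdict. Note also that a DROP rule makes the client time out, whereas "connection refused" is a rejection (TCP RST or ICMP port-unreachable) coming from a REJECT rule or from nothing listening on that address and port.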
      47 ACCEPT tcp -- anywhere google-public-dns-b.google.com tcp dpt:domain
      48 ACCEPT udp -- anywhere google-public-dns-a.google.com udp dpt:domain
      49 ACCEPT tcp -- anywhere google-public-dns-a.google.com tcp dpt:domain
      50 ACCEPT udp -- anywhere anywhere udp dpt:domain owner UID match nobody limit: avg 20/sec burst 5
      51 ACCEPT tcp -- anywhere anywhere tcp dpt:domain owner UID match nobody limit: avg 20/sec burst 5
      52 ACCEPT tcp -- anywhere anywhere tcp dpt:http
      53 ACCEPT tcp -- anywhere anywhere tcp dpt:https
      54 ACCEPT tcp -- anywhere anywhere tcp dpt:urd
      55 ACCEPT tcp -- anywhere anywhere tcp dpt:submission
      56 ACCEPT tcp -- anywhere anywhere tcp dpt:gnunet
      57 ACCEPT tcp -- anywhere anywhere tcp dpt:eli
      58 ACCEPT tcp -- anywhere anywhere tcp dpt:sep
      59 ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
      60 ACCEPT tcp -- anywhere anywhere tcp dpt:time
      61 ACCEPT tcp -- anywhere anywhere tcp dpt:sms-chat
      62 ACCEPT tcp -- anywhere anywhere tcp spt:domain
      63 ACCEPT tcp -- anywhere anywhere tcp spt:ftp
      64 ACCEPT tcp -- anywhere anywhere tcp spt:ssh
      65 ACCEPT tcp -- anywhere anywhere tcp spt:22022
      66 ACCEPT tcp -- anywhere anywhere tcp spt:smtp
      67 ACCEPT tcp -- anywhere anywhere tcp spt:26
      68 ACCEPT udp -- anywhere anywhere udp spt:domain
      69 ACCEPT tcp -- anywhere anywhere tcp spt:http
      70 ACCEPT tcp -- anywhere anywhere tcp spt:pop3
      71 ACCEPT tcp -- anywhere anywhere tcp spt:imap
      72 ACCEPT tcp -- anywhere anywhere tcp spt:https
      73 ACCEPT tcp -- anywhere anywhere tcp spt:urd
      74 ACCEPT tcp -- anywhere anywhere tcp spt:submission
      75 ACCEPT tcp -- anywhere anywhere tcp spt:infowave
      76 ACCEPT tcp -- anywhere anywhere tcp spt:radsec
      77 ACCEPT tcp -- anywhere anywhere tcp spt:sunclustergeo
      78 ACCEPT tcp -- anywhere anywhere tcp spt:gnunet
      79 ACCEPT tcp -- anywhere anywhere tcp spt:eli
      80 ACCEPT tcp -- anywhere anywhere tcp spt:sep
      81 ACCEPT tcp -- anywhere anywhere tcp spt:EtherNet/IP-1
      82 ACCEPT tcp -- anywhere anywhere tcp spt:nbx-ser
      83 ACCEPT tcp -- anywhere anywhere tcp spt:nbx-dir
      84 ACCEPT tcp -- anywhere anywhere tcp spt:imaps
      85 ACCEPT tcp -- anywhere anywhere tcp spt:pop3s
      86 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
      87 LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `LOG_OUTPUT: '
      88 DROP all -- anywhere anywhere
      89 ACCEPT tcp -- anywhere anywhere tcp spt:mysql

      Chain acctboth (2 references)
      num target prot opt source destination

      Chain cpanel-dovecot-solr (1 references)
      num target prot opt source destination
      1 ACCEPT tcp -- anywhere anywhere multiport sports 8984,7984 owner UID match cpanelsolr
      2 ACCEPT tcp -- anywhere anywhere multiport sports 8984,7984 owner UID match root
      3 REJECT tcp -- anywhere anywhere multiport sports 8984,7984 reject-with icmp-port-unreachable

      Chain icmpchk (3 references)
      num target prot opt source destination

      Chain input_custom (1 references)
      num target prot opt source destination

      Chain ipdrop_global (1 references)
      num target prot opt source destination
      1 DROP all -- 43.255.190.0/23 anywhere

      Chain output_custom (1 references)
      num target prot opt source destination

      Chain ssh (1 references)
      num target prot opt source destination
      1 ACCEPT all -- supra.websitewelcome.com anywhere
      2 ACCEPT all -- wizard2.hostgator.com anywhere
      3 ACCEPT all -- wizard-backup.hostgator.com anywhere
      4 ACCEPT all -- 216-106-185-169.ds1-static.mia1.net.ststelecom.com anywhere
      5 ACCEPT all -- 12.96.160.0/24 anywhere
      6 ACCEPT all -- 216.19.0.0/24 anywhere
      7 tcp -- anywhere anywhere state NEW recent: SET name: DEFAULT side: source
      8 LOG tcp -- anywhere anywhere state NEW recent: CHECK seconds: 60 hit_count: 10 name: DEFAULT side: source limit: avg 10/min burst 5 LOG level notice prefix `SSH-ATTACK : '
      9 REJECT tcp -- anywhere anywhere state NEW recent: UPDATE seconds: 60 hit_count: 10 name: DEFAULT side: source reject-with tcp-reset
      10 ACCEPT tcp -- anywhere anywhere

      Chain tcpchk (3 references)
      num target prot opt source destination

      Chain udpchk (3 references)
      num target prot opt source destination






asked Jan 30 at 17:46 by diogo.abdalla, edited Jan 30 at 20:03
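A way to read the `iptables -L --line-numbers` listing above for ordering problems, added here as an example (it is not code from the question or the answer): the function flags every rule that sits after an unconditional terminating rule in the same chain, which is the situation of the dpt:mysql rules 74 to 77 in the INPUT chain, appended behind the catch-all DROP at 73 and never reached if that DROP really is unconditional. The two listings are constructed for the demo; because plain `-L` hides `-i`/`-o` interface matches, a rule shown as all/anywhere/anywhere may in fact be bound to an interface, so the function also understands the columns of `iptables -L -v -n --line-numbers`, which show them.

```shell
# Added example (not from the original question or answer): report rules that an
# earlier unconditional terminating rule in the same chain makes unreachable.
# Reads `iptables -L --line-numbers` output on stdin, with or without -v -n,
# and prints one line per shadowed rule.
#
# A rule counts as unconditional when its protocol is "all", source and
# destination are anywhere/0.0.0.0/0/::/0, the in/out interfaces (shown only
# with -v) are "*" or "any", and no match text follows the fixed columns.
find_shadowed_rules() {
    awk '
        $1 == "Chain" { chain = $2; blocker = ""; next }
        $1 == "num" {                      # header line: learn the column layout
            ncol = NF; has_iface = 0
            for (i = 1; i <= NF; i++) {
                col[$i] = i
                if ($i == "in") has_iface = 1
            }
            next
        }
        $1 ~ /^[0-9]+$/ && ncol > 0 {      # a numbered rule line
            if (blocker != "") {
                printf "%s: rule %s is shadowed by rule %s (%s)\n", chain, $1, blocker, btarget
                next
            }
            target = $(col["target"])
            wide = (NF == ncol && $(col["prot"]) == "all" &&
                    isany($(col["source"])) && isany($(col["destination"])))
            if (has_iface)
                wide = (wide && isiface($(col["in"])) && isiface($(col["out"])))
            if (wide && (target == "ACCEPT" || target == "DROP" ||
                         target == "REJECT" || target == "RETURN")) {
                blocker = $1; btarget = target
            }
        }
        function isany(s)   { return s == "anywhere" || s == "0.0.0.0/0" || s == "::/0" }
        function isiface(s) { return s == "*" || s == "any" }
    '
}

# Constructed listing in the plain `iptables -L --line-numbers` layout, modelled
# on the question: the dpt:mysql rules were appended after the catch-all DROP.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
2    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
3    LOG        all  --  anywhere             anywhere             limit: avg 1/sec burst 5 LOG level warning prefix `LOG_INPUT: '
4    DROP       all  --  anywhere             anywhere
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mysql
6    ACCEPT     tcp  --  vps.example.com      anywhere             tcp dpt:mysql

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    DROP       all  --  anywhere             anywhere
3    ACCEPT     tcp  --  anywhere             anywhere             tcp spt:mysql
EOF
}

# Constructed listing in the `iptables -L -v -n --line-numbers` layout, which
# shows the interface columns: the ACCEPT bound to lo is not a catch-all, the
# DROP with "*" on both interfaces is.
sample_listing_verbose() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       10   600 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2        5   300 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
EOF
}

# Demo against the constructed listings; on a live host (as root) run
#   iptables -L -v -n --line-numbers | find_shadowed_rules
sample_listing | find_shadowed_rules
sample_listing_verbose | find_shadowed_rules
```

A shadowed rule has to be inserted ahead of its blocker with `iptables -I CHAIN N ...` instead of appended with `-A`, or the blocker deleted by number as the answer describes.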

          1 Answer
          Remove this rule:




          -A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset



          You can remove a rule by printing the line numbers this way:



          iptables -L --line-numbers


and then deleting the line by its line number.



          For instance, if the offending line is number 7, then:



          iptables -D INPUT 7





• @vlastimil thx for the edit on the quote of the line; however, I did purposefully put "for instance" in bold so that the OP didn't miss that I'm not suggesting he run that command without changing the number from 7 to the appropriate number.
  – WEBjuju
  Jan 30 at 18:25

• Don't use bold text unless really necessary.
  – Vlastimil
  Jan 30 at 18:29

• It appears they’re trying to allow port 3306, and have a rule to that effect ahead of the reject line; why do you think that removing this catch-all line will help?
  – Jeff Schaller
  Jan 30 at 19:07

• it didn't work: I removed that line and still I can connect remotely. The only difference is that now instead of getting "connection refused", I get "connection timed out".
  – diogo.abdalla
  Jan 30 at 19:34

• there is a REJECT on the outbound... better get it out, too: -A OUTPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset - if that doesn't work, can you add the output of iptables -L --line-numbers to your question, it's much easier to digest, imho.
  – WEBjuju
  Jan 30 at 19:37










answered Jan 30 at 18:16 by WEBjuju, edited Jan 30 at 18:20 by Vlastimil


          Bahrain

          Postfix configuration issue with fips on centos 7; mailgun relay