I am trying to connect a remote mysql database in my local application. But it was not connecting with the given user name and password. Though I gave the GRANT ALL to that user. After a long study I came to know about the firewall. I assume the following firewall rule is the culprit for not connecting:
REJECT tcp -- anywhere anywhere tcp dpt:mysql reject-with icmp-port-unreachable
Please let me know if I am right. And please suggest me a solution to overcome this.
You can poke a hole in your firewall, to your given IP address by running the following (as root)
iptables -I INPUT -p tcp --dport 3306 --src 103.19.252/24 -j ACCEPT
-I INPUT signifies we are looking at incoming traffic
--dport 3306 means any traffic headed for port 3306 (mysql)
--src 103.19.252/24 will open up the connection to any traffic that originates from the 103.19.252.xx subnet
-j ACCEPT means let it through
You'll also need to make sure your MySQL user is allowed to connect from that ip
My problem is similar to this question but since I don't have enough reputation to write a comment AND the answer to that question didn't help, I am starting a new question.
I have a GCE VM instance with LEMP with MySQL Ver 15.1 Distrib 10.1.18-MariaDB and I'm trying to connect remotely to it from my local machine.
I already tried all the suggestions in the question link that I mentioned before.
This is my firewall configuration:
In my.cnf file I have:
bind-address = 0.0.0.0
And about MySQL users privileges I have the following:
When I try to connect remotely with wkreport user I get the following result:
My question is, what am I missing ?!
I just found the solution to my problem,
Special thanks to #Slava for pointing me the way, after all it was iptables.
So, I kept receiving a "MySQL connection refused" message when trying to connect remotely so I searched for a way to see TCP connection logs and I found the tcpdump command.
By running sudo tcpdump port 3306 -vvv -n I saw the following output every time I tried to connect remotely:
I searched the tcpdump man page and saw that R stands for the TCP RST (RESET) flag.
I searched a little bit more and found this question, whose accepted answer led me again to IPTABLES, which #Slava had suggested since the first comment.
That's when I looked closely and saw that my INPUT ACCEPT tcp:3306 was defined after the REJECT TCP reject-with tcp-reset rule, hence what the log was showing.
After this I just removed the rule to accept tcp:3306 and prepended it to the reject tcp rules and voila!
iptables -D INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -I INPUT {line number from the first reject tcp rule} -p tcp -m tcp --dport 3306 -j ACCEPT
IPTABLES now looks like this and finally I can connect to MySQL remotely:
To list the iptables with line numbers type:
sudo iptables -nL --line-numbers
Final thoughts:
This can be improved by whitelisting the source IP address from where you're making the remote connection, for security reasons.
I had a similar problem with a VM instance.
I tested everything and it was solved by creating a new user on MySQL.
I used this post to solve it.
NOTE: the operating system is Ubuntu 14.*
I am breaking my head over the connection to my MYSQL server. I try to connect to my MYSQL server internally through my public IP. But I am unable to connect. While I am able to connect when I connect to localhost and when I connect externally.
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
I commented the bind-address out and this should bind the address to 0.0.0.0. I also tried to set the bind-address to 0.0.0.0. This also doesn't work.
My hosts file is setup up as follows:
127.0.0.1 MY-IP
When I telnet on port 80 to my public IP there is no problem.
telnet MY-IP 80
I get:
Trying MY-IP...
Connected to MY-IP.
Escape character is '^]'.
But when I try this on port 3306 it just keeps on:
Trying MY-IP...
I also granted all the right permissions to my MYSQL users. And I am able to connect externally and internally. But it is not possible for me to connect internally with my public IP.
Also I tried to find a solution with netstat.
netstat -tln
gives me
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
EDIT: Just disabled UFW. It still doesn't work.
ufw status
Status: inactive
EDIT2: Is it possible that mysql is ignoring the /etc/hosts file?
Could somebody help me a bit further with some great ideas of where the problem might be?
You should change the bind address to 0.0.0.0 then restart the mysqld. Also make sure there is no firewall enabled:
iptables -n -L
if there are rules blocking port 3306, delete them, or just disable the firewall with
iptables -F
also use netstat to check if the server is listening on the external ip:
netstat -tupan |grep :3306
We are facing a strange problem for the last few days between our application server and database server (MySQL): the connection to the database server from the application server hangs in SYN_SENT state and after that we are not able to make any connection to the database server on the mysql port (3306). When we checked the netstat output on the database server it's in SYN_RECV state.
What I can figure out is the mysql server is receiving the SYN request and responding also, and it's not reaching the client, hence SYN_RECV at server side and SYN_SENT at client side. I think the SYN_SENT state should go after some time and because of this other db connection attempts to the same server should not hang.
Does anybody have any idea how can we resolve this issue?
Our setup details: Application server: RHEL 5.4, kernel-release = 2.6.18-164.el5, x86_64. Database server: MySQL version 5.1.49, RHEL 5.4, kernel-release = 2.6.18-164.el5, x86_64
Fix for server with only localhost access:
set 127.0.0.1 in the bind address in my.cnf
Fix for connections from remote IPs
(replace REMOTE_IP with the remote IP)
iptables -A INPUT -p tcp -d 127.0.0.1 --dport 3306 -s REMOTE_IP -j ACCEPT
iptables -A INPUT -p udp -d 127.0.0.1 --dport 3306 -s REMOTE_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP
iptables -A INPUT -p udp --dport 3306 -j DROP
Also you need to set bind ip in my.cnf to 0.0.0.0. Second rule you don't need, I just made it to be sure ;) (udp part)
Proof of concept:
first allow the connection from the remote IP to the destination (-d 127.0.0.1 = localhost)
-p tcp / udp = protocol tcp or udp
after these rules you need to make a rule to drop all requests to tcp / udp connections to port 3306.
Why is this working:
Because iptables goes "numerically": always one rule after another.
you can see your rules with the command:
iptables -L INPUT -n --line-numbers
the first rule which is displayed is the first rule so if you say accept all connections and afterward drop from ip x.x.x.x all connections then it doesn't work.
you need to pick as first rule to drop all connections from this ip and afterwards allow all connections. (it's a bad example..)
if you got an entry wrong you can display your rules, take the number in front of the rule and drop the rule with the command:
iptables -D INPUT <<number here>>
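The two answers above (the tcpdump/iptables ordering fix and the "why is this working" explanation), together with the earlier netstat check for the bind address, all come down to the same two questions: is mysqld listening on a non-loopback address, and which INPUT rule does a new connection to port 3306 hit first? The following script is an added example, not code from any of the posts, that answers both offline by reading `netstat -tln` and `iptables -S INPUT` style output. The listings it reads are constructed to mirror the MariaDB post (ACCEPT placed after a blanket tcp REJECT) and the fixed, whitelisted order; the rule matcher is a deliberate simplification (assumption: it understands -p, -s/--src with an IPv4 prefix, --dport, -i lo and --state/--ctstate, not negations or other match extensions).

```shell
#!/bin/sh
# Added example, not from any post above. Two offline checks that reproduce
# the diagnosis in these answers: (1) which address mysqld is bound to, read
# from `netstat -tln` output, and (2) which INPUT rule a fresh TCP connection
# to port 3306 from a given source hits first, read from `iptables -S INPUT`
# output. Both read constructed sample listings so the script runs anywhere;
# pipe real command output into them on a server.

# listen_scope PORT   (stdin: netstat -tln output)
# Prints "all", "localhost", the bound address, or "none".
listen_scope() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":"); p = a[n]
            addr = substr($4, 1, length($4) - length(p) - 1)   # keeps "::" intact
            if (p == port) {
                if (addr == "0.0.0.0" || addr == "::")         print "all"
                else if (addr == "127.0.0.1" || addr == "::1") print "localhost"
                else                                           print addr
                found = 1; exit
            }
        }
        END { if (!found) print "none" }'
}

# verdict_for SRC_IP PORT   (stdin: iptables -S INPUT output)
# Walks the rules in order, as the kernel does, and prints "<rule#> <target>"
# for the first rule a new TCP SYN to PORT from SRC_IP matches, or
# "policy <target>" if none does. Simplified matcher (assumption): handles
# -p, -s/--src (IPv4, optional /prefix), --dport, -i lo and --state/--ctstate.
verdict_for() {
    awk -v src="$1" -v port="$2" '
    function ip2n(ip,  a) { split(ip, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    function in_cidr(ip, cidr,  p, bits, div) {
        bits = (split(cidr, p, "/") == 2) ? p[2] : 32
        div = 2 ^ (32 - bits)                       # no bit operators in POSIX awk
        return int(ip2n(ip) / div) == int(ip2n(p[1]) / div)
    }
    $1 == "-P" { policy = $3; next }
    $1 == "-A" {
        idx++; proto = dport = s = iface = state = target = ""
        for (i = 3; i <= NF; i++) {
            if      ($i == "-p")                           proto  = $(i+1)
            else if ($i == "--dport")                      dport  = $(i+1)
            else if ($i == "-s" || $i == "--src")          s      = $(i+1)
            else if ($i == "-i")                           iface  = $(i+1)
            else if ($i == "--state" || $i == "--ctstate") state  = $(i+1)
            else if ($i == "-j")                           target = $(i+1)
        }
        if ((proto == "" || proto == "tcp") && (dport == "" || dport == port) &&
            (s == "" || in_cidr(src, s)) && iface != "lo" &&
            (state == "" || state ~ /NEW/)) { print idx, target; found = 1; exit }
    }
    END { if (!found) print "policy", policy }'
}

# Constructed listings. BROKEN_RULES mirrors the MariaDB post: the ACCEPT for
# 3306 sits after a blanket tcp REJECT and is never reached.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'

BROKEN_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT'

# FIXED_RULES: the 3306 ACCEPT is inserted before the REJECT and narrowed to
# the subnet the remote client connects from (the whitelist the answer suggests).
FIXED_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset'

echo "mysqld listens on:           $(printf '%s\n' "$SAMPLE_NETSTAT" | listen_scope 3306)"
echo "broken, client 203.0.113.5:  $(printf '%s\n' "$BROKEN_RULES" | verdict_for 203.0.113.5 3306)"
echo "fixed,  client 203.0.113.5:  $(printf '%s\n' "$FIXED_RULES"  | verdict_for 203.0.113.5 3306)"
echo "fixed,  client 198.51.100.9: $(printf '%s\n' "$FIXED_RULES"  | verdict_for 198.51.100.9 3306)"
```

On a live server, `sudo iptables -S INPUT | verdict_for <client ip> 3306` tells you in one line whether the rule order lets that client through, and the rule number it prints is the same one `iptables -nL --line-numbers` shows, so you know exactly where to `-I` the ACCEPT. The whitelisted form in FIXED_RULES is what the "final thoughts" above recommend: the ACCEPT is restricted to the client's subnet, so every other source still lands on the REJECT.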
Driver={MySQL ODBC 5.1 Driver};Server=192.168.1.103;Database=mysql;User=root; Password=;Option=3;
It works just fine when use localhost or 127.0.0.1, but not 198.168.1.100 (IP of the current machine).
MySQL is part of XAMPP on a Windows machine.
That depends on if MySQL is binding to 198.168.1.103 or not.
Edit:
To check how MySQL is listening, run the netstat command in a command prompt:
netstat -an | find "3306"
If it is listening on 192.168.1.103, you should see an entry with that IP in the results. If you don't, then you will need to use 127.0.0.1 or localhost for your connections, unless you want to set it up otherwise.
Reply from OP: I get this
C:\Users\me>netstat -an | find "3306"
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3306 127.0.0.1:49973 ESTABLISHED
TCP 127.0.0.1:49973 127.0.0.1:3306 ESTABLISHED
C:\Users\me>
So you are indeed listening on all interfaces and 192.168.1.103 would be accessible. Looking over your login credentials, yes that would be the issue. You're trying to login as root, which will only have localhost network access.
Basically, when you're dealing with MySQL user permissions, you generally have a username, password, and hostname. With this in mind, the same user could require a different password to login, depending on where they are connecting from.
There is a way to make it so that root can connect through 192.168.1.103 but you should not do this! The reason is that the root user has complete access to your database. If you want to login still, you would need to create a new user, and set them as able to connect from whatever IP address the MySQL server sees the user as, in the case 192.168.1.103.
I want to add another TCP port to MySQL so that I can connect to that port from my application.
I have a duplicate of my application and I'm running them both from the same machine. They both are connected to the MySql server that are running on the same machine. The problem is that the default port 3306 is already taken.
You cannot bind mysqld to listen to multiple ports. The only way you can achieve this is with internal routing rules which would forward the target port to 3306.
If you are on linux, you can achieve this using iptables. iptables is a bundle of fun normally reserved for system administrators though.
Is there a reason why both copies of your application can't connect to the same port 3306? Normally you should be able to have any number of clients connecting.
You can do that with something like this:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9005 -j REDIRECT --to-port 9000
Where eth0 is your network dev, 9005 is your "source port", and 9000 the port where your service is running. Oh, that example is for TCP protocol only.
You can find more examples about port redirection here. Useful site for Linux, btw.
A single mysql instance can host multiple databases. So an alternative for you is that each application connects to the same mysql instance running at port 3306, but each uses a different database name.