I am trying to set up mysql so that a user 'imbnpandmkexby' can connect to database 'de0rllo43ct314' from any remote IP address, or locally.
=========== THESE ARE THE STEPS I'VE TAKEN: ===========
1) In my MySQL config, I have commented out the bind-address line, verified that skip-networking is not in the file, and restarted mysql:
#/etc/mysql/my.cnf:
#bind-address = 127.0.0.1
2) I added remote permissions (by using the '%') for user 'imbnpandmkexby' on the desired database 'de0rllo43ct314':
[ remote ] > mysql -u root -p
[ mysql ] > GRANT ALL PRIVILEGES ON de0rllo43ct314.* TO 'imbnpandmkexby'@'localhost' IDENTIFIED BY 'passwordhere' WITH GRANT OPTION;
[ mysql ] > GRANT ALL PRIVILEGES ON de0rllo43ct314.* TO 'imbnpandmkexby'@'127.0.0.1' IDENTIFIED BY 'passwordhere' WITH GRANT OPTION;
[ mysql ] > GRANT ALL PRIVILEGES ON de0rllo43ct314.* TO 'imbnpandmkexby'@'%' IDENTIFIED BY 'passwordhere' WITH GRANT OPTION;
[ mysql ] > FLUSH PRIVILEGES;
[ mysql ] > select * from mysql.user\G
This outputs:
*************************** 6. row ***************************
Host: localhost
User: imbnpandmkexby
Password: *0000000000000000000000
...
*************************** 7. row ***************************
Host: 127.0.0.1
User: imbnpandmkexby
Password:
...
*************************** 8. row ***************************
Host: %
User: imbnpandmkexby
Password:
...
3) At this point I can connect with an SSH tunnel using Sequel Pro. The user appears to have all the right permissions.
4) Next I opened a firewall port and verified that MySQL is listening on that port:
[ remote ] > sudo iptables -I INPUT 10 -p tcp --dport 3306 -j ACCEPT
[ remote ] > sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:4505
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:4506
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:zabbix-agent
ACCEPT tcp -- anywhere anywhere tcp dpt:zabbix-trapper
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Since this box is hosted on Amazon EC2, I also opened up port 3306 in its security group.
5) I can telnet into the port:
Trying 00.00.00.000...
Connected to ec2-00.00.00.000.us-west-2.compute.amazonaws.com.
Escape character is '^]'.
=========== THIS IS WHERE I'M STUCK: ===========
(00.00.00.000 is shown instead of the actual IP.)
When I try connecting to the database from my local machine, it doesn't work:
[ local ] > mysql -u imbnpandmkexby -h 00.00.00.000 -p
[ local ] > Enter password:
[ local ] > ERROR 2003 (HY000): Can't connect to MySQL server on '00.00.00.000' (61)
I am able to connect to a database on a dreamhost server, so it doesn't seem to be a block on my side:
[ local ] > mysql -u dreamhost_user -h mysql.dreamhostdomain.com -p
[ local ] > Enter password:
[ local ] > Welcome to the MySQL monitor. Commands end with ; or \g.
Is there a layer of permissions that I'm missing?
Okay, finally figured it out! I had a combination of two problems:
1) My MySQL rule was coming after a REJECT rule in the iptables:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:4505
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:4506
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:zabbix-agent
ACCEPT tcp -- anywhere anywhere tcp dpt:zabbix-trapper
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
What I did was remove the last rule, and re-add it at index 10:
[ remote ] > sudo iptables -vnL --line-numbers ## prints rules along with line numbers
[ remote ] > sudo iptables -D INPUT 14
[ remote ] > sudo iptables -I INPUT 10 -p tcp --dport 3306 -j ACCEPT
I knew this was a step in the right direction because I was now able to connect to the box via telnet ("telnet 00.00.00.000 3306").
2) The second problem I had was that my MySQL user only had a password set on the 'localhost' user, not the users with access to '127.0.0.1' or '%'. It turns out that each user-host combination needs a password. Now when I run "select * from mysql.user\G" in the MySQL console, I get:
*************************** 6. row ***************************
Host: localhost
User: imbnpandmkexby
Password: *0000000000000000000000
...
*************************** 7. row ***************************
Host: 127.0.0.1
User: imbnpandmkexby
Password: *0000000000000000000000
...
*************************** 8. row ***************************
Host: %
User: imbnpandmkexby
Password: *0000000000000000000000
...
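As an added example (not code from the original post or from the answerer), here is a small Python audit for the first problem: given the chain as `iptables -S INPUT` prints it, it reports rules that sit below an unconditional REJECT/DROP and therefore can never match, builds the delete/re-insert pair that moves such a rule above the catch-all, and replays that pair on the dump so the result can be re-checked. The dump is constructed from the listing above (service names resolved to port numbers); the `-i lo` match on rule 1 and the `203.0.113.0/24` source network are assumptions.

```python
import shlex

# Constructed sample, not from the original post: the answer's INPUT chain as
# `iptables -S INPUT` would print it (same rules in the same order, service
# names resolved to port numbers, and the assumed `-i lo` match that
# `iptables -L` hides on rule 1 made visible).
IPTABLES_DUMP = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 4505 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 4506 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10050 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10051 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min --limit-burst 5 -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
"""

TERMINAL_TARGETS = {"DROP", "REJECT"}


def parse_chain(dump, chain="INPUT"):
    """Return [(rule_number, match_tokens, target, target_option_tokens)]."""
    rules = []
    for line in dump.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4 or tok[0] != "-A" or tok[1] != chain or "-j" not in tok:
            continue
        j = tok.index("-j")
        rules.append((len(rules) + 1, tok[2:j], tok[j + 1], tok[j + 2:]))
    return rules


def first_catch_all(rules):
    """Number of the first DROP/REJECT that carries no match at all, or None."""
    for num, matches, target, _ in rules:
        if target in TERMINAL_TARGETS and not matches:
            return num
    return None


def shadowed_rules(dump, chain="INPUT"):
    """Rule numbers that can never match: a catch-all DROP/REJECT sits above them."""
    rules = parse_chain(dump, chain)
    wall = first_catch_all(rules)
    return [] if wall is None else [num for num, *_ in rules if num > wall]


def fix_commands(dump, num, chain="INPUT", source=None):
    """The delete/re-insert pair that moves rule `num` directly above the
    catch-all; `source` (a CIDR) narrows the re-inserted rule to one network."""
    rules = parse_chain(dump, chain)
    wall = first_catch_all(rules)
    if wall is None:
        raise ValueError("no catch-all DROP/REJECT in chain; nothing to reorder")
    _, matches, target, opts = rules[num - 1]
    if source:
        matches = ["-s", source] + matches
    slot = wall - 1 if num < wall else wall  # catch-all's number after the delete
    spec = " ".join(shlex.quote(t) for t in matches + ["-j", target] + opts)
    return [f"iptables -D {chain} {num}", f"iptables -I {chain} {slot} {spec}"]


def apply_fix(dump, num, chain="INPUT", source=None):
    """Replay fix_commands() on the text dump so the result can be re-audited."""
    _, insert = fix_commands(dump, num, chain, source)
    slot, spec = int(insert.split()[3]), insert.split(None, 4)[4]
    lines = [l for l in dump.splitlines() if l.startswith(f"-A {chain} ")]
    del lines[num - 1]
    lines.insert(slot - 1, f"-A {chain} {spec}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("shadowed:", shadowed_rules(IPTABLES_DUMP))
    for cmd in fix_commands(IPTABLES_DUMP, 14, source="203.0.113.0/24"):
        print(cmd)
    print("after fix:", shadowed_rules(apply_fix(IPTABLES_DUMP, 14)))
```

Two practitioner notes. First, `iptables -L` without `-v` does not print interface matches, which is why rule 1 in the listings above looks like an unconditional ACCEPT; reading the chain with `iptables -S` removes that ambiguity, and the `reject-with icmp-port-unreachable` on the catch-all is what makes a client fail immediately with "Can't connect" rather than time out. Second, an ACCEPT for tcp/3306 from anywhere, combined with a `'%'` grant, leaves the account open to password guessing from the whole internet; pass `source=` to narrow the re-inserted rule to the client's network and mirror the same restriction in the EC2 security group.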
Run tcpdump on the MySQL server to ensure tcp/3306 is actually getting to that box, or to see where it's being blocked.
If connecting to remote tcp/3306 hangs and times out, it's being blackholed or denied by a firewall. If it comes back right away with "can't connect", it's most likely making it all the way to the server but being rejected (and a TCP response is returned).