IPTables preventing remote connection to MySQL

SemperFly asked:

My table rules:

sudo iptables -L --line-numbers

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
2    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
3    ACCEPT     icmp --  anywhere             anywhere
4    ACCEPT     all  --  anywhere             anywhere
5    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
6    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql
7    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Additional Information

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1083K  263M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
3942M 4886G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  734 42672 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  864 62326 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  138  8568 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
  151 20254 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 778 packets, 161K bytes)
 pkts bytes target     prot opt in     out     source               destination

By removing rule 7 from the input chain, I am able to gain access to the server remotely. My understanding is that any rules preceding rule 7 should be unaffected by it, so rule 6 should be superseding it for MySQL connections.

Are there any additional rules I should add/modify?

My answer:


Your iptables rule allows incoming connections to port 3306, but only on the eth0 interface. You are probably trying to connect from a different interface.

To resolve the issue, replace the rule with one that allows the traffic you need. For instance to allow traffic from all interfaces:

iptables -R INPUT 6 -m state --state NEW -p tcp --dport 3306 -j ACCEPT

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.