-1

I entered the following commands into a Debian Linux terminal:

sysctl net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp --dport Port2 -j DNAT --to-destination yyy.yyy.yyy.yyy:Port1
iptables -t nat -A POSTROUTING -j MASQUERADE

Soon after, MySQL failed and it would not allow anything to connect to it. One of the errors was

"Host xxx-xxx-xxx-xxx.static.xyzxyzxyz.xyz' is not allowed to connect to this MYSQL server"

The xxx-xxx-xxx-xxx is the IP on which I entered the iptables commands above.

quanta
Jupiter
  • The IP address trying to connect is the xxx IP on the default port of 3306. Also, where can I find the config for MySQL? Also, I was trying to make one port on the xxx IP go to another on the YYY IP with those commands. – Jupiter Jul 14 '13 at 03:26
  • Why would you add a rule to MASQUERADE *every single packet*? – David Schwartz Jul 14 '13 at 07:30
  • 1
    This question does not appear to be about professional server, networking, or related infrastructure administration, within the scope defined in the help center. – Jenny D Jul 14 '13 at 18:37

2 Answers

1

It is really not so easy to answer the question without having a full view, but I can guess that, since you were playing with NAT, and based on the error you provided, the client host appears to the server differently than it did before.

For example, the server allows connections from 10.10.10.10. Now you have NAT and the client appears to be 20.20.20.20, thus the server does not allow the connection.

I would do it like this:

1) Check the MySQL config and see which hosts it will allow to connect.

2) Open the MySQL logs and see what the IP address of the client that tries to connect is.

3) Is this IP address allowed by the MySQL config?

VL-80
  • The IP address trying to connect is the xxx IP on the default port of 3306. Also, where can I find the config for MySQL? Also, I was trying to make one port on the xxx IP go to another on the YYY IP with those commands. – Jupiter Jul 14 '13 at 01:58
  • I am not using Debian nor MySQL, but I can guess logs would be in /var/log/ and config in /etc/my.cnf or /etc/mysql/my.cnf. You have to check the log. Without looking at the logs, your chances of resolving the problem are very small. – VL-80 Jul 14 '13 at 03:14
  • I am unable to find the log for MySQL. However, I did find the config. The bind-address is 127.0.0.1 (localhost); should I change that to the xxx IP? I recently added another IP to the computer, which may cause an issue for what IP localhost is on. – Jupiter Jul 14 '13 at 03:40
  • No, you should not change the bind address to the xxx IP. I will continue to advise you to use the log file to determine the root of your problem. Without doing so we can go the wrong way. Per [this](http://www.cyberciti.biz/faq/location-of-mysql-logs-in-linux-unix-bsd-apple-osx/) the default location of the logfile is /var/log/mysql.log. If you don't have this file, check the MySQL config file and find the setting that turns on logging. Also you can check if MySQL sends its logs to /var/log/syslog or /var/log/messages – VL-80 Jul 14 '13 at 13:48
1

For your NAT rules, you need to specify something like an input interface. Otherwise all kinds of traffic will have the NAT rules applied to it. In particular, specifying a masquerade target without any filters at all is likely to cause odd behaviour.

I'm assuming you have rules set up to allow only certain specified hosts to connect to MySQL. Most likely what is happening is that your untargeted masquerade rule is causing the IP address which is allowed to connect to be replaced with another address, in a scenario that could only be described confusingly, which breaks the IP-based access control.

Falcon Momot
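A scoped version of the two rules from the question, following Falcon Momot's point that the masquerade rule needs a match, as an added example that is not part of the question or of either answer. The interface name eth0, the ports 8080 and 80 and the backend address 192.0.2.10 are assumed stand-ins for the question's ingress interface, Port2, Port1 and yyy.yyy.yyy.yyy. The script prints the rules unless IPT=iptables is set, and carries a small lint that flags a POSTROUTING MASQUERADE or SNAT rule with no match at all, which is the shape of the rule that broke the MySQL host grants.

```shell
#!/bin/sh
# Added example, not code from the question or the answers. Assumed stand-ins:
# WAN_IF for the interface the forwarded clients arrive on, LISTEN_PORT for
# Port2, BACKEND:BACKEND_PORT for yyy.yyy.yyy.yyy:Port1. Dry run by default:
# with IPT unset the rules are printed, not applied; run with IPT=iptables as root.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"
LISTEN_PORT="${LISTEN_PORT:-8080}"
BACKEND="${BACKEND:-192.0.2.10}"   # RFC 5737 documentation address
BACKEND_PORT="${BACKEND_PORT:-80}"

# The rules from the question, for comparison (not applied here):
#   iptables -t nat -A PREROUTING -p tcp --dport Port2 -j DNAT --to-destination yyy.yyy.yyy.yyy:Port1
#   iptables -t nat -A POSTROUTING -j MASQUERADE
# The second rule has no match, so it rewrites the source address of every new
# connection leaving the host, including the host's own MySQL clients, which
# then no longer match the host part of their MySQL grants.

apply_scoped_rules() {
    # Forward only traffic that arrives on WAN_IF for LISTEN_PORT.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$LISTEN_PORT" \
        -j DNAT --to-destination "$BACKEND:$BACKEND_PORT"
    # Source-NAT only the connections the DNAT rule above rewrote (conntrack
    # state DNAT) and only towards the backend; every other connection keeps
    # its real source address, so MySQL still sees the original client.
    $IPT -t nat -A POSTROUTING -p tcp -d "$BACKEND" --dport "$BACKEND_PORT" \
        -m conntrack --ctstate DNAT -j MASQUERADE
}

# Lint one rule line: returns 1 for a POSTROUTING MASQUERADE or SNAT rule that
# carries no interface, address or conntrack match at all, 0 otherwise.
masquerade_is_scoped() {
    case "$1" in
        *POSTROUTING*MASQUERADE*|*POSTROUTING*SNAT*) ;;
        *) return 0 ;;   # not a source-NAT rule, nothing to check
    esac
    case "$1" in
        *' -o '*|*' -s '*|*' -d '*|*' --ctstate '*) return 0 ;;
    esac
    return 1
}

# Dry-run the rule set and lint every emitted line; fails on the first
# unscoped source-NAT rule.
lint_scoped_rules() {
    ( IPT='echo iptables'; apply_scoped_rules ) | while IFS= read -r line; do
        masquerade_is_scoped "$line" || exit 1
    done
}

# Number of rules the dry run emits (one DNAT, one scoped MASQUERADE).
count_scoped_rules() {
    ( IPT='echo iptables'; apply_scoped_rules ) | grep -c '^iptables '
}

# Stand-alone use: print (or, with IPT=iptables, apply) the rules, then lint.
apply_scoped_rules
lint_scoped_rules || echo "unscoped source-NAT rule found" >&2
```

After applying the rules, `iptables -t nat -L -n -v` shows per-rule packet counters, so the MASQUERADE counter should only move when the forwarded port is used; a MySQL client on the same host should still match its grant's host column, which `SELECT user, host FROM mysql.user;` lists. Restricting the masquerade with `-o "$WAN_IF"` instead of the conntrack match also works, as long as the hosts allowed in MySQL never reach the server through that interface.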