
I have two CentOS VMs.

The IP Addresses are as follows :

  • VM_1 => 10.99.0.10
  • VM_2 => 10.99.0.12

Apache and PHP are on VM_1 and MySQL is on VM_2. Both have iptables rules. VM_2 is working fine with its rules. Now I am testing from VM_1.

First, I disabled iptables on VM_1 and connected to MySQL on VM_2 (connected successfully).

[root@foster ~]# service iptables stop
iptables: Applying firewall rules:                         [  OK  ]
[root@foster ~]# mysql -h 10.99.0.12 -u root -p
Enter password:

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 5.6.21 MySQL Community Server (GPL)
...

Second, I enabled iptables on VM_1 and connected to MySQL on VM_2 (it never responds, even after hours and hours).

[root@foster ~]# service iptables start
iptables: Applying firewall rules:                         [  OK  ]
[root@foster ~]# mysql -h 10.99.0.12 -u root -p
Enter password:

What is wrong with my iptables rules? Here are my iptables rules:

[root@foster ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state NEW,ESTABLISHED
ACCEPT     tcp  --  10.99.0.12           anywhere            tcp dpt:mysql state NEW,ESTABLISHED
ACCEPT     tcp  --  localhost            anywhere            tcp dpt:mysql state NEW,ESTABLISHED
LOGGING    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql state ESTABLISHED

Chain LOGGING (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 2/min burst 5 LOG level debug prefix `IPTables Dropped -:- '
DROP       all  --  anywhere             anywhere
msrd0

1 Answer


The issue is that you don't allow new connections to be established to MySQL, and you inverted sport and dport:

Chain INPUT (policy DROP)
...
ACCEPT     tcp  --  10.99.0.12 anywhere  tcp dpt:mysql state   NEW,ESTABLISHED
ACCEPT     tcp  --  localhost  anywhere  tcp dpt:mysql state   NEW,ESTABLISHED
...

Chain OUTPUT (policy DROP)
...
ACCEPT     tcp  --  anywhere   anywhere  tcp spt:mysql state   ESTABLISHED
ACCEPT     tcp  --  anywhere   anywhere  tcp spt:mysql state   ESTABLISHED
...

The right iptables -L output should instead be:

Chain INPUT (policy DROP)
...
ACCEPT     tcp  --  10.99.0.12 anywhere  tcp spt:mysql state   ESTABLISHED
ACCEPT     tcp  --  localhost  anywhere  tcp spt:mysql state   ESTABLISHED
...

Chain OUTPUT (policy DROP)
...
ACCEPT     tcp  --  anywhere   anywhere  tcp dpt:mysql state   NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere   anywhere  tcp dpt:mysql state   NEW,ESTABLISHED
...
Xavier Lucas
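
The following is an added example, not part of the original question or answer: a small first-match simulator that runs the three packets of VM_1's TCP handshake to VM_2:3306 through the MySQL rows as posted and as corrected. It assumes that no other row of the ruleset matches this traffic (plain `iptables -L` does not show interface matches, so the catch-all ACCEPT rows are taken to be interface-bound); the localhost rows are omitted, and the ephemeral port 40000 and all class and function names are constructed for illustration.

```python
# Added example: first-match evaluation of the MySQL rows quoted in the answer.
# Assumption: no other row of the ruleset matches this traffic.
from dataclasses import dataclass

MYSQL = 3306
VM_1, VM_2 = "10.99.0.10", "10.99.0.12"

@dataclass(frozen=True)
class Rule:
    chain: str            # "INPUT" or "OUTPUT"
    states: frozenset     # conntrack states the rule accepts
    src: str = None       # None = anywhere
    sport: int = None     # None = any port
    dport: int = None

@dataclass(frozen=True)
class Packet:
    chain: str
    state: str
    src: str
    sport: int
    dport: int

def verdict(rules, pkt):
    """Return ACCEPT if any rule in the packet's chain matches, else policy DROP."""
    for r in rules:
        if (r.chain == pkt.chain and pkt.state in r.states
                and r.src in (None, pkt.src)
                and r.sport in (None, pkt.sport)
                and r.dport in (None, pkt.dport)):
            return "ACCEPT"
    return "DROP"

NEW_EST, EST = frozenset({"NEW", "ESTABLISHED"}), frozenset({"ESTABLISHED"})

# Rows as posted in the question (server-style rules on a client).
ORIGINAL = [Rule("INPUT", NEW_EST, src=VM_2, dport=MYSQL),
            Rule("OUTPUT", EST, sport=MYSQL)]
# Rows as corrected in the answer (client-style rules).
CORRECTED = [Rule("INPUT", EST, src=VM_2, sport=MYSQL),
             Rule("OUTPUT", NEW_EST, dport=MYSQL)]

# Constructed packets: VM_1 (ephemeral port 40000) opening a session to VM_2:3306.
HANDSHAKE = [Packet("OUTPUT", "NEW", VM_1, 40000, MYSQL),          # SYN
             Packet("INPUT", "ESTABLISHED", VM_2, MYSQL, 40000),   # SYN-ACK
             Packet("OUTPUT", "ESTABLISHED", VM_1, 40000, MYSQL)]  # ACK

def trace(rules):
    return [verdict(rules, p) for p in HANDSHAKE]

if __name__ == "__main__":
    print("original :", trace(ORIGINAL))
    print("corrected:", trace(CORRECTED))
```

With the posted rows the outgoing SYN already falls through to the OUTPUT policy DROP, which is why the client hangs instead of being refused.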