Yet Another Port 3306 Blockage

Trying to connect remotely to the DB. A port scan on my public IP or FQDN is showing port 3306 closed. Checked/set the following:

  1. Port forwarding set on router to Virtualmin LAN shared IP address.
  2. Webmin -> Servers -> MySQL Database Server -> MySQL Server Configuration, and set "MySQL server listening address" to "0.0.0.0"
  3. Added DB user and granted permission to connect to DB
  4. IP address of the machine trying to connect on 3306 added to Virtualmin --> Edit Databases --> Remote Hosts. (This option is only available on the top-level domain; my DB server is actually a sub-server, don't know whether this matters?)
  5. iptables -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
  6. /etc/init.d/iptables restart
  7. iptables -L -n:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:20
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:21
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Port scan still not showing it open, it's not showing up in "iptables -L -n", and I can't connect remotely with the database user's credentials using the host name or public IP.

Please help!

Status: Active

Comments

It doesn't look like port 3306 is allowed in your firewall rules. You may want to try re-running that iptables command to allow port 3306, and then review the firewall rules afterwards to make sure it shows up there.

Applied the rule again but it's still not showing up after /etc/init.d/iptables restart

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:20
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:21
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Well, apply the rule, but don't restart iptables quite yet -- does that rule show up in the iptables list?

And does the remote MySQL access work at that point?

Yes, it's there now. And yes, it looks like I can connect. LOL, I wish I was as smart as you guys. What's going on, how can I keep this rule, or is this rule even correct for what I'm trying to do?

Oops sorry, I guess I was just seeing the cache from my local copy. It's not connecting to the remote.

The rule is there though without restart...

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:20
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:21
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Oh I see, the allow for port 3306 is appearing after the line which rejects all traffic.

What you'd need to do is move the allow line for port 3306 higher up in the chain.

You can move that from within Webmin -> Networking -> Linux Firewall.
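As an added example (not code from the thread or from Virtualmin), a small Python audit that parses `iptables -L -n` output and reports ACCEPT rules that were appended below a catch-all REJECT, which is the ordering problem described above; the listing it parses is constructed, modelled on the thread's third output, and the function names are mine.

```python
# Added example, not from the thread or Virtualmin: audit `iptables -L -n` output
# for ACCEPT rules appended below a catch-all REJECT/DROP, which can never match.
import re
# Constructed listing (modelled on the thread's third output; 3306 appended with -A).
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
"""
RULE = re.compile(r"^(ACCEPT|DROP|REJECT)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_chains(listing):
    """{chain: [(target, proto, src, dst, match), ...]} in rule order; opt column skipped."""
    chains, current = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current is not None and (m := RULE.match(line)):
            chains[current].append(m.groups())
    return chains

def is_catch_all(rule):
    """Terminal REJECT/DROP on all protocols from anywhere to anywhere."""
    target, proto, src, dst, extra = rule
    return (target in ("REJECT", "DROP") and proto == "all"
            and src == dst == "0.0.0.0/0"
            and (extra == "" or extra.startswith("reject-with")))

def catch_all_position(rules):
    """1-based index of the first catch-all (the <n> for `iptables -I INPUT <n>`), or None."""
    return next((i for i, r in enumerate(rules, 1) if is_catch_all(r)), None)

def shadowed_rules(rules):
    """(position, rule) pairs after the catch-all; these are never evaluated."""
    n = catch_all_position(rules)
    return [] if n is None else [(i, r) for i, r in enumerate(rules, 1) if i > n]

def accept_before_catch_all(rules, port):
    """True if an ACCEPT for dpt:<port> is reached before any catch-all."""
    for rule in rules:
        if is_catch_all(rule):
            return False
        if rule[0] == "ACCEPT" and f"dpt:{port}" in rule[4].split():
            return True
    return False
```

Note that `iptables -L -n` hides interface matches, so the bare "ACCEPT all" in the thread's listing is the lo rule shown by Webmin; run `iptables -L -n -v --line-numbers` to see interfaces and the positions to pass to `-I`.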

Not showing up in Linux firewall...

Accept If protocol is UDP and destination port is ftp-data
Accept If protocol is UDP and destination port is ftp
Accept If protocol is UDP and destination port is domain
Accept If protocol is TCP and destination port is 20000
Accept If protocol is TCP and destination port is 10000
Accept If protocol is TCP and destination port is https
Accept If protocol is TCP and destination port is http
Accept If protocol is TCP and destination port is imaps
Accept If protocol is TCP and destination port is imap
Accept If protocol is TCP and destination port is pop3s
Accept If protocol is TCP and destination port is pop3
Accept If protocol is TCP and destination port is ftp-data
Accept If protocol is TCP and destination port is ftp
Accept If protocol is TCP and destination port is domain
Accept If protocol is TCP and destination port is submission
Accept If protocol is TCP and destination port is smtp
Accept If protocol is TCP and destination port is ssh
Accept If state of connection is ESTABLISHED,RELATED
Accept If protocol is ICMP
Accept If input interface is lo
Accept If protocol is TCP and destination port is 22 and state of connection is NEW
Reject Always

I tried adding it manually through Webmin --> Networking --> Linux Firewall via Add Rule > Action to take = Accept, Source TCP or UDP port = 3306, Destination TCP or UDP port = 3306

Get error: Failed to save rule : Source and destination port conditions can only be used if the protocol is TCP, UDP or SCTP

Guess I should have gone to bed earlier last night, I saw it straight away this morning. I missed the Network protocol setting in Linux Firewall so was able to add rule and move up above reject line. This time it showed up in "iptables -L -n" even after "/etc/init.d/iptables restart". The port scan is now showing up as open.

Thank you so much for your help!!!!

Oh that's super, I was getting ready to ask Jamie for some ideas, as I wasn't quite sure what was going on there! I'm glad you figured it out though.

Feel free to let us know if you have any other questions!