Cannot reach a RH9

 
 
Brunt
      06-07-2004, 02:23 PM
Hello,

I have a RH9 in an internal network and a firewall to go on internet. I can't
understand where's the problem:

I want to use MySQL from an external static IP Address, but this RH9 runs
perfectly on internal network, but no response for connection arriving from
other networks.

- ipchains is not running
- Declared opened on hosts.allow (anyway I can't see anything on secure log)
- I can ping RH9 from internet (forwarding correct ports)
- I've tried also using HTTP or TELNET with same results.

Where's the problem?

thanks



 
Ed
      06-07-2004, 03:27 PM
On Mon, 07 Jun 2004 16:23:39 +0200, Brunt wrote:

> Hello,
>
> I have a RH9 in an internal network and a firewall to go on internet. I can't
> understand where's the problem:
>
> I want to use MySQL from an external static IP Address, but this RH9 runs
> perfectly on internal network, but no response for connection arriving from
> other networks.
>
> - ipchains is not running
> - Declared opened on hosts.allow (anyway I can't see anything on secure log)
> - I can ping RH9 from internet (forwarding correct ports)
> - I've tried also using HTTP or TELNET with same results.
>
> Where's the problem?
>
> thanks


Is the RH9 box your firewall or is it in the LAN? If in LAN you'll have
to use forwarding. Have you scanned your ports from the net or run
"netstat -na"?

Let me know
Ed.
 
Brunt
      06-07-2004, 04:19 PM
>
> Is the RH9 box your firewall or is it in the LAN? If in LAN you'll have
> to use forwarding. Have you scanned your ports from the net or run
> "netstat -na"?
>
> Let me know
> Ed.


It isn't my firewall. On FW I've forwarded some ports on that PC:

7 (TCP) to ping
80 (TCP) and 23 (TCP) to verify if I can connect to some services
3306 (TCP) for my MySQL db.



 
Ed
      06-07-2004, 05:54 PM
On Mon, 07 Jun 2004 18:19:48 +0200, Brunt wrote:

>>
>> Is the RH9 box your firewall or is it in the LAN? If in LAN you'll have
>> to use forwarding. Have you scanned your ports from the net or run
>> "netstat -na"?
>>
>> Let me know
>> Ed.

>
> It isn't my firewall. On FW I've forwarded some ports on that PC:
>
> 7 (TCP) to ping
> 80 (TCP) and 23 (TCP) to verify if I can connect to some services
> 3306 (TCP) for my MySQL db.


I think you'll need to use iptables to DNAT your connection.
You'll need your firewall to forward the packets to your internal MySQL
server.

I have my FTP server NATed:
    pkts bytes target prot opt in  out source   destination
       4   204 DNAT   tcp  --  any any anywhere anywhere    tcp dpt:ftp to:192.168.100.2

The following link might help
http://support.imagestream.com/iptables_Firewall.html

cya
Ed.
 
Cameron Kerr
      06-07-2004, 09:18 PM
Brunt <(E-Mail Removed)> wrote:
>>
>> Is the RH9 box your firewall or is it in the LAN? If in LAN you'll have
>> to use forwarding. Have you scanned your ports from the net or run
>> "netstat -na"?
>>
>> Let me know
>> Ed.

>
> It isn't my firewall. On FW I've forwarded some ports on that PC:
>
> 7 (TCP) to ping


Ping doesn't (usually, anyway) use TCP.

> 80 (TCP) and 23 (TCP) to verify if I can connect to some services
> 3306 (TCP) for my MySQL db.


How are you doing your Port-forwarding? What are the exact rules you are
using?

And remember, on your firewall, you need to do two things

1) Use DNAT to port-forward the connection.

2) let the connection through (it will appear on the FORWARD chain on
the firewall.)

Your firewall is a Linux box, right?

--
Cameron Kerr
(E-Mail Removed) : http://nzgeeks.org/cameron/
Empowered by Perl!
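
Added example (not from any post in this thread): a Python check for the two steps listed above, assuming the firewall is a Linux box whose rules can be dumped with `iptables-save`. It flags DNAT port-forwards that no FORWARD rule lets a new connection reach; the rule set, addresses and function names are constructed for illustration.

```python
import shlex

# Constructed iptables-save output (placeholder addresses, hypothetical firewall).
SAMPLE = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 192.168.100.2:3306
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.3:80
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.100.3/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

def rule_opts(line):
    """Map each option of an '-A CHAIN ...' line to its argument."""
    tok = shlex.split(line)
    opts = {k: v for k, v in zip(tok[2:], tok[3:]) if k.startswith("-") and not v.startswith("-")}
    return {"chain": tok[1], **opts}

def unforwarded_dnat(text):
    """Return (ip, port) DNAT targets that no FORWARD rule lets a new connection reach."""
    table, policy, nat, fwd = None, "ACCEPT", [], []
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":FORWARD "):
            policy = line.split()[1]
        elif line.startswith("-A "):
            o = rule_opts(line)
            if table == "nat" and o.get("-j") == "DNAT":
                nat.append(o)
            elif table == "filter" and o["chain"] == "FORWARD" and o.get("-j") == "ACCEPT":
                fwd.append(o)
    missing = []
    for o in nat:
        ip, _, port = o["--to-destination"].partition(":")
        port = port or o.get("--dport")
        # Simplification: rule order, negation and protocol are ignored.
        if policy != "ACCEPT" and not any(
                f.get("-d", ip).split("/")[0] == ip and f.get("--dport", port) == port
                and "NEW" in f.get("--state", "NEW")  # ESTABLISHED-only rules miss the SYN
                for f in fwd):
            missing.append((ip, port))
    return missing

if __name__ == "__main__":
    print(unforwarded_dnat(SAMPLE))
```

For a database forward like the one in this thread, the matching FORWARD rule would normally also carry `-s` with the client's static address, so that port 3306 is not open to every source.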
 
Cameron Kerr
      06-08-2004, 06:36 AM
Brunt <(E-Mail Removed)> wrote:

> It isn't my firewall. On FW I've forwarded some ports on that PC:
>
> 7 (TCP) to ping
> 80 (TCP) and 23 (TCP) to verify if I can connect to some services
> 3306 (TCP) for my MySQL db.


On the MySQL machine, run 'tcpdump port 3306', and ensure that you see
connection requests coming through from outside the firewall. If you
can't, then you have a problem with your Port-Forwarding.

--
Cameron Kerr
(E-Mail Removed) : http://nzgeeks.org/cameron/
Empowered by Perl!
 
Brunt
      06-08-2004, 07:05 AM

"Cameron Kerr" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Brunt <(E-Mail Removed)> wrote:
> >>
> >> Is the RH9 box your firewall or is it in the LAN? If in LAN you'll have
> >> to use forwarding. Have you scanned your ports from the net or run
> >> "netstat -na"?
> >>
> >> Let me know
> >> Ed.

> >
> > It isn't my firewall. On FW I've forwarded some ports on that PC:
> >
> > 7 (TCP) to ping

>
> Ping doesn't (usually, anyway) use TCP.
>
> > 80 (TCP) and 23 (TCP) to verify if I can connect to some services
> > 3306 (TCP) for my MySQL db.

>
> How are you doing your Port-forwarding? What are the exact rules you are
> using?
>
> And remember, on your firewall, you need to do two things
>
> 1) Use DNAT to port-forward the connection.
>
> 2) let the connection through (it will appear on the FORWARD chain on
> the firewall.)
>
> Your firewall is a Linux box, right?
>
> --
> Cameron Kerr
> (E-Mail Removed) : http://nzgeeks.org/cameron/
> Empowered by Perl!


My firewall is a commercial Smoothwall, and I have some HTTP, FTP, SSH,
VPN,.... systems (mixed AIX-Windows) running with no problems (....at this
moment).



 
Brunt
      06-08-2004, 12:49 PM

"Cameron Kerr" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Brunt <(E-Mail Removed)> wrote:
>
> > It isn't my firewall. On FW I've forwarded some ports on that PC:
> >
> > 7 (TCP) to ping
> > 80 (TCP) and 23 (TCP) to verify if I can connect to some services
> > 3306 (TCP) for my MySQL db.

>
> On the MySQL machine, run 'tcpdump port 3306', and ensure that you see
> connection requests coming through from outside the firewall. If you
> can't, then you have a problem with your Port-Forwarding.
>
> --
> Cameron Kerr
> (E-Mail Removed) : http://nzgeeks.org/cameron/
> Empowered by Perl!


I'm using MySQL machine with no problem with PC on internal network.
Changing forwarding of same ports (HTTP and Telnet) on other PCs, these
services run perfectly.


 
Cameron Kerr
      06-08-2004, 05:15 PM
Brunt <(E-Mail Removed)> wrote:

> I'm using MySQL machine with no problem with PC on internal network.


That by itself doesn't mean port-forwarding is working correctly.

> Changing forwarding of same ports (HTTP and Telnet) on other PCs, these
> services run perfectly.


So you _do_ see these connection requests coming through from the
internet to your MySQL machine using tcpdump?

If you use `ldd /path/to/mysqld-binary', do you see a line saying
`libwrap'? If so, you need to be using /etc/hosts.allow and
/etc/hosts.deny.

Does the outside client receive any error message (such as Port
Unreachable, or Connection Refused, or Connection Reset by Peer)?
Or does it just time out after about 2 minutes (meaning it failed to
connect)?

Have you set access control in the database so that the external client
is allowed access?

If you run `strace -p PID_OF_MYSQLD -e accept', do you see anything
being accepted when you try to connect to it?

Have you looked in /usr/share/doc/mysql* to see if there is anything
extra you need to be doing for RedHat, such as PAM perhaps?

Have you verified for yourself that there is, in fact, no firewall being
loaded on your database server (run `iptables -L', there should be
nothing in the INPUT, OUTPUT, or FORWARD chains, and the default policy
must be ACCEPT)? Just because you have not installed a firewall yourself,
does not mean that the installation system set one up for you.

--
Cameron Kerr
(E-Mail Removed) : http://nzgeeks.org/cameron/
Empowered by Perl!
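
Added example (not from any post in this thread): the question above about what the outside client sees can be answered with one TCP connection attempt, classified in Python. The outcome names, their readings and the localhost stand-in server are assumptions made for this illustration.

```python
import socket
import threading

# Outcome -> typical reading, following the questions in the post above.
MEANING = {
    "refused": "a host answered with RST: nothing listens on the port, or a REJECT rule",
    "timeout": "no answer: packets are dropped or never forwarded to the server",
    "unreachable": "ICMP unreachable or a local routing error",
    "closed": "accepted, then closed without data: e.g. a libwrap (hosts.deny) refusal",
    "reset": "accepted, then reset by peer",
    "silent": "connected, but the server sent nothing within the timeout",
    "data": "server sent a greeting or error packet: path works, check database access",
}

def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and return a key of MEANING."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    with sock:
        try:
            data = sock.recv(64)  # MySQL speaks first, so bytes are expected here
        except socket.timeout:
            return "silent"
        except ConnectionResetError:
            return "reset"
    return "data" if data else "closed"

def local_listener(payload):
    """Constructed stand-in server on 127.0.0.1: accept once, send payload, close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.sendall(payload)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for payload in (b"\x0aconstructed-greeting\x00", b""):
        print(MEANING[probe("127.0.0.1", local_listener(payload))])
```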
 
Brunt
      06-09-2004, 07:26 AM

"Cameron Kerr" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Brunt <(E-Mail Removed)> wrote:
>
> > I'm using MySQL machine with no problem with PC on internal network.

>
> That by itself doesn't mean port-forwarding is working correctly.
>
> > Changing forwarding of same ports (HTTP and Telnet) on other PCs, these
> > services run perfectly.

>
> So you _do_ see these connection requests coming through from the
> internet to your MySQL machine using tcpdump?
>
> If you use `ldd /path/to/mysqld-binary', do you see a line saying
> `libwrap'? If so, you need to be using /etc/hosts.allow and
> /etc/hosts.deny.
>
> Does the outside client receive any error message (such as Port
> Unreachable, or Connection Refused, or Connection Reset by Peer)?
> Or does it just time out after about 2 minutes (meaning it failed to
> connect)?
>
> Have you set access control in the database so that the external client
> is allowed access?
>
> If you run `strace -p PID_OF_MYSQLD -e accept', do you see anything
> being accepted when you try to connect to it?
>
> Have you looked in /usr/share/doc/mysql* to see if there is anything
> extra you need to be doing for RedHat, such as PAM perhaps?
>
> Have you verified for yourself that there is, in fact, no firewall being
> loaded on your database server (run `iptables -L', there should be
> nothing in the INPUT, OUTPUT, or FORWARD chains, and the default policy
> must be ACCEPT)? Just because you have not installed a firewall yourself,
> does not mean that the installation system set one up for you.
>
> --
> Cameron Kerr
> (E-Mail Removed) : http://nzgeeks.org/cameron/
> Empowered by Perl!


Problem is on my firewall!! I have another little firewall on my network
with another static IP. With SAME configuration everything runs ok. Now I
know where's the problem and to resolve it.



 