无法连接到AWS上的远程MySQL服务器,但ssh隧道可以工作
我正在尝试设置mysql,以便用户“imbnpandmkexby”可以从任何远程IP地址或本地连接到数据库“de0rllo43ct314” ===============以下是我采取的步骤:=========== 1在我的MySQL配置中,我已注释掉绑定地址行,验证跳过网络不在文件中,并重新启动MySQL:无法连接到AWS上的远程MySQL服务器,但ssh隧道可以工作,mysql,ubuntu,ssh,amazon-ec2,Mysql,Ubuntu,Ssh,Amazon Ec2,我正在尝试设置mysql,以便用户“imbnpandmkexby”可以从任何远程IP地址或本地连接到数据库“de0rllo43ct314” ===============以下是我采取的步骤:=========== 1在我的MySQL配置中,我已注释掉绑定地址行,验证跳过网络不在文件中,并重新启动MySQL: #/etc/mysql/my.cnf: #bind-address = 127.0.0.1 2我通过在所需数据库“de0rllo43ct314”上使用用户“imbnpandmkexb
#/etc/mysql/my.cnf:
#bind-address = 127.0.0.1
[ remote ] > mysql -u root -p
[ mysql ] > GRANT ALL PRIVILEGES ON de0rllo43ct314.* TO 'imbnpandmkexby'@'localhost' IDENTIFIED BY 'passwordhere' WITH GRANT OPTION;
[ mysql ] > GRANT ALL PRIVILEGES ON de0rllo43ct314.* TO 'imbnpandmkexby'@'127.0.0.1' IDENTIFIED BY 'passwordhere' WITH GRANT OPTION;
[ mysql ] > GRANT ALL PRIVILEGES ON de0rllo43ct314.* TO 'imbnpandmkexby'@'%' IDENTIFIED BY 'passwordhere' WITH GRANT OPTION;
[ mysql ] > FLUSH PRIVILEGES;
[ mysql ] > select * from mysql.user\G
*************************** 6. row ***************************
Host: localhost
User: imbnpandmkexby
Password: *0000000000000000000000
...
*************************** 7. row ***************************
Host: 127.0.0.1
User: imbnpandmkexby
Password:
...
*************************** 8. row ***************************
Host: %
User: imbnpandmkexby
Password:
...
[ remote ] > sudo iptables -I INPUT 10 -p tcp --dport 3306 -j ACCEPT
[ remote ] > sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:4505
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:4506
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:zabbix-agent
ACCEPT tcp -- anywhere anywhere tcp dpt:zabbix-trapper
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Trying 00.00.00.000...
Connected to ec2-00.00.00.000.us-west-2.compute.amazonaws.com.
Escape character is '^]'.
[ local ] > mysql -u imbnpandmkexby -h 00.00.00.000 -p
[ local ] > Enter password:
[ local ] > ERROR 2003 (HY000): Can't connect to MySQL server on '00.00.00.000' (61)
[ local ] > mysql -u dreamhost_user -h mysql.dreamhostdomain.com -p
[ local ] > Enter password:
[ local ] > Welcome to the MySQL monitor. Commands end with ; or \g.
是否有我缺少的权限层?在mysql服务器上运行tcpdump,以确保tcp/3306实际到达该框,或查看其被阻止的位置
如果连接到远程tcp/3306挂起并超时,则会被防火墙屏蔽或拒绝。如果它立即返回,并且无法连接,则很可能会一直连接到服务器,但被拒绝,并返回tcp响应。好的,终于解决了!我有两个问题: 1我的SQL规则位于iptables中的拒绝规则之后:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:4505
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:4506
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:zabbix-agent
ACCEPT tcp -- anywhere anywhere tcp dpt:zabbix-trapper
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
[ remote ] > iptables -vnL --line-numbers ##Prints rules along with line numbers
[ remote ] > iptables -D INPUT 14
[ remote ] > sudo iptables -I INPUT 10 -p tcp --dport 3306 -j ACCEPT
*************************** 6. row ***************************
Host: localhost
User: imbnpandmkexby
Password: *0000000000000000000000
...
*************************** 7. row ***************************
Host: 127.0.0.1
User: imbnpandmkexby
Password: *0000000000000000000000
...
*************************** 8. row ***************************
Host: %
User: imbnpandmkexby
Password: *0000000000000000000000
...
这不是授权问题,而是ec2或您所在位置的防火墙。如果您在办公室,一些公司将出站限制在某些端口。@datasage,我更新了我的描述,以显示我可以从本地计算机连接到其他mysql数据库。您好@nandoP,我不熟悉tcpdump,所以我在谷歌上搜索了一个示例命令。这是您的建议,还是有更好的方法使用tcpdump?命令>>>tcpdump-i eth0-s 0-l-w-dst端口3306返回>>**侦听eth0,链接类型EN10MB以太网,捕获大小65535字节**这就是想法。如果服务器看到流量,数据包将开始淹没您的控制台。试着运行tcpdump-i eth0,看看我的意思,点击ctrl-c停止。此测试显示tcp/3306流量未到达aws实例。在办公室周边设备防火墙上执行相同的测试,查看流量是否通过ipsec隧道到达amazon。您的连接计算机的网络是否处于ipsec阶段2配置中?