Connecting remotely to MySQL on a Google Compute Engine VM
My problem is similar to this question, but since I don't have enough reputation to write a comment AND the answer to that question didn't help, I am starting a new question.
I have a GCE VM instance with LEMP with MySQL Ver 15.1 Distrib 10.1.18-MariaDB and I'm trying to connect remotely to it from my local machine.
I already tried all the suggestions in the question link that I mentioned before.
This is my firewall configuration:
In my.cnf file I have:
bind-address = 0.0.0.0
And about MySQL users privileges I have the following:
When I try to connect remotely with wkreport user I get the following result:
My question is, what am I missing ?!
Solution
I just found the solution to my problem.
Special thanks to @Slava for pointing the way; after all, it was iptables.
So, I kept receiving a "MySQL connection refused" message when trying to connect remotely, so I searched for a way to see TCP connection logs and found the tcpdump command.
By running sudo tcpdump port 3306 -vvv -n
I saw the following output every time I tried to connect remotely:
I searched the tcpdump man page and saw that R stands for the TCP RST (RESET) flag.
I searched a little bit more and found this question; its accepted answer led me back to iptables, which @Slava had suggested since the first comment.
That's when I looked closely and saw that my INPUT ACCEPT tcp:3306 rule was defined after the REJECT tcp reject-with tcp-reset rule, hence what the log was showing.
After this I just removed the rule that accepts tcp:3306 and inserted it before the reject tcp rules, and voila!
iptables -D INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -I INPUT {line number from the first reject tcp rule} -p tcp -m tcp --dport 3306 -j ACCEPT
IPTABLES now looks like this and finally I can connect to MySQL remotely:
To list the iptables rules with line numbers, type:
sudo iptables -nL --line-numbers
Final thoughts:
- For security reasons, this can be improved by whitelisting the source IP address from which you're making the remote connection.
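To make the rule-ordering mistake from the answer easy to spot, here is an added example (not code from the original post) that parses the output of `sudo iptables -nL --line-numbers`, reports whether the ACCEPT for a port is shadowed by an earlier catch-all REJECT/DROP in the same chain, and builds the delete/insert command pair from the answer with the first reject rule's line number filled in. The listing it parses is a constructed sample in the shape the question describes, and the optional source whitelist argument is a hypothetical value you would replace with your own address.

```python
"""Detect an iptables ACCEPT shadowed by an earlier catch-all REJECT/DROP and
build the delete/insert commands that move it before that reject rule."""
import re

# Constructed sample listing: the ACCEPT for tcp dpt:3306 (rule 4) is placed
# after the REJECT ... reject-with tcp-reset rule (rule 3), so it never fires.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3    REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
"""

# Columns of `iptables -nL --line-numbers`: num target prot opt source destination [details]
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_chain(listing, chain="INPUT"):
    """Return the numbered rules of one chain as a list of dicts."""
    rules, in_chain = [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        m = RULE_RE.match(line) if in_chain else None
        if m:
            num, target, proto, extra = m.groups()
            rules.append({"num": int(num), "target": target, "proto": proto, "extra": extra})
    return rules


def shadowing_reject(rules, port, proto="tcp"):
    """Line number of the first catch-all REJECT/DROP for `proto` that sits
    before the ACCEPT for `port`; None if the ACCEPT is reachable or absent."""
    accept_at = next((i for i, r in enumerate(rules) if r["target"] == "ACCEPT"
                      and r["proto"] == proto and f"dpt:{port}" in r["extra"]), None)
    if accept_at is None:
        return None
    for r in rules[:accept_at]:
        # A REJECT/DROP with no port match swallows every packet of that protocol.
        if r["target"] in ("REJECT", "DROP") and r["proto"] in (proto, "all") \
                and "dpt:" not in r["extra"]:
            return r["num"]
    return None


def fix_commands(reject_num, port, source=None):
    """The delete + insert pair from the answer; `source` (hypothetical, e.g. your
    own public IP/32) adds the -s whitelist suggested in the final thoughts."""
    src = f" -s {source}" if source else ""
    return [f"iptables -D INPUT -p tcp -m tcp --dport {port} -j ACCEPT",
            f"iptables -I INPUT {reject_num} -p tcp -m tcp{src} --dport {port} -j ACCEPT"]
```

Run it against your real listing (for example `parse_chain(open("rules.txt").read())`) and the insert command will carry the line number the answer leaves as a placeholder.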