
I have a database server (specifically Tokyo Tyrant) running on one machine and a web server running on a separate machine.

I need to set up iptables on both machines so that the web server can make queries on the database server. Currently, I get "connection refused" when I try this from the web server:

tcrmgr list ${ip_of_db_server}:${port}

Preferably, the db server should only accept traffic from the ip address of the web server.

I am new to iptables so this may be obvious, but I am struggling.

Any help much appreciated - thanks!

(Edit: NB, here is a list of my iptables rules:

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
DROP       all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             10.179.51.126       tcp dpt:1948

)

Pete W

1 Answer


Run something like this on the database server to allow inbound connections:

/sbin/iptables -I INPUT 1 -p tcp -d ${ip_of_db_server} --dport ${port} -j ACCEPT

To see current rules in effect, run:

/sbin/iptables -L -v

See https://help.ubuntu.com/community/IptablesHowTo for a basic intro.

Eero
  • Thanks - I had tried this already, but it still isn't working. It's good to know that I was on the right track though... I'm beginning to wonder if maybe this isn't an iptables issue after all (maybe it is the configuration of the database server?) – Feb 16 '11 at 06:32
  • Have you tried plain old telnet ${host} ${port} to see if the server listens on that port? (Try first from within the server itself; if that works, from a 3rd independent machine; then finally from the web server.) – Eero Feb 16 '11 at 06:43
  • OK - telnet from the db server to itself using the required port seems to connect fine. But when I try the same thing from the machine hosting the web server it doesn't connect, failing with: "telnet: Unable to connect to remote host: Connection timed out". Just had a thought - do I need to restart iptables, or do the rules take effect immediately? – Feb 16 '11 at 07:00
  • If you run /sbin/iptables directly, then the effect is immediate (if you edit a script, you should of course rerun the script). Rule order matters. ACCEPT should be before DROP. Are you sure you do not have another (non-software) firewall between the servers? Please add iptables -L -v output to the question if possible. – Eero Feb 16 '11 at 07:10
  • See also http://serverfault.com/questions/196702/how-long-does-it-take-for-an-iptables-rule-to-apply – Eero Feb 16 '11 at 07:12
  • Ah - I think this probably explains it. I had a DROP ALL rule above my new rule, which I guess overrides it. Now my only problem is that when I try to delete the 'drop all' rule, it gives me an error: "iptables -D 5 iptables: Bad rule (does a matching rule exist in that chain?)." – Pete W Feb 16 '11 at 17:45
  • I realize my mistake now: I had originally used iptables -A instead of iptables -I. I should have read your answer more carefully. Thanks for your help! – Pete W Feb 16 '11 at 17:57
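The thread's conclusion is that rule order decides the outcome: a rule appended with -A lands below "DROP all" and is never reached, while -I INPUT 1 puts it first. The following added example (not from the question or the answer) is a small first-match simulator of the INPUT chain as listed in the question, so the shadowing can be seen without touching a live firewall. It assumes the first "ACCEPT all" line is a loopback rule (-i lo; plain iptables -L hides the interface column, which is why the answerer asked for -L -v), and the web server and third-party addresses (192.0.2.10, 198.51.100.7) are constructed placeholders. It also adds the source restriction the asker wanted (-s web_ip), which the answer's rule on its own does not include.

```python
# Added example: first-match simulation of an iptables INPUT chain.
# Not code from the thread; 10.179.51.126 and port 1948 come from the question's
# listing, the other addresses are constructed placeholders.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    target: str                       # ACCEPT or DROP
    proto: str = "all"                # "all" or "tcp"
    iface: Optional[str] = None       # -i <iface>; None = any interface
    src: Optional[str] = None         # -s <ip>;   None = anywhere
    dst: Optional[str] = None         # -d <ip>;   None = anywhere
    dport: Optional[int] = None       # --dport;   None = any port
    states: frozenset = frozenset()   # -m state --state ...; empty = any state

    def matches(self, pkt: dict) -> bool:
        return ((self.proto == "all" or pkt["proto"] == self.proto)
                and (self.iface is None or pkt["iface"] == self.iface)
                and (self.src is None or pkt["src"] == self.src)
                and (self.dst is None or pkt["dst"] == self.dst)
                and (self.dport is None or pkt["dport"] == self.dport)
                and (not self.states or pkt["state"] in self.states))

def verdict(chain, pkt: dict, policy: str = "ACCEPT") -> str:
    """Netfilter walks the chain top to bottom: the first match decides, else the policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

DB_IP = "10.179.51.126"      # from the question's listing
WEB_IP = "192.0.2.10"        # constructed placeholder: the web server
OTHER_IP = "198.51.100.7"    # constructed placeholder: an unrelated host
PORT = 1948

# The chain exactly as listed in the question.  The first "ACCEPT all" is
# assumed to be a loopback rule (-i lo); iptables -L without -v hides that.
PAGE_CHAIN = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", proto="tcp", dport=22),
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("DROP"),
    Rule("ACCEPT", proto="tcp", dst=DB_IP, dport=PORT),   # appended with -A: shadowed by DROP
]

def new_connection(src: str, dport: int = PORT) -> dict:
    """A fresh TCP SYN (conntrack state NEW) arriving on eth0 for the db server."""
    return {"proto": "tcp", "iface": "eth0", "src": src, "dst": DB_IP,
            "dport": dport, "state": "NEW"}

def insert_at_top(chain, rule: Rule):
    """Equivalent of `iptables -I INPUT 1 ...`: the rule goes before everything else."""
    return [rule] + list(chain)

def restricted_rule() -> Rule:
    """Only the web server may open the db port: -s WEB_IP -d DB_IP --dport PORT."""
    return Rule("ACCEPT", proto="tcp", src=WEB_IP, dst=DB_IP, dport=PORT)

def iptables_commands() -> list:
    """The shell commands on the db server that the fixed chain corresponds to."""
    return [
        f"iptables -I INPUT 1 -p tcp -s {WEB_IP} -d {DB_IP} --dport {PORT} -j ACCEPT",
        "iptables -L INPUT -v -n --line-numbers",   # confirm it sits above the DROP
    ]

if __name__ == "__main__":
    print("appended after DROP, web  :", verdict(PAGE_CHAIN, new_connection(WEB_IP)))
    fixed = insert_at_top(PAGE_CHAIN[:5], restricted_rule())   # drop the shadowed rule
    print("inserted at top,    web  :", verdict(fixed, new_connection(WEB_IP)))
    print("inserted at top,    other:", verdict(fixed, new_connection(OTHER_IP)))
    print("\n".join(iptables_commands()))
```

Running it shows the appended rule yielding DROP for the web server's SYN, the inserted source-restricted rule yielding ACCEPT for the web server and DROP for any other host, and the `--line-numbers` listing is what to check on the real box before concluding the rule is in effect.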