LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Software (https://www.linuxquestions.org/questions/linux-software-2/)
-   -   trouble connecting to mysql from different domain/environment (https://www.linuxquestions.org/questions/linux-software-2/trouble-connecting-to-mysql-from-different-domain-environment-4175584540/)

linuxnewbie0101 07-13-2016 11:10 AM
trouble connecting to mysql from different domain/environment
 
`Ladies/Gents,

I recently installed

mysql Ver 14.14 Distrib 5.5.49, for debian-linux-gnu (x86_64) using readline 6.3

on a ubuntu trusty server in my dev environment. everything works within that environment. i am able to telnet from remote servers through port 3306 just find. i am even able to connect using CF datasource to that mysql server.

the issue is, i cannot, for some reason connect to the mysql server from my production environment server, i cannot telnet port 3306 although the port is open, iptables have rules to open 3306 for all class C block to the prod environment.

mysql user also have permission to local and to host % and to IP.

why can't i connect from my prod to dev? i've tried the bindings for localhost, 0.0.0.0 and 127.0.0.1 and none of it helps. skip-networking is also commented out.

i am in a position where i am in the wall and not knowing what else to try.

Please help.

Thank you

btw, ufw is disabled.

Habitual 07-13-2016 11:40 AM
Code:
mysql -uroot -p -e "select user, host from mysql.user;" -Ns
yield any clues?

If the user in "dev" has perms, you can modify those permissions for the "prod" environment.
Are you saying you allow the wildcard host ('%') and you still can't connect from prod?
wrt: bind-address, use 0.0.0.0 for all interfaces, even if just for testing. "prod" could be coming in over non-routable IPs...
Code:
ufw deny mysql
ufw allow from 1.2.3.4 to any port 3306
locks that down.

1.2.3.4 is your prod machine.
Do your testing from prod here...

Here's how I grant explicit assess to a mysql db:
Code:
grant all on <db>.* to '<user>'@'1.2.3.4';  identified by '<password>'; flush privileges;
If you don't know the password the above will 'set it" to <password> and single ticks are required for
'<user>', '1.2.3.4', and '<password>'

I suppose if I didn't know the password and didn't want to change it (as above) I'd try:
Code:
grant all on <db>.* to '<user>'@'1.2.3.4'; flush privileges;
I don't know if the grant statement with a partial IP or a CIDR would be acceptable to mysql. Never tried it, but if I wanted to,
it'd be something like:
Code:
grant all on <db>.* to '<user>'@'1.2.%'; flush privileges;
or possibly
Code:
grant all on <db>.* to '<user>'@'1.2.0.0/n ; flush privileges;
I'd then try to remote mysql into that host using
Code:
mysql -u<user> -p -h<IP>
from the "prod" environment.
1.2.3.4 may need tuning.

I in no way advocate the use of the wildcard host without certain precautions.

Something to research I guess.
Others may have more.

linuxnewbie0101 07-13-2016 11:56 AM
so yes, the user does have multiple permissions set already

Code:
mysql> select User,Host from mysql.user where user='redalert';
+----------+--------------+
| User    | Host        |
+----------+--------------+
| redalert | 10.203.%    |
| redalert | 10.245.97.16 |
| redalert | 10.245.97.17 |
| redalert | 10.245.97.20 |
| redalert | 10.245.97.21 |
| redalert | 10.68.12.%  |
| redalert | 10.68.13.%  |
| redalert | 10.7%        |
| redalert | 10.93.%      |
| redalert | 10.93.96.%  |
| redalert | 10.93.96.108 |
| redalert | 10.93.96.130 |
| redalert | 10.93.96.136 |
| redalert | 10.93.96.168 |
| redalert | 10.93.96.169 |
| redalert | 10.93.96.184 |
| redalert | 172.18.10.%  |
| redalert | 172.18.40.%
the one that iam testing is redalert | 10.245.97.20 but it does not allow me to telnet from that server to my mysql server.

Habitual 07-13-2016 12:28 PM
Only thing left to do is on the mysql server,
fire up tcdump and save to file using:
Code:
tcpdump -s 1550 -c 50 -nn -i eth0 src 10.245.97.20  and tcp port 3306 -w redalert.sniff
and see what comes in over the 'wire' from 10.245.97.20
It will collect 50 samples and quit.

Yo can use tcpdump to replay the file back.

see also http://linux.byexamples.com/archives...ge-of-tcpdump/

linuxnewbie0101 07-13-2016 01:42 PM
Quote:
Originally Posted by Habitual (Post 5575404)
Only thing left to do is on the mysql server,
fire up tcdump and save to file using:
Code:
tcpdump -s 1550 -c 50 -nn -i eth0 src 10.245.97.20  and tcp port 3306 -w redalert.sniff
and see what comes in over the 'wire' from 10.245.97.20
It will collect 50 samples and quit.

Yo can use tcpdump to replay the file back.

see also http://linux.byexamples.com/archives...ge-of-tcpdump/
0 packets received
0 packets dropped

Habitual 07-13-2016 02:31 PM
Better talk to the firewall guys, again.

linuxnewbie0101 07-14-2016 01:31 PM
Quote:
Originally Posted by Habitual (Post 5575472)
Better talk to the firewall guys, again.
Yes, It was my fault not requesting the firewall to be bi-directional (in/out)

TY all who were involved in this problem.

Habitual 07-14-2016 02:17 PM
Glad it worked out!


All times are GMT -5. The time now is 03:04 PM.