Tuesday, November 9, 2021

[SOLVED] Connecting to mysql server over telnet

November 09, 2021 debian, iptables

Issue

I am running mysql in a debian linux system that runs on a vm over Windows 7. I have modified iptables to accept connections from anywhere over port 3306 - but I can't do a telnet to it from Windows. Although I can ping the vm and make sure its accessible.

Here's the iptables details:

# sudo iptables -L
CHAIN INPUT (policy ACCEPT)
target        prot opt source        destination
ACCEPT        tcp  --  anywhere      anywhere         tcp dpt:mysql

CHAIN FORWARD (policy ACCEPT)
target        prot opt source        destination

CHAIN OUTPUT (policy ACCEPT)
target        prot opt source        destination
#

Here's what I enetered to add the rule:

-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT

I can successfully ping to the debian vm, but when I try to do a telnet from the windows host I get:

Could not open connection to the host, on port 3306: Connect failed

I also tried doing a telnet from within debian. Here's what I got:

$ telnet localhost 3306
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
6
5.1.73-1*?MH]~"* wG;2(oz9JJrConnection closed by foreign host.
$

The debian system waits for a while before closing the connection by itself. Or I could do a ^] and close it.

Solution

The Problem - tight security permissions

If you are running a default Debian wheezy installation, out of the box the file /etc/mysql/my.cnf is configured so that mysql only binds to 127.0.0.1 - this would explain why you can telnet from inside the box but not from outside.

If you run:

sudo netstat -lntp

and you see

tcp         0    0   127.0.0.1:3306      0.0.0.0.*     LISTEN     1234/mysqld

and no other mysqld entries, this is indeed the case.

One Solution

Edit the file /etc/mysql/my.cnf and change the following line:

 bind-address   = 127.0.0.1

 bind-address   = 0.0.0.0

or, instead, the following line, where 192.168.1.2 is the static IP address of your Debian VM guest:

 bind-address   = 192.168.1.2

The above will vary if you are using ipv6 or other configurations.

Note

The zero payload length TCP packets going back are (roughly speaking) the RST, ACK packets that tell your Windows machine that there is nothing listening on that port on that interface. That does prove that your Windows firewall is not the problem.

Answered By - 6EQUJ5

This Answer collected from stackoverflow and tested by PythonFixing community admins, is licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0