IPFW, NAT, jailed MySQL connection problem.

From: Daniel Nystrom (zorakster_at_gmail.com)
Date: 06/14/05

    Date: Tue, 14 Jun 2005 09:52:07 +0200
    To: freebsd-questions@freebsd.org
    
    

    Hi,

    I seem to have stumbled upon a tiny problem that just will not go
    away. I was hoping there would be an answer somewhere before I put my
    deep-into-the-dirt-boots on.

    The software setup of the problem:
    FreeBSD 5.4 Release
    ipfw
    natd
    named
    jail
    Mysql 4.1 Server
    Mysql 4.1 client

    Hardware
    1 external NIC (192.168.101.12)
    1 internal NIC (192.168.1.1)
    1 internal NIC (192.168.2.1)

    The host system pretty much only serves as NAT and nameserver. I have
    one jail set up with mysqld running. The problem occurs when I try to
    connect to the mysql server with the flag -h. I get the error that my
    user is not authorized to connect from IP 192.168.101.12 (external
    NIC).

    However, this is inside the jail so it should not need to be NAT'd
    traffic at all.

    This is some info from inside the jail:

    -------------------------------8<-------------------------------------------------
    # ifconfig
    rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=8<VLAN_MTU>
            inet6 fe80::210:a7ff:fe0a:9119%rl0 prefixlen 64 scopeid 0x1
            inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
            ether 00:10:a7:0a:91:19
            media: Ethernet autoselect (none)
            status: no carrier
    xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=9<RXCSUM,VLAN_MTU>
            inet6 fe80::201:2ff:feae:6d1d%xl0 prefixlen 64 scopeid 0x2
            ether 00:01:02:ae:6d:1d
            media: Ethernet autoselect (100baseTX <full-duplex> )
            status: active
    rl1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
            options=8<VLAN_MTU>
            ether 00:50:bf:34:24:b3
            media: Ethernet autoselect (10baseT/UTP)
            status: no carrier
    plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
    # nslookup 192.168.1.3
    Server: 192.168.1.1
    Address: 192.168.1.1#53

    3.1.168.192.in-addr.arpa name = db.folkvett.se.

    # nslookup db.folkvett.se
    Server: 192.168.1.1
    Address: 192.168.1.1#53

    Name: db.folkvett.se
    Address: 192.168.1.3

    # traceroute db.folkvett.se
    traceroute to db (192.168.1.3), 64 hops max, 40 byte packets
     1 db (192.168.1.3) 0.882 ms 0.744 ms 0.597 ms
    # traceroute 192.168.1.3
    traceroute to 192.168.1.3 (192.168.1.3), 64 hops max, 40 byte packets
     1 db (192.168.1.3) 0.847 ms 0.908 ms 0.604 ms
    # mysql -u root -h db.folkvett.se -p
    Enter password:
    ERROR 1130 (00000): #HY000Host '192.168.101.12' is not allowed to
    connect to this MySQL server
    # mysql -u root -h 192.168.1.3 -p
    Enter password:
    ERROR 1130 (00000): #HY000Host '192.168.101.12' is not allowed to
    connect to this MySQL server
    # mysql -u root -p
    Enter password:
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 7 to server version: 4.1.12-log

    Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

    mysql> select user, host from mysql.user where mysql.user.user='root';
    +------+----------------+
    | user | host           |
    +------+----------------+
    | root | 192.168.1.3    |
    | root | db.folkvett.se |
    | root | localhost      |
    +------+----------------+
    3 rows in set (0.01 sec)

    mysql>
    -----------------------------------8<---------------------------------------------

    As you can see from the above, I have no trouble resolving the correct
    IP or even connecting to the database; however, it seems that the
    database then all of a sudden believes that I come from the external IP
    of the HOST environment, not the jail. I shouldn't have access to
    192.168.101.12 from the jail, which means I somehow strangely get
    NAT'd, even though I try to connect to my local IP.

    The 192.168.1.3 IP is an alias on the rl0 interface. In the host it
    looks like this:

    -------------------------------8<-------------------------------------------------
    > ifconfig rl0
    rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=8<VLAN_MTU>
            inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
            inet6 fe80::210:a7ff:fe0a:9119%rl0 prefixlen 64 scopeid 0x1
            inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
            inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
            ether 00:10:a7:0a:91:19
            media: Ethernet autoselect (none)
            status: no carrier
    >
    -----------------------------------8<---------------------------------------------

    Happy for any answers you may come up with.
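One common way for jail traffic to reach natd the way the post describes is an ipfw `divert` rule that is not restricted to the external interface, so packets the jail sends to its own alias over lo0 are handed to natd too. The following audit script is an added example and is not from the original post or from FreeBSD; it assumes xl0 is the external interface and runs over a constructed `ipfw list` snippet, flagging divert rules with no `via`/`xmit`/`recv` qualifier and showing the scoped form of the rule.

```python
import re

# Constructed sample of `ipfw list` output (not from the original post).
# Rule 50 matches every packet, including the jail's own loopback traffic
# to 192.168.1.3, so natd rewrites the source address before MySQL sees it.
SAMPLE_RULESET = """\
00050 divert 8668 ip from any to any
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 allow tcp from 192.168.1.0/24 to 192.168.1.3 3306
65535 deny ip from any to any
"""

DIVERT_RE = re.compile(r"^(\d+)\s+divert\s+(\d+)\s+(.*)$")
# Interface qualifiers ipfw accepts on a rule body.
IFACE_RE = re.compile(r"\b(via|xmit|recv)\s+(\S+)")

NO_IFACE = "divert has no interface qualifier; lo0 traffic is NATed too"
WRONG_IFACE = "divert is bound to an interface other than the external one"


def audit_divert_rules(ruleset_text, ext_if):
    """Return (rule_number, reason) for every divert rule that would also
    hand internal or loopback packets to natd instead of only ext_if."""
    findings = []
    for line in ruleset_text.splitlines():
        m = DIVERT_RE.match(line.strip())
        if not m:
            continue
        number, body = int(m.group(1)), m.group(3)
        ifaces = [iface for _, iface in IFACE_RE.findall(body)]
        if not ifaces:
            findings.append((number, NO_IFACE))
        elif any(iface != ext_if for iface in ifaces):
            findings.append((number, WRONG_IFACE))
    return findings


def scoped_divert_rule(rule_line, ext_if):
    """Return the rule restricted to packets crossing ext_if; a rule that
    already carries an interface qualifier is returned unchanged."""
    m = DIVERT_RE.match(rule_line.strip())
    if not m or IFACE_RE.search(m.group(3)):
        return rule_line.strip()
    return "%s divert %s %s via %s" % (m.group(1), m.group(2), m.group(3), ext_if)


if __name__ == "__main__":
    for number, reason in audit_divert_rules(SAMPLE_RULESET, "xl0"):
        print("rule %05d: %s" % (number, reason))
    print(scoped_divert_rule("00050 divert 8668 ip from any to any", "xl0"))
```

Scoping the divert rule keeps the jail's source address intact, which matters here because MySQL's host-based grants (the `root@192.168.1.3` row above) are only as good as the address the server actually observes.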