[ILUG] MySQL V4 with SSL has problems with iptables [solved]

Bailey, Darragh dbailey at hp.com
Thu Oct 16 13:25:48 IST 2008 

For the curious, here's the exact problem and solution to what was occurring.

The MySQL server was actually running on a vhost, so that the ipaddress could be moved to any node on a cluster to support fail-over.

It appears that for v4 MySQL clients there was some additional communication done by the server towards the client with SSL connections. I'm not entirely sure what this communication was for, but it means that for SSL on MySQL 4 you need to make sure that the ip address (and MySQL server port if you want to lock it down) being used by the server is allowed to send packets through the client firewall.

Adding the rule
-A -s 192.168.0.1 -j LOG --log-level 7 --log-prefix "Iptables:"

And tweaking the syslog setup to log any messages starting with that prefix to a separate file shows what goes on. Ip address range of the nodes is 192.168.1.1-10, and everything is permitted from those address on eth0. But we didn't have a separate entry for 192.168.0.1, which is what the DB runs on. Well obviously it's actually only one of the machines, the address can move, but it's handier to configure all clients to connect to the same address all the time.

Once I added
-A -s 192.168.0.1 -i eth0 -j ACCEPT

Everything works file.


Looking at the output, I don't see anything obvious that explains why the communication between the server/client behaves in this manner only when using SSL. It appears that some of the communication for the connection is regarded as not being established/related to the connection made by the client.

Also this problem does not occur with MySQL 5 client libraries, which suggests that it's a known behaviour but not well documented.

--
Regards,
Darragh Bailey

Systems Software Engineer
Hewlett Packard Galway Ltd.
+353 91 75-4674

Postal Address:    Hewlett Packard Galway Limited, Ballybrit Business Park, Galway
Registered Office: Hewlett Packard Galway Limited, 63-74 Sir John Rogerson's Quay Dublin 2
Registered Number: 361933

_______________________________________________
The contents of this message and any attachments to it are confidential and may be legally privileged. If you have received this message in error you should delete it from your system immediately and advise the sender.
To any recipient of this message within HP, unless otherwise stated you should consider this message and attachments as "HP CONFIDENTIAL".

More information about the ILUG mailing list