iWeb
Posted December 13, 2012

There is something about these rules that is causing queries to be blocked, but I'm not sure what it can be. (ERROR 2006 - MySQL server has gone away) Can someone help me take a look at this and show me what's causing the problem?

#!/bin/bash
#chkconfig: 2345 95 20
#description: iptables rules to prevent communication on unused ports.

#Reset all rules (F) and chains (X), necessary if you have already defined iptables rules
iptables -t filter -F
iptables -t filter -X

#Start by blocking all traffic, this will allow secured, fine grained filtering
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

#Keep established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

#HTTP
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT

#FTP
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT

#SMTP
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT

#POP3
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

#IMAP
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

#ICMP
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

#SSH
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

#DNS
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

#NTP
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
srpurdy
Posted December 14, 2012

It's more likely the timeout settings in my.cnf. If you can connect to your board fine, there is nothing in iptables that could prevent only a registration. Unless that IP address was being blocked, but then they wouldn't be able to access the board to begin with. The "MySQL server has gone away" message is why the queries were not running. Are you running custom timeout settings in my.cnf? If you are, rem (comment out) those lines, or increase the timeouts, and then restart MySQL.
iWeb (Author)
Posted December 14, 2012

I actually thought maybe it was the IPB spam checking service or something. Is this too little?

wait_timeout = 5
interactive_timeout = 10
long_query_time = 8
connect_timeout = 100

I don't recall what the default was and I'm not too sure if I changed this value or not. What would be a normal value for this?

=====================

Hm... you're right. For some reason when the firewall is turned on, registration lags and takes up to 20-30 seconds to load, whereas when the firewall is turned off it loads instantly. Is there something wrong with my board or would it be my server?
srpurdy
Posted December 14, 2012

wait_timeout and interactive_timeout are way too low, most likely. If I remember correctly the defaults are like this:

wait_timeout=300
connect_timeout=300
interactive_timeout=1000

However, I am running a board with these timeouts without issues as well:

interactive_timeout = 100
wait_timeout = 30
connect_timeout = 30

(which is basically 1/10 of the default settings)

If you add a # in front of these 3 it will use the MySQL defaults, if you'd rather be safe. :smile:
iWeb (Author)
Posted December 14, 2012

I changed outgoing traffic from DROP to ACCEPT:

iptables -t filter -P OUTPUT ACCEPT

I don't know if this even does anything, but I added it just in case:

## open access to mysql server for lan users only ##
iptables -I INPUT -p tcp --dport 3306 -j ACCEPT

One of these (along with the change of the timeout values) fixed my problem. It no longer lags, but I'm not really sure why it would in the first place. Thanks for the new values and for helping me resolve my problem. I've been trying to get this to work for days. :)
srpurdy
Posted December 14, 2012

> I changed outgoing traffic from DROP to ACCEPT:
>
> iptables -t filter -P OUTPUT ACCEPT
>
> I don't know if this even does anything, but I added it just in case:
>
> ## open access to mysql server for lan users only ##
> iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
>
> One of these (along with the change of the timeout values) fixed my problem. It no longer lags, but I'm not really sure why it would in the first place. Thanks for the new values and for helping me resolve my problem. I've been trying to get this to work for days. :smile:

iptables -I INPUT -p tcp --dport 3306 -j ACCEPT

Don't do this. This is a huge security risk, to open port 3306 like this. You don't need to open this port, because nothing is accessing this port remotely. It's all internal and doesn't need to be open to the public, and in cases where you allow external connections, give IP address access with MySQL's remote hosts. Port 3306 should never be open, ever.
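Both the ruleset in the first post and the 3306 rule argued over in the last reply can be checked without touching a live host. What follows is an added example, not code from the thread or from Invision: a small Python model of iptables filter-chain evaluation (first matching rule wins, otherwise the chain policy applies), loaded with iWeb's posted rules. It assumes the board opens at least one outbound HTTPS (port 443) connection during registration, for instance to the spam checking service iWeb mentions; that is an inference consistent with the lag vanishing when the firewall is off, not something the thread confirms. The 192.168.1.0/24 subnet is a placeholder for "the LAN", and 203.0.113.7 is a constructed public address.

```python
# Added example (not the thread's code): a tiny model of iptables filter-chain evaluation.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    target: str = ""
    proto: str | None = None                  # -p
    dports: tuple[int, int] | None = None     # --dport, inclusive range
    states: frozenset[str] = frozenset()      # -m state --state
    iface: str | None = None                  # -i / -o
    src: ipaddress.IPv4Network | None = None  # -s


class Firewall:
    def __init__(self):
        self.policy = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}
        self.chains: dict[str, list[Rule]] = {c: [] for c in self.policy}

    def load(self, script: str) -> Firewall:
        for line in script.splitlines():          # comments and blank lines are skipped
            if line.strip() and not line.lstrip().startswith("#"):
                self._apply(line.split())
        return self

    def _apply(self, argv: list[str]) -> None:
        rule, chain, insert, opts = Rule(), "", False, iter(argv[1:])  # argv[0] is "iptables"
        for opt in opts:
            if opt in ("-F", "-X"):                # flush rules / delete user chains
                self.chains = {c: [] for c in self.chains}
                return
            arg = next(opts)                       # every other option used here takes an argument
            if opt == "-P":                        # -P <chain> <policy>
                self.policy[arg] = next(opts)
                return
            if opt in ("-A", "-I"):                # append to / insert at head of <chain>
                chain, insert = arg, opt == "-I"
            elif opt == "-p":
                rule.proto = arg
            elif opt == "--dport":                 # "80" or "20:21"
                rule.dports = (int(arg.split(":")[0]), int(arg.split(":")[-1]))
            elif opt == "--state":
                rule.states = frozenset(arg.split(","))
            elif opt in ("-i", "-o"):
                rule.iface = arg
            elif opt == "-s":
                rule.src = ipaddress.ip_network(arg)
            elif opt == "-j":
                rule.target = arg
            elif opt not in ("-t", "-m"):          # table / match-extension names carry no logic here
                raise ValueError(f"option not modelled: {opt}")
        self.chains[chain].insert(0, rule) if insert else self.chains[chain].append(rule)

    def verdict(self, chain: str, proto: str, dport: int = 0, state: str = "NEW",
                iface: str = "eth0", src: str = "0.0.0.0") -> str:
        # Target of the first rule in `chain` that matches the packet, else the chain policy.
        for r in self.chains[chain]:
            if ((r.proto is None or r.proto == proto)
                    and (r.dports is None or r.dports[0] <= dport <= r.dports[1])
                    and (not r.states or state in r.states)
                    and (r.iface is None or r.iface == iface)
                    and (r.src is None or ipaddress.ip_address(src) in r.src)):
                return r.target
        return self.policy[chain]


# iWeb's ruleset, condensed: DROP everything by default, then allow specific ports.
POSTED_RULES = "\n".join(
    ["iptables -t filter -F", "iptables -t filter -X"]
    + [f"iptables -t filter -P {c} DROP" for c in ("INPUT", "FORWARD", "OUTPUT")]
    + [f"iptables -A {c} -m state --state RELATED,ESTABLISHED -j ACCEPT" for c in ("INPUT", "OUTPUT")]
    + ["iptables -t filter -A INPUT -i lo -j ACCEPT", "iptables -t filter -A OUTPUT -o lo -j ACCEPT"]
    + [f"iptables -t filter -A {c} -p {proto} --dport {port} -j ACCEPT"
       for proto, port in (("tcp", "80"), ("tcp", "20:21"), ("tcp", "25"), ("tcp", "110"),
                           ("tcp", "143"), ("tcp", "22"), ("tcp", "53"), ("udp", "53"))
       for c in ("INPUT", "OUTPUT")]
    + [f"iptables -t filter -A {c} -p icmp -j ACCEPT" for c in ("INPUT", "OUTPUT")]
    + ["iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT"])

# Narrower fix than `-P OUTPUT ACCEPT`: keep default-drop, allow only the needed port (443 is assumed).
HARDENED_RULES = POSTED_RULES + "\niptables -A OUTPUT -p tcp --dport 443 -j ACCEPT"

# The thread's rule admits every source; the variant limits it to a placeholder LAN subnet.
MYSQL_OPEN_ANYWHERE = "iptables -I INPUT -p tcp --dport 3306 -j ACCEPT"
MYSQL_LAN_ONLY = "iptables -I INPUT -p tcp --dport 3306 -s 192.168.1.0/24 -j ACCEPT"


def scenarios() -> dict[str, str]:
    """Verdicts for the cases discussed in the thread (203.0.113.7 is a constructed public IP)."""
    posted, hardened = Firewall().load(POSTED_RULES), Firewall().load(HARDENED_RULES)
    lan_db = Firewall().load(POSTED_RULES + "\n" + MYSQL_LAN_ONLY)
    return {
        "posted: board opens an outbound HTTPS connection": posted.verdict("OUTPUT", "tcp", 443),
        "hardened: outbound 443": hardened.verdict("OUTPUT", "tcp", 443),
        "hardened: inbound 443 stays closed": hardened.verdict("INPUT", "tcp", 443),
        "3306 open to anyone, public source": Firewall().load(POSTED_RULES + "\n" + MYSQL_OPEN_ANYWHERE)
                                              .verdict("INPUT", "tcp", 3306, src="203.0.113.7"),
        "3306 LAN-only, public source": lan_db.verdict("INPUT", "tcp", 3306, src="203.0.113.7"),
        "3306 LAN-only, LAN source": lan_db.verdict("INPUT", "tcp", 3306, src="192.168.1.20"),
        "posted: local client over loopback": posted.verdict("INPUT", "tcp", 3306, iface="lo", src="127.0.0.1"),
    }
```

Under the posted rules the outbound 443 connection matches nothing and falls through to the OUTPUT DROP policy, so the SYN is silently discarded and the application sits in its own connect timeout; with wait_timeout = 5 the idle MySQL connection is closed server-side in the meantime, and the next query is the one that reports error 2006. Adding one OUTPUT rule for the port that is actually needed keeps the default-deny posture that `-P OUTPUT ACCEPT` throws away entirely. The last four scenarios back srpurdy's point: the posted 3306 rule accepts a connection from any public address, a `-s` restriction confines it to the stated LAN, and a client on the same host is already served by the existing `-i lo` rule, so no 3306 rule is needed for it at all.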