
For the last few days we have been running into a strange problem between our application server and our database server (MySQL): connections from the application server to the database server hang in the SYN_SENT state, and after that we cannot establish any connection to the database server on the MySQL port (3306). When we check the netstat output on the database server, the connection is in the SYN_RECV state.

What I can make out is that the MySQL server is receiving the SYN request and responding to it, but the response does not reach the client, hence SYN_RECV on the server side and SYN_SENT on the client side. I believe the SYN_SENT state should disappear after some time, and because of this, other database connection attempts to the same server should not hang.

Does anyone know how we can resolve this?

Setup details:

Application server: RHEL 5.4, kernel version = 2.6.18-164.el5, x86_64

Database server: MySQL version 5.1.49, RHEL 5.4, kernel version = 2.6.18-164.el5, x86_64


1 Answer


Fix for a server with only localhost access: set 127.0.0.1 as the bind address in my.cnf.

Fix for connections from remote IPs (replace REMOTE_IP with the remote IP):

# Allow TCP and UDP from REMOTE_IP to port 3306 on the local address
iptables -A INPUT -p tcp -d 127.0.0.1 --dport 3306 -s REMOTE_IP -j ACCEPT
iptables -A INPUT -p udp -d 127.0.0.1 --dport 3306 -s REMOTE_IP -j ACCEPT
# Then drop everything else destined for port 3306
iptables -A INPUT -p tcp --dport 3306 -j DROP
iptables -A INPUT -p udp --dport 3306 -j DROP

You also need to set the bind address in my.cnf to 0.0.0.0. You don't need the second rule (the UDP part); I just added it to be sure ;)

Proof of concept: first allow the connection from the remote IP to the destination (-d 127.0.0.1 = localhost); -p tcp / udp = protocol TCP or UDP.

After these rules you need to add a rule that drops all TCP / UDP requests to port 3306.

Why this works: because iptables goes in "numeric" order, always one rule after another.

You can see your rules with the command:

iptables -L INPUT -n --line-numbers

The first rule displayed is the first rule evaluated, so if you say "accept all connections" and afterwards "drop all connections from IP x.x.x.x", it doesn't work. You need to put the rule that drops all connections from this IP first and allow all connections afterwards. (It's a bad example..)

If you made a wrong entry, you can display your rules, take the number in front of the rule, and delete the rule with the command:

iptables -D INPUT <number here>

answered 2012-04-21T01:40:44.613
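To spot the half-open state the question describes (SYN_SENT piling up on the client, SYN_RECV on the server) without eyeballing netstat, here is an added example that is not part of the question or the answer: it parses `netstat -ant` style output and counts half-open connections on the MySQL port per peer. The sample output and the 10.0.0.x addresses are constructed placeholders.

```python
"""Count half-open TCP connections on the MySQL port from `netstat -ant` output."""
import re
from collections import Counter

MYSQL_PORT = 3306
HALF_OPEN_STATES = {"SYN_SENT", "SYN_RECV"}

# Constructed sample: rows mimicking `netstat -ant` on the application server
# (10.0.0.10) and on the database server (10.0.0.20). Not real captures.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      1 10.0.0.10:45121             10.0.0.20:3306              SYN_SENT
tcp        0      1 10.0.0.10:45122             10.0.0.20:3306              SYN_SENT
tcp        0      0 10.0.0.10:45100             10.0.0.20:3306              ESTABLISHED
tcp        0      0 10.0.0.20:3306              10.0.0.10:45121             SYN_RECV
tcp        0      0 10.0.0.20:3306              10.0.0.10:45122             SYN_RECV
"""

# proto  recv-q  send-q  local:port  foreign:port  state  (LISTEN rows with ":*" are skipped)
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) tuples for TCP rows."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, non-TCP rows, listening sockets
        _, lip, lport, rip, rport, state = m.groups()
        rows.append((lip, int(lport), rip, int(rport), state))
    return rows


def half_open_mysql(rows, port=MYSQL_PORT):
    """Count half-open connections involving `port`, keyed by (peer_ip, state)."""
    counts = Counter()
    for _lip, lport, rip, rport, state in rows:
        # Local port == 3306 means we are the server (peer is the client);
        # remote port == 3306 means we are the client (peer is the server).
        if state in HALF_OPEN_STATES and port in (lport, rport):
            counts[(rip, state)] += 1
    return counts


def stalled_peers(counts, threshold=2):
    """Peers with at least `threshold` half-open connections, sorted for stable output."""
    return sorted((ip, st, n) for (ip, st), n in counts.items() if n >= threshold)
```

Run it against a live `netstat -ant` capture on both hosts; a peer that keeps showing up with a growing SYN_SENT or SYN_RECV count is the one whose handshake replies are being lost or filtered.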