Nerdrium Home



Web Design

Case Mods





My Blog




Modifying RedHat iptables to Allow CocoaMySQL Connections

by Michael Greifenkamp (April 5th, 2004)

Recently I created a database-driven website for work. It uses PHP and MySQL. While I built my own web-driven interface, I found this neat OS X application called CocoaMySQL, which is a GUI client program that interfaces with MySQL. It is pretty cool.

Except that when I went to use it to connect to my production server, it wouldn't work. The firewall wouldn't let me connect to port 3306. "Connection failed! Be sure that the address is correct and that you have the necessary privileges." Ouch!

The production server is running RedHat Enterprise Linux ES 3.0, and I set the security level to "high" when I did the installation. The only services that I allow are http and ssh and everything else is blocked.

But I really want to use CocoaMySQL. And Google wasn't much help.

An iptables hack is in order, methinks. Fortunately I have a friend who knows how to do that very thing. Ready? Fire up your terminal window and prepare for root access....

First, back up your iptables file so that if you mistype something (or I mistype something here and you copy it correctly...) you'll have a backup.

cd /etc/sysconfig
cp iptables iptables.bak

My text editor of choice is vi, but you can use whatever you'd like.

vi iptables

Now, again, I must warn you that messing with this file is not recommended and while what I have done has worked for me, I cannot promise anything for anyone else's situations.

If your iptables file looks anything like mine, you should have a bunch of lines that end in ACCEPT and then a REJECT line. Here's what I added after the last ACCEPT line and before the REJECT line (the text below may be broken onto several lines on your screen, but it should all be on one line in your iptables file). Use your own IP address in place of, of course...

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s --dport 3306 -j ACCEPT

That's it! What it does is allow for a single IP address to connect to port 3306, and that is the necessary connection for using CocoaMySQL (well, for MySQL in general).

Now you'll need to restart iptables. While still logged as root type:

service iptables restart

You should get an [OK] for the iptables stopping, and then two or three more [OK]'s as the iptables start up again.

IF the iptables fail to start back up, you should immediately delete or rename the iptables file that you just modified, then mv iptables.bak iptables and then try restarting the service again. If the IP tables fail to start back up, you will be running without a firewall, which isn't a good thing!

Once again, messing with the iptables file is done so at your own risk.

If everything was successful, you should now be able to connect to your MySQL databases using CocoaMySQL. And this is a nice secure way to allow yourself access without opening up the MySQL port to the entire world. Good luck! (And thanks, Tod!)