#StackBounty: #networking #firewall #mysql Cannot connect mysql on virtual interface 10.0.0.x

Bounty: 100

I am having trouble connecting to MySQL running on 10.0.0.5 from 10.0.0.4. This is a virtual network created in the Hetzner interface. I think MySQL is configured correctly according to the documentation.


Backend 10.0.0.4

root@backend:~# mysql -u root --host=10.0.0.5 --protocol=tcp --port=3306
ERROR 2002 (HY000): Can't connect to MySQL server on '10.0.0.5' (115)
root@backend:~# mysql -u literakl --host=10.0.0.5 --protocol=tcp --port=3306 -p
Enter password:
ERROR 2002 (HY000): Can't connect to MySQL server on '10.0.0.5' (115)

root@backend:~# telnet 10.0.0.5 3306
Trying 10.0.0.5...
telnet: Unable to connect to remote host: No route to host

root@backend:~# ssh root@10.0.0.5
The authenticity of host '10.0.0.5 (10.0.0.5)' can't be established.
ECDSA key fingerprint is SHA256:iDrbbDdMK1XKRrb0O3lZ899K/oQmTFtu4ju75h+te0Y.
10.0.0.5

root@backend:~# ping 10.0.0.5
PING 10.0.0.5 (10.0.0.5) 56(84) bytes of data.
64 bytes from 10.0.0.5: icmp_seq=1 ttl=63 time=1.75 ms

root@backend:~# nmap 10.0.0.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2021-06-30 20:35 CEST
Nmap scan report for 10.0.0.5
Host is up (0.0011s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
Nmap done: 256 IP addresses (5 hosts up) scanned in 150.32 seconds

Secondary 10.0.0.5

root@secondary:~# less /etc/mysql/mariadb.conf.d/50-server.cnf
bind-address            = 0.0.0.0
#skip-networking=1
#skip-bind-address

root@secondary:~# ufw status
Status: active
33060                      ALLOW       10.0.0.4
33061                      ALLOW       10.0.0.4
3306                       ALLOW       10.0.0.4
3306/tcp                   ALLOW       Anywhere
3306/tcp (v6)              ALLOW       Anywhere (v6)

root@secondary:~# netstat -ln | grep mysql
unix  2      [ ACC ]     STREAM     LISTENING     9927594  /run/mysqld/mysqld.sock

root@secondary:~# lsof -i -P -n | grep LISTEN
mysqld    6749 mysql   21u  IPv4 9927593      0t0  TCP *:3306 (LISTEN)

root@secondary:~# telnet 10.0.0.5 3306
Trying 10.0.0.5...
Connected to 10.0.0.5.
5.5.5-10.3.29-MariaDB-0+deb10u1$(u:]H1mysql_native_password

root@secondary:~# ip address
3: ens10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 86:00:00:b8:0d:95 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.5/32 brd 10.0.0.5 scope global dynamic ens10
       valid_lft 54105sec preferred_lft 54105sec
    inet6 fe80::8400:ff:feb8:d95/64 scope link
       valid_lft forever preferred_lft forever

root@secondary:~# mysql -u literakl --host=10.0.0.5 --protocol=tcp --port=3306 -p
Your MariaDB connection id is 37
Server version: 10.3.29-MariaDB-0+deb10u1 Debian 10

MariaDB [(none)]> SELECT User, Host FROM mysql.user;
| User             | Host      |
| literakl         | %         |
| literakl         | localhost |

I wonder what could be wrong. Port 3306 is open on the secondary service. I have even tried turning off the firewall on both servers, but still no luck. Weird.

Update 1:

root@secondary:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.31.1.1      0.0.0.0         UG    0      0        0 eth0
10.0.0.0        10.0.0.1        255.255.0.0     UG    0      0        0 ens10
10.0.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 ens10
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker_gwbridge
172.31.1.1      0.0.0.0         255.255.255.255 UH    0      0        0 eth0

root@secondary:~# ip route list
default via 172.31.1.1 dev eth0
10.0.0.0/16 via 10.0.0.1 dev ens10
10.0.0.1 dev ens10 scope link
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev docker_gwbridge proto kernel scope link src 172.18.0.1
172.31.1.1 dev eth0 scope link

root@secondary:~# arp -a
? (10.0.0.1) at d2:74:7f:6e:37:e3 [ether] on ens10
? (172.18.0.3) at 02:42:ac:12:00:03 [ether] on docker_gwbridge
? (172.31.1.1) at d2:74:7f:6e:37:e3 [ether] on eth0
11214.your-cloud.host (195.201.66.70) at 2e:bb:61:a6:0f:84 [ether] on eth0

