> On Tuesday 15 June 2004 7:41 pm, Jonathan Villa wrote:
>
>> I have more information now.
>>
>> Here is the background:
>> A machine running MySQL is to be locked down for access only to a select
>> group of people working from home and people at the office, hence the
>> xx.xx.xx.0
>
> Is the MySQL machine on the same subnet as the office people trying to access
> it, or is there a firewall in between, with the MySQL on a DMZ network?

Sad to say, but there is no firewall. Machines are open to the world, hence the xxx.xxx.xxx.xxx everywhere.

> If it's the latter, are you sure your office machines aren't being masqueraded
> in some way by the firewall when they try to access the MySQL server, so that
> it sees an address on the firewall instead of the real address of the clients?
>
>> I've noticed that the script works fine for anyone who is not on the
>> network, but for those who are, well, the rules block access to them all
>> the time.
>
> I suggest you add a LOGging rule at the bottom of the INPUT chain and see what
> source address the packets which are not being ACCEPTed are coming from.

Good point. Since I am fairly new to iptables, I usually carry my book with me; unfortunately, I don't have it today. But I will implement lots of logging to help once I figure out how to :)

> Regards,
>
> Antony.
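As an added example (not posted by either participant), here is what Antony's suggestion looks like in practice: an INPUT chain that ACCEPTs tcp/3306 only from the office subnet, LOGs whatever falls through, and a small parser for the resulting kernel log lines. The subnet 192.0.2.0/24, the log prefix and the sample log lines are assumptions; the thread only shows xx.xx.xx.0.

```sh
OFFICE_NET="192.0.2.0/24"              # assumed; thread only shows xx.xx.xx.0
OFFICE_PREFIX="${OFFICE_NET%.0/24}."   # "192.0.2." (works for a /24 only)
LOG_PREFIX="mysql-denied: "

# Print the rules instead of applying them, so they can be reviewed first
# (and run here without root). Pipe the output into sh to apply them.
mysql_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --dport 3306 -s $OFFICE_NET -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -m limit --limit 5/min -j LOG --log-prefix "$LOG_PREFIX"
iptables -A INPUT -p tcp --dport 3306 -j DROP
EOF
}

# Read kernel log lines on stdin (e.g. from /var/log/messages or dmesg),
# keep those carrying our prefix, print each SRC= address once.
denied_sources() {
    grep -F "$LOG_PREFIX" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort -u
}

# Filter a list of addresses down to those inside the office subnet.
# Anything printed here reached the LOG rule despite the ACCEPT rule,
# which is exactly the symptom described in the thread: the ACCEPT rule
# is not matching the office clients (wrong mask, wrong order, or the
# packets arrive with a different source address than expected).
office_hits() {
    while IFS= read -r ip; do
        case "$ip" in "$OFFICE_PREFIX"*) printf '%s\n' "$ip" ;; esac
    done
}

# Constructed sample of LOG output; field layout follows the kernel's format.
SAMPLE_LOG='Jun 15 19:41:02 db kernel: mysql-denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40112 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 15 19:41:05 db kernel: mysql-denied: IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=40113 DPT=3306 SYN URGP=0
Jun 15 19:41:09 db kernel: eth0: link is up'

# Usage:
#   mysql_rules
#   printf '%s\n' "$SAMPLE_LOG" | denied_sources
#   printf '%s\n' "$SAMPLE_LOG" | denied_sources | office_hits
```

The LOG rule is rate-limited with `-m limit` so a scan of the open machine cannot flood the log; drop that match while debugging if you need every packet recorded.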