Can't connect to remote database on port 3306

[jasne]

Hello,
I have installed DirectAdmin 1.654 with enabled CSF firewall on Debian 11.
Php scripts can't connect to remote ip 1.2.3.4 port 3306 (connection refused)
On server I checked
debian@server:~$ telnet 1.2.3.4 3306 (where ip is public and port is open) and I get : telnet: Unable to connect to remote host: Connection refused

but if I try:
debian@server:~$ sudo -s
root@server:/home/debian# telnet 1.2.3.4 3306
it's ok , connected ...

Also I have added port 3306 in TCP IN OUT (IPv4) in CSF config
why this happen ?

 

[Zhenyapan]

so from this server ok, but on mysql server you must allow remote connections for selected user for needed database.

 

[jasne]

From my server is not ok if i try connect by php scripts, or debian user in ssh.
it's only ok if i connect as root in ssh

Remote mysql server (1.2.3.4) allow remote connections for any host

 

[Zhenyapan]

looks like you jailed? try disable jailshell for this account.

 

[Ohm J]

temporary disable csf firewall and recheck again.
I think you forgot to restart csf firewall.

Also trying add outgoing UDP:3306 .

p.s. root always allowed connection of csf firewall "OUT" for all port.

 

[Richard G]

Also check if outgoing port 3306 TCP on your server is opened, that ist he default Mysql port.

 

[jasne]

Guys..
What I did to check it:
1. CSF disabled
then
debian@server:~$ telnet 1.2.3.4 3306
connection refused.
php scripts also can't connect do database, (connection refused)

but if try as root:
debian@server:~# telnet 1.2.3.4 3306
connected, it's ok...

2. CSF enabled
add port 3306 to TCP_IN , TCP_OUT, UDP_IN, UDP_OUT , for both protocols IPv4 and IPv6
restart csf,
then check it, and result same like 1.

strange is also that connection refused from php scripts...
i can open this port from any other host...because it is public ip with opened port... but not from my server logged as debian , or script run

 

[Zhenyapan]

maybe your script requires some of disabled functions? jailshell disabled?

 

[jasne]

ok I solved.

csf -a 1.2.3.4

and now I can telnet to 1.2.3.4 3306 as debian user. Also php scripts can connect too...

strange thing because, even I disabled csf before, didn't work.
And also i didn't add this ip to deny list...

 

[Richard G]

strange thing because, even I disabled csf before, didn't work.

It might be some other firewall (maybe ufw) was still active or became active after csf was disabled.

 

[jasne]

It might be some other firewall (maybe ufw) was still active or became active after csf was disabled.

I don't use ufw. But probably, csf didn't clear iptables after disabled..
Anyway. I appreciate your help guys, thank you and have nice day/ night