Firewall problem (MySQL and MyODBC)


Energon
03-19-2001, 04:28 PM
I'm trying to open my webserver up so that users can connect through MyODBC and do their database work (no choice here)... I have this line:

# MySQL server (3306)
$IPCHAINS -A input -i $EXT -p tcp \
--source-port $UNPRIVPORTS \
-d $IP 3306 -j ACCEPT -l

$IPCHAINS -A output -i $EXT -p tcp ! -y \
-s $IP 3306 \
--destination-port $UNPRIVPORTS -j ACCEPT


where $UNPRIVPORTS is 1024:65535... this should be enough to allow the connection since the server runs on port 3306, right? I know it's the firewall because I can connect just fine if it's down... so does anyone know what I've missed?

ndelo
03-19-2001, 06:04 PM
That seems like it should be enough. You might want to try/check these things:

The order of your rules. Are there any rules previous to these that will block that port?

Specify the range of ip address for the client machines. Try adding any/0 or the range of your client subnet, instead of simply specifying the port range. I'm not sure if this is necessary, but it may help.

Are you blocking passive-mode ftp? Blocking this usually closes unprivileged ports on the machine. If so, see where that rule falls in the chain set.

Also, try putting a -l after rules you suspect may be blocking that port, then reading /var/log/messages to see which rule is screwing things up.
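One way to act on the -l suggestion above, as an added example that is not from the thread: a small shell function that pulls the chain, the target that fired, the rule number and the source out of the "Packet log:" lines ipchains writes to /var/log/messages, for one destination port. The log lines are constructed here to the format documented in the ipchains HOWTO; the host name, addresses, timestamps and rule numbers are made up.

```shell
#!/bin/sh
# Constructed sample of the lines that rules carrying -l write to
# /var/log/messages (format per the ipchains HOWTO; host, addresses,
# timestamps and rule numbers are made up).
SAMPLE_LOG='Mar 20 18:01:02 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:1029 192.0.2.10:3306 L=60 S=0x00 I=41321 F=0x4000 T=63 SYN (#4)
Mar 20 18:01:05 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 203.0.113.7:2048 192.0.2.10:80 L=60 S=0x00 I=41388 F=0x4000 T=54 SYN (#9)
Mar 20 18:01:09 fw kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.9:2049 192.0.2.10:2049 L=48 S=0x00 I=41400 F=0x0000 T=63 (#7)'

# logged_hits_for_port PORT: for every logged packet whose destination port
# is PORT, print the chain, the target that fired, the rule number ipchains
# appends as "(#N)", and the source and destination sockets.
# Reads SAMPLE_LOG here; on a live box you would pipe /var/log/messages in.
logged_hits_for_port() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v port="$1" '
        /Packet log:/ {
            # locate the "log:" token; the fields after it are fixed:
            # chain, target, interface, PROTO=, src:port, dst:port, ...
            for (i = 1; i <= NF; i++) if ($i == "log:") break
            chain = $(i + 1); target = $(i + 2)
            src = $(i + 5); dst = $(i + 6)
            split(dst, d, ":")
            if (d[2] != port) next
            rule = $NF                  # "(#4)"
            gsub(/[(#)]/, "", rule)     # -> "4"
            printf "%s %s rule=%s src=%s dst=%s\n", chain, target, rule, src, dst
        }'
}

logged_hits_for_port 3306   # input DENY rule=4 src=10.0.0.5:1029 dst=192.0.2.10:3306
```

The rule number is the position in the chain, so `ipchains -L input -n --line-numbers` (or counting rules in the script) points straight at the rule to fix instead of commenting rules out one at a time.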

Energon
03-19-2001, 08:04 PM
I don't see anything... :(
The only stuff being blocked deals with NFS, Open Windows, XWindows, and SOCKS, but none of that overlaps the 3306... everything beyond that up to the MySQL stuff is accepted... thanks though, I didn't even think to check for that overlapping of ports...

ndelo
03-20-2001, 01:39 AM
Firewalls can be tricky to debug. Though it takes a while, when mine isn't working correctly, I either go through it and comment out, then uncomment each rule set, one at a time, until I find the culprit, or do the same thing with the -l option. It takes a while and sucks to do, but it will tell you exactly which rule is blocking that port.

Energon
03-20-2001, 07:16 PM
well now I feel really stupid... I had this line:

# deny everything from the private class A range (10.0.0.0/8)
$IPCHAINS -A input -s $CLASS_A -j DENY

which denies all 10.0.0.0/8 packets... but the thing is, that's the class our private network uses... it didn't occur to me that all web connections go through our proxy (a real IP), so they got let through... I changed that line to ALLOW and everything works perfectly... :\
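Why the earlier deny won: ipchains walks a chain top down and the first matching rule decides the packet's fate. The shell script below is an added example, not code from the thread, that simulates first-match evaluation over a chain constructed to mirror the one described above (a $CLASS_A deny sitting ahead of the 3306 accept). It shows a 10.x client stopping at the deny rule while a client arriving from a public address reaches the MySQL accept, and the same chain with the first rule changed to ACCEPT. The addresses, the exact rule order and the use of ipchains' any/0 notation are assumptions.

```shell
#!/bin/sh
# First-match chain simulator (added example; constructed to illustrate
# the thread, not real ipchains code).

# Convert a dotted-quad address to an integer, e.g. 10.0.0.5 -> 167772165.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP NET/PREFIX: succeed if IP lies inside NET/PREFIX.
# "any/0" (ipchains notation for all addresses) matches everything.
in_cidr() {
    net=${2%/*}; prefix=${2#*/}
    [ "$prefix" -eq 0 ] && return 0
    [ "$net" = any ] && net=0.0.0.0
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Chains are one rule per line: "SOURCE DEST_PORT TARGET", evaluated top down.
# BROKEN_CHAIN mirrors the order described in the thread: the private
# class A deny sits ahead of the MySQL accept (addresses and order constructed).
BROKEN_CHAIN='10.0.0.0/8 any DENY
any/0 3306 ACCEPT
any/0 any DENY'

# Same chain with the first rule flipped to ACCEPT, as in the fix.
FIXED_CHAIN='10.0.0.0/8 any ACCEPT
any/0 3306 ACCEPT
any/0 any DENY'

# first_match CHAIN SRC_IP DEST_PORT: print "<rule number> <target>" for the
# first rule that matches, which is the rule ipchains would apply.
first_match() {
    chain=$1; src=$2; dport=$3
    n=0
    printf '%s\n' "$chain" | while read -r rsrc rport target; do
        n=$((n + 1))
        in_cidr "$src" "$rsrc" || continue
        [ "$rport" = any ] || [ "$rport" = "$dport" ] || continue
        echo "$n $target"
        break
    done
}

# A 10.x client never reaches the 3306 accept rule in the broken chain,
# while a client coming in from a public address does; the fixed chain
# accepts both.
first_match "$BROKEN_CHAIN" 10.0.0.5 3306      # 1 DENY
first_match "$BROKEN_CHAIN" 203.0.113.7 3306   # 2 ACCEPT
first_match "$FIXED_CHAIN" 10.0.0.5 3306       # 1 ACCEPT
```

The same first-match property is why logging with -l identifies the culprit so quickly: whichever rule's number shows up in the log is the one that handled the packet, and everything after it in the chain was never consulted.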