Hey, I'd love a hint or two on the following problem. I've set up iptables rules to forward all connections to port 3306 to a non-standard mysql port on a remote server. This works, except that I need to deal with the loopback interface in a special way and I'm stuck.
Code:
iptables -t nat -A PREROUTING -p tcp --dport 3306 -j DNAT --to 128.XXX.XXX.XXX:3197
iptables -A FORWARD -p tcp -d 128.XXX.XXX.XXX --dport 3197 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
Since locally-generated packets will never hit the PREROUTING rule, you'll need to set up a near-identical rule using OUTPUT to make it work. Here is what I've tried:
Code:
iptables -t nat -A OUTPUT -p tcp -o lo --dport 3306 -j DNAT --to 128.XXX.XXX.XXX:3197
With all of these rules in place, I can connect to another server and then telnet to 3306 on this server, and this results in a response from mysql on the remote server. BUT from this server I cannot 'telnet localhost 3306' and get a mysql connection. When I try that, the telnet connection hangs open with no response.
Here is what my chains look like:
Code:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere mysql.example.com tcp dpt:embrace-dp-s
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (0 references)
target prot opt source destination
# iptables -L -t nat -v
Chain PREROUTING (policy ACCEPT 131 packets, 61868 bytes)
pkts bytes target prot opt in out source destination
1 60 DNAT tcp -- any any anywhere anywhere tcp dpt:mysql to:128.XXX.XXX.XXX:3197
Chain POSTROUTING (policy ACCEPT 23 packets, 1470 bytes)
pkts bytes target prot opt in out source destination
204 13161 MASQUERADE all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 826 packets, 53871 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- any lo anywhere anywhere tcp dpt:mysql to:128.XXX.XXX.XXX:3197
Thanks for any help!
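As an added example (not the poster's rules and not from the original thread), the script below builds a tightened version of the same redirect: the DNAT is bound to the WAN interface, the FORWARD accept is limited to the redirected flow, and the MASQUERADE covers only the redirected flow instead of every packet leaving the box. It also carries the two things a practitioner checks when the loopback case hangs: a counter reader for `iptables -t nat -L -v -n -x` output, which shows whether packets reached the OUTPUT DNAT rule at all, and the kernel caveat that a packet with a 127.0.0.1 source cannot be rerouted out of a non-loopback interface unless `net.ipv4.conf.all.route_localnet` is 1 (Linux 3.6 and later; connecting to the host's own WAN address instead of 127.0.0.1 sidesteps it). Assumptions: `192.0.2.10`, port 3197 and `eth0` are placeholders, the listing used by the counter check is constructed from the numbers in the post, and `IPTABLES`/`SYSCTL` default to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example, not the original poster's rule set. Placeholders: REMOTE_IP is a
# documentation address, WAN_IF is assumed to be eth0. IPTABLES and SYSCTL default
# to a dry run; set IPTABLES=iptables SYSCTL=sysctl (as root) to apply for real.
REMOTE_IP="${REMOTE_IP:-192.0.2.10}"
REMOTE_PORT="${REMOTE_PORT:-3197}"
LOCAL_PORT="${LOCAL_PORT:-3306}"
WAN_IF="${WAN_IF:-eth0}"
IPTABLES="${IPTABLES:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

# Redirect rules for both paths. PREROUTING handles traffic arriving from other
# hosts; locally generated packets skip PREROUTING, so the same DNAT is repeated
# in nat OUTPUT. Every rule is scoped to the one flow being redirected.
apply_rules() {
    # traffic from other hosts: DNAT on the WAN interface only
    $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$LOCAL_PORT" \
        -j DNAT --to-destination "$REMOTE_IP:$REMOTE_PORT"
    # forward only the redirected flow plus its replies, not arbitrary traffic
    $IPTABLES -A FORWARD -p tcp -d "$REMOTE_IP" --dport "$REMOTE_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # local clients: same DNAT, but in the OUTPUT chain of the nat table
    $IPTABLES -t nat -A OUTPUT -o lo -p tcp --dport "$LOCAL_PORT" \
        -j DNAT --to-destination "$REMOTE_IP:$REMOTE_PORT"
    # masquerade only the redirected flow, not everything leaving the host
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -p tcp -d "$REMOTE_IP" \
        --dport "$REMOTE_PORT" -j MASQUERADE
}

# Needed only if clients connect to 127.0.0.1: the kernel otherwise refuses to
# route a packet whose source is 127.0.0.1 out of a real interface after DNAT.
enable_route_localnet() {
    $SYSCTL -w net.ipv4.conf.all.route_localnet=1
}

# Reads "iptables -t nat -L -v -n -x" output on stdin and prints the packet
# counter of the first DNAT rule in the named chain. A 0 there after a test
# connection means the packets never matched that rule (wrong chain, wrong
# interface match, or the name resolved to ::1 and went over IPv6).
dnat_hits() {
    awk -v chain="$1" '
        /^Chain / { cur = $2; next }
        cur == chain && $3 == "DNAT" { print $1; exit }
    '
}

# Constructed listing using the counters from the post (remote IP replaced).
SAMPLE_NAT_LISTING='Chain PREROUTING (policy ACCEPT 131 packets, 61868 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       1         60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306 to:192.0.2.10:3197
Chain POSTROUTING (policy ACCEPT 23 packets, 1470 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     204      13161 MASQUERADE all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 826 packets, 53871 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DNAT       tcp  --  *      lo      0.0.0.0/0            0.0.0.0/0            tcp dpt:3306 to:192.0.2.10:3197'

# Usage: ./redirect.sh apply            (dry run unless IPTABLES/SYSCTL are set)
#        iptables -t nat -L -v -n -x | ./redirect.sh check OUTPUT
case "${1:-}" in
    apply) enable_route_localnet; apply_rules ;;
    check) dnat_hits "${2:-OUTPUT}" ;;
esac
```

Run `apply` once as a dry run to read the generated commands, then with `IPTABLES=iptables` to install them. After a test `telnet localhost 3306`, pipe the live nat listing through `check OUTPUT`: a counter that stays at 0 means the packets never hit the OUTPUT DNAT rule, while a non-zero counter with a hanging connection points at the reroute step, which is what `route_localnet` addresses.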