Hey, I'd love a hint or two on the following problem. I've set up iptables rules to forward all connections to port 3306 to a non-standard mysql port on a remote server. This works, except that I need to deal with the loopback interface in a special way and I'm stuck.

Code:
iptables -t nat -A PREROUTING -p tcp --dport 3306 -j DNAT --to 128.XXX.XXX.XXX:3197
iptables -A FORWARD -p tcp -d 128.XXX.XXX.XXX --dport 3197 -j ACCEPT
iptables -t nat -A POSTROUTING  -j MASQUERADE
Since locally-generated packets will never hit the PREROUTING rule, you'll need to set up a near identical rule using OUTPUT to make it work. Here is what I've tried:

Code:
iptables -t nat -A OUTPUT -p tcp -o lo --dport 3306 -j DNAT --to 128.XXX.XXX.XXX:3197

With all of these rules in place, I can connect to another server and then telnet to 3306 on this server, and this results in a response from mysql on the remote server. BUT from this server I cannot 'telnet localhost 3306' and get a mysql connection. When I try that, the telnet connection hangs open with no response.

Here are what my chains look like:

Code:
# iptables -L 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             mysql.example.com tcp dpt:embrace-dp-s 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination      

# iptables -L -t nat -v
Chain PREROUTING (policy ACCEPT 131 packets, 61868 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 DNAT       tcp  --  any    any     anywhere             anywhere            tcp dpt:mysql to:128.XXX.XXX.XXX:3197 

Chain POSTROUTING (policy ACCEPT 23 packets, 1470 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  204 13161 MASQUERADE  all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 826 packets, 53871 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  any    lo      anywhere             anywhere            tcp dpt:mysql to:128.XXX.XXX.XXX:3197

Thanks for any help!
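Added example, not code from the original post: a small parser for the `iptables -L -t nat -v` listing above that flags NAT rules whose packet counter is still zero, which is the first thing to check when a DNAT rule for loopback traffic seems not to take effect. The sample listing is constructed from the output shown above, and 128.XXX.XXX.XXX is the post's own placeholder address.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, shaped like the `iptables -L -t nat -v` listing in the post.
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 131 packets, 61868 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 DNAT       tcp  --  any    any     anywhere             anywhere            tcp dpt:mysql to:128.XXX.XXX.XXX:3197

Chain POSTROUTING (policy ACCEPT 23 packets, 1470 bytes)
 pkts bytes target     prot opt in     out     source               destination
  204 13161 MASQUERADE  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 826 packets, 53871 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    lo      anywhere             anywhere            tcp dpt:mysql to:128.XXX.XXX.XXX:3197
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")
NAT_TARGETS = ("DNAT", "SNAT", "MASQUERADE", "REDIRECT")


def parse_nat_listing(text: str) -> Dict[str, List[dict]]:
    """Return {chain: [rule, ...]}; each rule keeps counters, target, protocol,
    in/out interface, addresses and the trailing match text (ports, to:)."""
    chains: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        # Skip blank lines, the column header, and anything before the first chain.
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue
        fields = line.split(None, 9)  # 10th field: everything after 'destination'
        if len(fields) < 9:
            continue
        pkts, byts, target, prot, opt, ifin, ifout, src, dst = fields[:9]
        extra = fields[9].strip() if len(fields) > 9 else ""
        chains[current].append({"pkts": int(pkts), "bytes": int(byts), "target": target,
                                "prot": prot, "in": ifin, "out": ifout,
                                "src": src, "dst": dst, "extra": extra})
    return chains


def unmatched_nat_rules(text: str) -> List[Tuple[str, str, str]]:
    """NAT rules no packet has ever hit: (chain, target, extra match text)."""
    return [(chain, r["target"], r["extra"])
            for chain, rules in parse_nat_listing(text).items()
            for r in rules if r["target"] in NAT_TARGETS and r["pkts"] == 0]
```

Run it against the live listing with `unmatched_nat_rules(subprocess.check_output(["iptables", "-L", "-t", "nat", "-v"], text=True))`; a zero counter on the OUTPUT DNAT rule means the rule never matched the loopback connection, so the match criteria (here `-o lo` and `--dport 3306`) are what to look at, not the remote side.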