Thanks eantoraz,
First I setup my rules again: Code:
[root@adm-10-cms ~]# iptables -F Code:
[root@adm-10-cms ~]# tcpdump -i eth0 -p tcp and port 3197 -n -v Code:
[root@adm-10-cms ~]# tcpdump -i lo -p tcp and port 3197 -n -v Code:
[root@adm-10-cms ~]# telnet localhost 3306 Code:
0 packets captured Code:
[root@adm-10-cms ~]# tcpdump -i lo -p tcp and port 3306 -n -v Code:
[root@adm-10-cms ~]# tcpdump -i lo -p tcp and port 3307 -n -v Code:
[root@adm-10-cms ~]# iptables -t nat -D OUTPUT -p tcp -o lo --dport 3306 -j DNAT --to 128.xxx.xxx.xxx:3197 |
With the rules you set in place, do the tcpdump on -i lo and try the telnet localhost 3306 and tell us what comes out.
|
And is the counter of the -t nat OUTPUT rule you set increasing when you do the telnet?
|
Oh, I saw you tried the tcpdump listening on -i lo so skip that test for now. Tell me about the counter, because that traffic must be going somewhere, right?
|
I would think that the problem here is that there's code on the network stack doing checkups after OUTPUT that when looking at the packet (source address: 127.0.0.1, dest addres: something not in loopback) drops it for not being "consistent".... perhaps someone knows about this? And perhaps could sysconf be used to disable such checkup?
|
Quote:
Code:
[root@adm-10-cms ~]# tcpdump -i lo -v The counter is incrementing. I see: Code:
[root@adm-10-cms ~]# iptables -L -nvx -t nat Code:
Chain OUTPUT (policy ACCEPT 108 packets, 7372 bytes) |
Quote:
http://www.linuxquestions.org/questi...21#post3909121 Since this is a locally-generated packet it is never going to hit this rule Code:
iptables -A FORWARD -p tcp -d 128.xxx.xxx.xxx --dport 3197 -j ACCEPT Code:
iptables -t nat -A OUTPUT -p tcp -o lo --dport 3306 -j DNAT --to 128.xxx.xxx.xxx:3197 |
Well, FORWARD is not touched by packets that are going out from OUTPUT so don't worry cause it doesn't affect you.
I think it's because of the source address inconsistency, I think. Check out this article I just found (a little dated, by the way): http://lists.netfilter.org/pipermail...er/040104.html So, how about other tricks? Why do you need locally generated connections on local port 3306 to get connected to a remote host in the first place? In case it's a _must_, wouldn't a SSH tunnel (or a simpler approach) work for you? In case you want to try the ssh runnel trick, remove the OUTPUT rule doing the DNAT to remote:3197 and run this command on that same host: ssh -nNT -L 3306:remote-server:3197 user@localhost After the connection is established (you will know because after a few seconds the command won't return), try telnet localhost 3306 Maybe there are simpler approaches but _at least_ I bet that one will work. |
It _has_ to be the IP address inconsistency.
With all your rules in place, try to do a telnet to your local IP address on the intranet (instead of localhost). That way, it did work with your DNAT trick. |
At least, it did work for me.
|
Quote:
Quote:
Will try telnet to ipaddr tomorrow and report back. If that works, I may look into snat. Thanks.; |
The ssh tunnel as I told you to use it yesterday requires no ssh on the mysql server but on the host you are working instead (the one where you want local connections to port 3306 to be sent to a remote server port 3197).
|
Thanks again for all the help!
You are right. Telnetting to anything other than localhost works: Code:
[root@adm-10-cms ~]# telnet 169.xxx.xxx.xxx 3306 Thanks for enlightening me on the ssh tunnel. I assumed that you needed sshd running on the target server. Since you don't I'm pursuing this option since it is way simpler. Always good to know more about iptables though! |
I think your problem is really solved here (I mean, solved the iptables way) :
http://unix.stackexchange.com/questi...s-to-127-0-0-1 you need to activate local routing on your outbound interface. if eth0 : sysctl -w net.ipv4.conf.eth0.route_localnet=1 it seems to be like security feature hope it helps some people coming to this question ! |
All times are GMT -5. The time now is 02:08 AM. |