LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 04-21-2006, 05:13 PM   #1
mtndew
LQ Newbie
 
Registered: Jan 2006
Distribution: Fedora Core 5
Posts: 13

Rep: Reputation: 0
iptables to redirect ports?


Hi all,

I'm working with a poorly-written closed source program right now that interfaces with a webstore. The configuration has the following values only:

MySQL Server, MySQL Username, MySQL Password, MySQL Database, FTP Username, FTP Password, FTP Path

Notice there is NO FTP server. Using Ethereal I have determined that it uses the same IP address as the MySQL server. Unfortunately, MySQL is on a different server (apparently this company doesn't think doing so is possible!)

So my question to the Linux network experts is: how can I use iptables to redirect port 21 to one server, and port 3306 to another server? The FTP and MySQL servers are not on the LAN, btw, they are on the WAN.

What I am hoping to do is insert a LAN IP into this program for the MySQL server, which would be that of my Linux box, and have it redirect to the WAN IPs based on the ports. I am fairly sure this can be done, but if not just say so.

Thanks for the help you guys provide here!
 
Old 04-21-2006, 07:10 PM   #2
Poetics
Senior Member
 
Registered: Jun 2003
Location: California
Distribution: Slackware
Posts: 1,181

Rep: Reputation: 49
I'm sure you've looked up iptables port forwarding, and though this resource is for internal forwarding and not redirects, it may be able to give you some ideas: http://www.hackorama.com/network/portfwd.shtml
 
Old 04-21-2006, 07:37 PM   #3
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Rep: Reputation: 30
Code:
# Addresses and interfaces used in the example
OTHER="216.239.59.104"   # the real server out on the WAN
YOU="10.0.0.1"           # this box's LAN IP, the one the program is pointed at
WAN="ppp0"               # interface towards the WAN (no leading $ when assigning)

# Rewrite the destination of LAN traffic aimed at this box's port 3306
iptables -t nat -A PREROUTING -p tcp -i eth0 -d $YOU --dport 3306 -j DNAT --to $OTHER:3306
# After DNAT the packet is addressed to $OTHER, so the FORWARD rule has to match that
/sbin/iptables -A FORWARD -p tcp -i eth0 -o $WAN -d $OTHER --dport 3306 -j ACCEPT
Repeat as needed.
 
Old 04-21-2006, 07:42 PM   #4
zaichik
Member
 
Registered: May 2004
Location: Iowa USA
Distribution: CentOS
Posts: 419

Rep: Reputation: 30
Hi mtndew,

I don't think this is going to work for you. It looks to me as though the program is designed to run on the FTP server, which is why there is no possibility of specifying it; it's assumed to be localhost.

I might be wrong, but the way I envision your setup is: Box1 is running the program that interfaces with the webstore; Box2 has the FTP server on it, and Box3 is running MySQL. You want the FTP traffic that Box1 receives to be forwarded to Box2 via iptables, while the MySQL traffic can be handled by the program (since the MySQL host server can be configured).

The problem I see is this: If the program needs to be told the FTP username, password, and path, it seems to me that information will not be provided by the remote users. Thus, you could (possibly) forward the port 21 traffic to a different host, perhaps using:
Code:
# -p takes the protocol name, so "tcp" rather than "-tcp"
iptables -A PREROUTING -t nat -p tcp -d $PUBLICIP --dport 21 -j DNAT --to $OTHERHOSTIP:21
(disclaimer -- untested)

However, *if* that works, the packets so forwarded will not have the information needed to establish and maintain an FTP session: if they did, then why does the program require that configuration information? Since iptables works at a (much) lower level, the program will not ever see the traffic forwarded off by iptables. So why ask for FTP information at all?

If you cannot specify the FTP host, then the FTP host must either be hard-coded, or be assumed to be the localhost, or is configured elsewhere. If it is the localhost (from my understanding above, Box2), then...why use FTP at all?

Or maybe I'm missing something...it *has* been a rather long day.
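As an added example (not from any of the posts above), here is a script that does the port-based split the original question asks for: traffic from the LAN that hits the Linux box on port 21 is DNATed to one WAN host and port 3306 to another, with the matching FORWARD, return-path and masquerade rules that a working setup needs. Interface names, the 10.0.0.1 LAN address and the 192.0.2.x WAN addresses are assumptions (TEST-NET-1 placeholders); the FTP conntrack helper line is there because FTP opens a second data connection that plain DNAT of port 21 does not cover.

```shell
#!/bin/sh
# Split one LAN IP into two WAN servers by destination port (added example, not the thread's code).
LAN_IF="eth0"           # interface the box running the closed-source program is on (assumed)
WAN_IF="ppp0"           # interface towards the Internet (assumed)
YOU="10.0.0.1"          # LAN IP of this Linux box, the one entered into the program (assumed)
FTP_HOST="192.0.2.21"   # real FTP server on the WAN (placeholder address)
SQL_HOST="192.0.2.33"   # real MySQL server on the WAN (placeholder address)
IPT="${IPT:-iptables}"  # run with IPT=echo to review the rules without applying them

# Emit the two rules needed for one port -> one host mapping, one per line:
# the DNAT in nat/PREROUTING, and the FORWARD accept that matches the rewritten destination.
rules_for() {
    port="$1"; target="$2"
    printf '%s\n' \
      "-t nat -A PREROUTING -i $LAN_IF -p tcp -d $YOU --dport $port -j DNAT --to-destination $target:$port" \
      "-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp -d $target --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Apply everything. Needs root; only runs when invoked as "./script.sh apply".
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    rules_for 21   "$FTP_HOST" | while read -r rule; do $IPT $rule; done
    rules_for 3306 "$SQL_HOST" | while read -r rule; do $IPT $rule; done
    # Replies must come back through this box: let established flows return,
    # and masquerade so the WAN hosts see this box's WAN address as the source.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # FTP data connections are separate TCP sessions; the helper marks them RELATED
    # so the FORWARD rules above let them through (module name differs by kernel era).
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp 2>/dev/null || true
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it once as `IPT=echo ./script.sh apply` to see the exact rules before letting it touch the live tables.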
 
Old 04-21-2006, 10:03 PM   #5
mtndew
LQ Newbie
 
Registered: Jan 2006
Distribution: Fedora Core 5
Posts: 13

Original Poster
Rep: Reputation: 0
Alright, thanks all, I figured it out from the above information. The FTP server uses the same server as the MySQL one. I've confirmed this by running Ethereal and changing the MySQL server and watching the IP stay the same as the SQL server for each.
 