LinuxQuestions.org
Old 02-12-2009, 06:46 PM   #1
mycoolwater
iptables to forward mysql traffic to another server


My current script is:
# flush the filter, nat and mangle tables
iptables -F
iptables -t nat -F
iptables -t mangle -F
# send anything arriving on eth0 for port 3306 on to the MySQL server
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3306 -j DNAT --to-destination x.x.x.x:3306
# rewrite the source address of everything leaving eth0 to this host's own address
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

It is slim, clean, and working nicely. But the problem is that this is using NAT, and the actual MySQL server can't determine where the traffic is actually coming from; it only sees the traffic as coming from the NAT host. Is there any workaround with iptables that allows a server to pass MySQL traffic on to another MySQL server with the client's IP address being passed on as well?
Old 02-13-2009, 03:38 PM   #2
maas187
Try this.

### " ALL MYSQL TRAFFIC, 'Local' PORT (3306) TO 'Remote' PORT (3306) ...."

iptables -t nat -A PREROUTING -p tcp -i eth0 -d X.X.X.X --dport 3306 -j DNAT --to x.x.x.x:3306

iptables -A FORWARD -p tcp -i eth0 -d x.x.x.x --dport 3306 -j ACCEPT


Hope it works for you.

Regards,
MaaS
Old 02-13-2009, 03:39 PM   #3
maas187
Sorry, forgot this.


iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


take care.
Old 02-15-2009, 04:07 PM   #4
mycoolwater
Thanks maas187, I tried exactly what you suggested, but no luck.

So maybe my original post is not clear enough... here is the scenario:

x.x.x.x (client X) --> y.y.y.y (app server Y) --> z.z.z.z (mysql server Z)

I tried to pass the IP of the client, X (which can be any external IP in the world), on to machine Z via iptables inside Y.

After maas187's suggestion, my iptables commands:
Code:
iptables -F
iptables -t nat -F
iptables -t mangle -F
# DNAT traffic arriving on eth0 for Y's address, port 3306, to Z
iptables -t nat -A PREROUTING -p tcp -i eth0 -d y.y.y.y --dport 3306 -j DNAT --to z.z.z.z:3306
# FORWARD is evaluated after DNAT, so the destination to match is z.z.z.z, not y.y.y.y
iptables -A FORWARD -p tcp -i eth0 -d z.z.z.z --dport 3306 -j ACCEPT
# rewrites the source of everything leaving eth0 (including the DNATed MySQL traffic) to Y's address
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
This is the result of
Code:
tcpdump -l -n -i eth0 port 3306
on Z:

Code:
08:29:54.364275 IP y.y.y.y.41510 > z.z.z.z.mysql: S 224958559:224958559(0) win 5840 <mss 1460,sackOK,timestamp 1071510064 0,nop,wscale 0>
08:29:54.364297 IP z.z.z.z.mysql > y.y.y.y.41510: S 1243310729:1243310729(0) ack 224958560 win 5792 <mss 1460,sackOK,timestamp 1345070385 1071510064,nop,wscale 7>
08:29:54.365444 IP y.y.y.y.41510 > z.z.z.z.mysql: . ack 1 win 5840 <nop,nop,timestamp 1071510064 1345070385>
08:29:54.365572 IP z.z.z.z.mysql > y.y.y.y.41510: P 1:79(78) ack 1 win 46 <nop,nop,timestamp 1345070386 1071510064>
08:29:54.366540 IP y.y.y.y.41510 > z.z.z.z.mysql: . ack 79 win 5840 <nop,nop,timestamp 1071510064 1345070386>
08:29:55.833628 IP y.y.y.y.41510 > z.z.z.z.mysql: P 1:3(2) ack 79 win 5840 <nop,nop,timestamp 1071510211 1345070386>
08:29:55.833655 IP z.z.z.z.mysql > y.y.y.y.41510: . ack 3 win 46 <nop,nop,timestamp 1345071854 1071510211>
08:29:57.998865 IP y.y.y.y.41510 > z.z.z.z.mysql: P 3:9(6) ack 79 win 5840 <nop,nop,timestamp 1071510428 1345071854>
08:29:57.998904 IP z.z.z.z.mysql > y.y.y.y.41510: . ack 9 win 46 <nop,nop,timestamp 1345074020 1071510428>
08:29:57.998942 IP z.z.z.z.mysql > y.y.y.y.41510: P 79:99(20) ack 9 win 46 <nop,nop,timestamp 1345074020 1071510428>
08:29:57.998975 IP z.z.z.z.mysql > y.y.y.y.41510: F 99:99(0) ack 9 win 46 <nop,nop,timestamp 1345074020 1071510428>
08:29:57.998990 IP z.z.z.z.mysql > y.y.y.y.41510: R 100:100(0) ack 9 win 46 <nop,nop,timestamp 1345074020 1071510428>
08:29:58.000014 IP y.y.y.y.41510 > z.z.z.z.mysql: . ack 99 win 5840 <nop,nop,timestamp 1071510428 1345074020>
08:29:58.000023 IP z.z.z.z.mysql > y.y.y.y.41510: R 1243310828:1243310828(0) win 0
As above, the IP address of X is masked as Y (because of the NAT/PREROUTING rule???) and Z only knows Y's IP address. So the question: is it possible to modify the iptables rules in Y so that the MySQL server on Z can see the traffic as coming from X?
Old 02-16-2009, 09:32 PM   #5
maas187
OK, I get it now. This is the iptables configuration I used for one of my friends to forward HTTP, MySQL and other services to an internal server. Example, as you said:
X = any IP
Y = iptables gateway and firewall, which has 2 NICs: eth0 = external and eth1 = internal
Z = internal server, which hosts HTTP and MySQL.

Feel free to modify and play around with this script, and tell me how it goes.
#################################################################

############### GATEWAY SETTINGS ...


### Flush and Delete Old Settings ...

service iptables restart
iptables -X
iptables -F

# NB: with no ACCEPT rules in INPUT/OUTPUT, these two policies also block the
# gateway's own traffic (SSH to it, DNS from it); the FORWARD policy is left as is
iptables -P INPUT DROP
iptables -P OUTPUT DROP

### " ALL HTTP TRAFFIC FROM Y, PORT (80) TO Z PORT (80) ...."
iptables -t nat -A PREROUTING -p tcp -i eth0 -d Y.Y.Y.Y --dport 80 -j DNAT --to Z.Z.Z.Z:80
# FORWARD is evaluated after DNAT, so the destination to match is Z, not Y
iptables -A FORWARD -p tcp -i eth0 -d Z.Z.Z.Z --dport 80 -j ACCEPT

### " ALL MYSQL TRAFFIC FROM Y, PORT (3306) TO Z PORT (3306) ...."
iptables -t nat -A PREROUTING -p tcp -i eth0 -d Y.Y.Y.Y --dport 3306 -j DNAT --to Z.Z.Z.Z:3306
iptables -A FORWARD -p tcp -i eth0 -d Z.Z.Z.Z --dport 3306 -j ACCEPT

### "FORWARD PACKETS BETWEEN ETH0 AND ETH1 ...."
echo 1 > /proc/sys/net/ipv4/ip_forward

### "MASQUERADE ON ETH0 FOR NAT ...."
# only traffic leaving on the external NIC is masqueraded; the forwarded
# HTTP/MySQL traffic leaves on eth1, so its source address is left as is
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# DONE . let me know

# Take care
### Regards,
### MaaS
Old 02-20-2009, 01:22 AM   #6
fotoguy
Try dropping the masquerading rule; this will always change the IP address to the gateway's, which you obviously don't want.
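An added example (editor's, not code from this thread or from either poster): a shell script that generates the iptables rules for gateway Y so that MySQL traffic is DNATed to Z with the client's source address left intact, plus a check function that flags the blanket MASQUERADE rule from the first post. It assumes the two-NIC layout from maas187's post (eth0 external, eth1 internal) and uses documentation addresses as placeholders: 192.0.2.10 for Y, 10.0.0.5 for Z, 10.0.0.0/24 for the internal LAN and 198.51.100.0/24 as the only client range allowed to reach the database. Dropping the MASQUERADE only works if Z's route back to the clients goes through Y (Y is Z's default gateway, or Z has a route for the client network via Y); otherwise Z answers X directly, X discards a SYN/ACK from an address it never connected to, and SNAT is the only way to make the connection work.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds (does not apply) an iptables
# ruleset for gateway Y that DNATs TCP/3306 to DB server Z while keeping the
# client's real source address, and checks a ruleset for the mistake discussed
# in the thread (a blanket MASQUERADE on the path to the DB).
#
# Assumed topology (two NICs on Y, as in maas187's post):
#   X (client) --> eth0 [ Y gateway ] eth1 --> Z (MySQL)
# Assumption that makes this work: Z's route back to X goes through Y.

# build_ruleset GW_IP DB_IP EXT_IF INT_IF LAN_NET ALLOWED_SRC
# Prints the iptables commands for Y. Pipe the output into "sh" as root to apply.
build_ruleset() {
    gw="$1" db="$2" ext="$3" int="$4" lan="$5" allowed="$6"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -X
iptables -t nat -F
iptables -t mangle -F
iptables -P FORWARD DROP
# Only the allowed client range may reach the DB; the source address is untouched.
iptables -t nat -A PREROUTING -i $ext -s $allowed -d $gw -p tcp --dport 3306 -j DNAT --to-destination $db:3306
# FORWARD runs after DNAT, so match the real destination $db, not $gw.
iptables -A FORWARD -i $ext -o $int -s $allowed -d $db -p tcp --dport 3306 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Masquerade only LAN hosts going out to the Internet. The forwarded DB traffic
# leaves on $int, so this rule never rewrites its source address.
iptables -t nat -A POSTROUTING -s $lan -o $ext -j MASQUERADE
EOF
}

# original_ruleset: the single-NIC ruleset from the first post (placeholder DB
# address filled in as an assumption), for comparison.
original_ruleset() {
    cat <<'EOF'
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3306 -j DNAT --to-destination 10.0.0.5:3306
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
EOF
}

# check_ruleset RULES INT_IF
# Returns 0 if RULES has exactly one DNAT rule for port 3306 and no MASQUERADE
# or SNAT rule that could rewrite packets leaving on INT_IF toward the DB.
check_ruleset() {
    rules="$1" int="$2"
    n=$(printf '%s\n' "$rules" | grep -c -- '--dport 3306 -j DNAT') || true
    [ "$n" -eq 1 ] || return 1
    # A source-rewriting rule on the DB-facing interface: the client IP is lost.
    if printf '%s\n' "$rules" | grep -E -- '-j (MASQUERADE|SNAT)' | grep -q -- "-o $int"; then
        return 1
    fi
    # Masquerade rules must be scoped by -s; an unscoped one hits all forwarded traffic.
    if printf '%s\n' "$rules" | grep -- '-j MASQUERADE' | grep -qv -- ' -s '; then
        return 1
    fi
    return 0
}

# Example run with documentation addresses (RFC 5737); every value is an assumption.
GOOD=$(build_ruleset 192.0.2.10 10.0.0.5 eth0 eth1 10.0.0.0/24 198.51.100.0/24)
if check_ruleset "$GOOD" eth1; then echo "two-NIC ruleset: client source IP preserved"; fi
if ! check_ruleset "$(original_ruleset)" eth0; then echo "original ruleset: source IP rewritten to Y"; fi
```

To confirm on Z, `tcpdump -n -i eth0 port 3306` should now show the client's address rather than Y's as the source, and the Host column of SHOW PROCESSLIST shows the real client. Two consequences of preserving the address: MySQL's host-based grants on Z must now match the real client addresses instead of Y's, and since X "can be any external IP in the world", the `-s` restriction in the DNAT and FORWARD rules (or MySQL accounts whose host part is not '%') is what keeps port 3306 on Y from being an open database listener on the Internet.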