[SOLVED] Iptables: how to redirect locally-generated packets to a remote server?

briwood · 03-22-2010, 10:13 PM

I'm trying to workaround a limitation in a server application. The limitation is that I can only connect to a LOCAL mysql database. I am trying to fool the server in to using a remote mysql database. I was hoping to do this by simply forwarding 3306 to another server on the same subnet.

To that end I've set up iptables rules to forward all connections to port 3306 to a non-standard mysql port on a remote server. This works, except that I need to deal with the loopback interface in a special way and I'm stuck.

Code:

iptables -t nat -A PREROUTING -p tcp --dport 3306 -j DNAT --to 128.XXX.XXX.XXX:3197
iptables -A FORWARD -p tcp -d 128.XXX.XXX.XXX --dport 3197 -j ACCEPT
iptables -t nat -A POSTROUTING  -j MASQUERADE

Since locally-generated packets will never hit the PREROUTING rule, you'll need to setup a near identical rule using OUTPUT to make it work. Here is what I've tried:

Code:

iptables -t nat -A OUTPUT -p tcp -o lo --dport 3306 -j DNAT --to 128.XXX.XXX.XXX:3197

With all of these rules in place, I can connect to another server and n telnet to 3306 on this server and this results in a response from mysql on the remote server. BUT from this server I cannot 'telnet localhost 3306' and get a mysql connection. When I try that, the telnet connection hangs open with no response.

Here are what my chains look like:

Code:

# iptables -L 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             mysql.example.com tcp dpt:embrace-dp-s 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination      

iptables -L -t nat -v
Chain PREROUTING (policy ACCEPT 131 packets, 61868 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 DNAT       tcp  --  any    any     anywhere             anywhere            tcp dpt:mysql to:128.XXX.XXX.XXX:3197 

Chain POSTROUTING (policy ACCEPT 23 packets, 1470 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  204 13161 MASQUERADE  all  --  any    any     anywhere             anywhere            
Chain OUTPUT (policy ACCEPT 826 packets, 53871 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  any    lo      anywhere             anywhere            tcp dpt:mysql to:128.XXX.XXX.XXX:3197

Thanks for any help!

zhjim · 03-23-2010, 03:55 AM

Quote:

Originally Posted by briwood

Since locally-generated packets will never hit the PREROUTING rule, you'll need to setup a near identical rule using OUTPUT to make it work. Here is what I've tried:

Code:

iptables -t nat -A OUTPUT -p tcp -o lo --dport 3306 -j DNAT --to 128.XXX.XXX.XXX:3197

I doubt that local packages traverse the -t nat table. Try the command without the -t option.

Or to just be sure where things are growing dim use something like this.

Code:

iptables -I OUTPUT -j LOG --log-prefix "Out: " --log-tcp-options

do this for all the chains.

win32sux · 03-23-2010, 04:04 AM

Quote:

Originally Posted by zhjim

I doubt that local packages traverse the -t nat table.

They do. See chapter 6 of Oskar Andreasson's famous tutorial.

Do an "iptables -nvL -t nat" on your box to see the packet counters with your own eyes.

briwood · 03-23-2010, 10:17 AM

Yes in fact in table 3-2 at http://www.faqs.org/docs/iptables/tr...goftables.html it says:

source of packet = local process
table=nat
chain=output:

Quote:

This chain can be used to NAT outgoing packets from the firewall itself.

Quote:

Originally Posted by win32sux

Do an "iptables -nvL -t nat" on your box to see the packet counters with your own eyes.

Here it is again:

Code:

# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 53 packets, 24986 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3306 to:128.xxx.xxx.xxx:3197 

Chain POSTROUTING (policy ACCEPT 4 packets, 258 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  194 12506 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 197 packets, 12704 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      lo      0.0.0.0/0            0.0.0.0/0           tcp dpt:3306 to:128.xxx.xxx.xxx:3197

That -t nat OUTPUT rule is:

Code:

iptables -t nat -A OUTPUT -p tcp -o lo --dport 3306 -j DNAT --to 128.xxx.xxx.xxx:3197

Without that -t nat OUTPUT rule:

Code:

# telnet localhost 3306
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host: Connection refused

With that -t nat OUTPUT rule:

Code:

[root@adm-10-cms ~]# telnet localhost 3306
Trying 127.0.0.1...

(hangs...^C)

hmm...

briwood · 03-23-2010, 10:47 AM

Looking at http://tinyurl.com/yhqr5no I believe that the problem is that once I do the DNAT in -t nat, the packet will not traverse the FORWARD chain. So I think what needs to be done is to resend the packet back to this host so that it originates from eth0 and gets processed by those rules. I tried:

Code:

iptables -t nat -A OUTPUT -p tcp -o lo --dport 3306 -j DNAT --to 169.xxx.xxx.xxx:3306

(169.xxx is the ip of this machine.)

...but that's not quite it.

nimnull22 · 03-23-2010, 10:56 AM

Quote:

Originally Posted by briwood

...

Code:

iptables -t nat -A OUTPUT -p tcp -o lo --dport 3306 -j DNAT --to 128.XXX.XXX.XXX:3197

With all of these rules in place, I can connect to another server and n telnet to 3306 on this server and this results in a response from mysql on the remote server. BUT from this server I cannot 'telnet localhost 3306' and get a mysql connection. When I try that, the telnet connection hangs open with no response.

Thanks for any help!

Can you please, explain, what do you mean by: "BUT from this server I cannot 'telnet localhost 3306' and get a mysql connection"

You can easily telnet to different port and then in iptables use REDIRECT to turn packets to localhost ANY port.

briwood · 03-23-2010, 11:19 AM

Quote:

Originally Posted by nimnull22

Can you please, explain, what do you mean by: "BUT from this server I cannot 'telnet localhost 3306' and get a mysql connection"

The server where I'm modifying iptables is adm-10-cms:

Code:

[root@adm-10-cms ~]# telnet localhost 3306
Trying 127.0.0.1...

(hangs...^C)

Connecting from a different server:

Code:

[bwood@dev-10-cms ~]$ telnet 169.xxx.xxx.xxx 3306
Trying 169.xxx.xxx.xxx...
Connected to adm-10-cms.example.com (169.xxx.xxx.xxx).
Escape character is '^]'.
8
5.0.67-log��VR{4/1EG,�!u:^K=/ph;.qr^]
telnet> quit
Connection closed.
[bwood@dev-10-cms ~]$

As you can see I get a response from the remote mysql server when I initiate the connection from dev-10-cms, but I do not when I initiate the connection from adm-10-cms. I need to be able to initate the connection from adm-10-cms.

(Mysql is not running on adm-10-cms. I am definitley getting a response from the 128.xxx box mentioned above.)

eantoranz · 03-23-2010, 11:20 AM

If fails when you telnet to localhost port 3306, right?

I'd _guess_ it's because you do a DNAT but probably the source IP address that's set on those packets is still set to 127.0.0.1, isn't that right?

Try snatting or masquerading all traffic to the real mysql server so that it sees your IP address on that network interface, otherwise the mysql server will get 127.0.0.1 as the source address of those packets and won't be able to reply back.

nimnull22 · 03-23-2010, 11:30 AM

Use REDIRECT rule in iptables to turn local port <ANY> to local port <ANY>.

briwood · 03-23-2010, 11:39 AM

Quote:

Originally Posted by nimnull22

Use REDIRECT rule in iptables to turn local port <ANY> to local port <ANY>.

Are you saying to do what I tried in #5:

Code:

iptables -t nat -A OUTPUT -p tcp -o lo --dport 3306 -j DNAT --to 169.xxx.xxx.xxx:3306

but to leave out the "--dport 3306" and remove the ":3306"?

briwood · 03-23-2010, 11:42 AM

Quote:

Originally Posted by eantoranz

If fails when you telnet to localhost port 3306, right?

I'd _guess_ it's because you do a DNAT but probably the source IP address that's set on those packets is still set to 127.0.0.1, isn't that right?

Try snatting or masquerading all traffic to the real mysql server so that it sees your IP address on that network interface, otherwise the mysql server will get 127.0.0.1 as the source address of those packets and won't be able to reply back.

I guess I could try that as a test. In reality I only want mysql connections to go to the real mysql server. Http and other connections should still come to adm-10-cms.

nimnull22 · 03-23-2010, 11:55 AM

wait, wait, you confuse me.
nat -A OUTPUT - is located BEFORE router. So, you need to do things different way.

You need to connect to port 3306 on local and remote host - no problems.
But you need separate connections. In that case you can choose port 3306 for local and 4444 for remote server.
Now your iptables rules should be next:
iptables -t nat -A OUTPUT -p tcp -o lo --dport 4444 -j DNAT --to 169.xxx.xxx.xxx:3306

Now packets to port 3306 will not match any rules and go to local host as it suppose to be.
But packets to 4444 will match our rule and NAT will change destination.

eantoranz · 03-23-2010, 12:04 PM

Sure... just add filters to the rule in -t nat POSTROUTING that will match only traffic you care to masquerade/snat.

And just to make sure: it fails when you try to connect to telnet localhost 3306 (which is supposed to end up connecting to a remote mysql server), is that right?

eantoranz · 03-23-2010, 12:09 PM

But I'm seeing in your rules that you are masquerading all traffic that's going out... so the problem is not what I'm describing. Let me read it again to see what's going on.

eantoranz · 03-23-2010, 12:13 PM

can you do a tcpdump on your network interface that connects to the nerwork where the remote mysql server is?

something like:
tcpdump -i blah -p tcp and port 3197 -n -v

and then try to do the telnet and see what addresses/ports are showing up?