NAT & MySQL

NAT & MySQL

[adburne]

[-- Attachment #1.1: Type: Text/Plain, Size: 2201 bytes --]

Someone can make NAT with mysql? I've tried for a long time without make it
work.

My natural language is spanish, sorry by mistakes writing in english.

This is the situation:

I've have a linux box as gateway between my lan and internet routing paquets
without problems, I need access from internet another linux box running
apache and mysql on my private lan.
To do this work I try to use nat; with apache all works ok, but with mysql
can't connect. I'll be looking on different network devices using tcpdump to
find what's wrong.

This is what tcpdump show on device eth0 on my mysql server (inside the lan)
 there is a petition from 200.10.10.1 (internet client) to 192.168.0.80
(mysql lan server), this reply with ack, but internet client don't 
reply. Any clue? =)

200.10.10.1.56405 > 192.168.0.80.3306: S 2205542765:2205542765(0) win 5840
<mss
1412,sackOK,timestamp 620645629 0,nop,wscale 0> (DF)
192.168.0.80.3306 > 200.10.10.1.56405: S 2497023396:2497023396(0) ack
2205542766
 win 5792 <mss 1460,sackOK,timestamp 95764658 620645629,nop,wscale 0> (DF)
200.10.10.1.56405 > 192.168.0.80.3306: R 2205542766:2205542766(0) win 0 (DF)
200.10.10.1.56405 > 192.168.0.80.3306: S 2205542765:2205542765(0) win 5840
<mss
1412,sackOK,timestamp 620648701 0,nop,wscale 0> (DF)
192.168.0.80.3306 > 200.10.10.1.56405: S 2503023731:2503023731(0) ack
2205542766
 win 5792 <mss 1460,sackOK,timestamp 95765258 620648701,nop,wscale 0> (DF)
200.10.10.1.56405 > 192.168.0.80.3306: R 2205542766:2205542766(0) win 0 (DF)


The forward rules on the gateway are:

# "Accept forward all connections to port 3306 on ppp0"
iptables -A FORWARD -p tcp -i ppp0 --dport 3306 -o eth0 -j ACCEPT
# "All stablished connections are ok"
iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j
ACCEPT
# "All connection from inside to outside are accepted"
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
# "Rest go away"
iptables -A FORWARD -j REJECT

NAT rule:
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 3306 -j DNAT --to 192
168.0.80 -s 200.10.10.1

If someone can make the light turn on, thanks!!!!

Alejandro

[-- Attachment #1.2: Type: Text/HTML, Size: 4274 bytes --]

<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="IncrediMail 1.0" name=GENERATOR>
<!--IncrdiXMLRemarkStart>
<IncrdiX-Info>
<X-FID>FLAVOR00-NONE-0000-0000-000000000000</X-FID>
<X-FVER>3.0</X-FVER>
<X-CNT>;</X-CNT>
</IncrdiX-Info>
<IncrdiXMLRemarkEnd-->
</HEAD>
<BODY style="BACKGROUND-POSITION: 0px 0px; FONT-SIZE: 12pt; MARGIN: 5px 10px 10px; FONT-FAMILY: Arial" bgColor=#ffffff background="" scroll=yes ORGYPOS="0" X-FVER="3.0">
<TABLE id=INCREDIMAINTABLE cellSpacing=0 cellPadding=2 width="100%" border=0>
<TBODY>
<TR>
<TD id=INCREDITEXTREGION style="FONT-SIZE: 12pt; CURSOR: auto; FONT-FAMILY: Arial" width="100%">
<DIV>Someone can make NAT with mysql? I've tried for a long time without make it work.</DIV>
<DIV>&nbsp;</DIV>
<DIV>My natural language is spanish, sorry by mistakes writing in english.</DIV>
<DIV>&nbsp;</DIV>
<DIV>This is the situation:</DIV>
<DIV>&nbsp;</DIV>
<DIV>I've have a linux box as gateway between my lan and internet routing paquets without problems, I need access from internet another linux box running apache and mysql on my private lan.</DIV>
<DIV>To do this work I try to use nat; with apache all works ok, but with mysql can't connect. I'll be looking on different network devices using tcpdump to find what's wrong.</DIV>
<DIV>&nbsp;</DIV>
<DIV>This is what tcpdump show on device eth0 on my mysql server (inside the lan), there is a petition from 200.10.10.1 (internet client) to 192.168.0.80 (mysql lan server), this&nbsp;reply with ack, but internet client don't </DIV>
<DIV>reply. Any clue? =)</DIV>
<DIV>&nbsp;</DIV>
<DIV>200.10.10.1.56405 &gt; 192.168.0.80.3306: S 2205542765:2205542765(0) win 5840 &lt;mss<BR>1412,sackOK,timestamp 620645629 0,nop,wscale 0&gt; (DF)<BR>192.168.0.80.3306 &gt; 200.10.10.1.56405: S 2497023396:2497023396(0) ack 2205542766<BR>&nbsp;win 5792 &lt;mss 1460,sackOK,timestamp 95764658 620645629,nop,wscale 0&gt; (DF)<BR>200.10.10.1.56405 &gt; 192.168.0.80.3306: R 2205542766:2205542766(0) win 0 (DF)<BR>200.10.10.1.56405 &gt; 192.168.0.80.3306: S 2205542765:2205542765(0) win 5840 &lt;mss<BR>1412,sackOK,timestamp 620648701 0,nop,wscale 0&gt; (DF)<BR>192.168.0.80.3306 &gt; 200.10.10.1.56405: S 2503023731:2503023731(0) ack 2205542766<BR>&nbsp;win 5792 &lt;mss 1460,sackOK,timestamp 95765258 620648701,nop,wscale 0&gt; (DF)<BR>200.10.10.1.56405 &gt; 192.168.0.80.3306: R 2205542766:2205542766(0) win 0 (DF)<BR></DIV>
<DIV>&nbsp;</DIV>
<DIV>The forward rules on the gateway are:</DIV>
<DIV>&nbsp;</DIV>
<DIV>
<DIV>#&nbsp;"Accept forward all connections to port 3306 on ppp0"<BR>iptables -A FORWARD -p tcp -i ppp0 --dport 3306 -o eth0 -j ACCEPT</DIV>
<DIV>#&nbsp;"All stablished connections are ok"<BR>iptables&nbsp;-A FORWARD -i&nbsp;ppp0 -o&nbsp;eth0 -m state --state ESTABLISHED,RELATED&nbsp;-j ACCEPT<BR>#&nbsp;"All connection from inside to outside are accepted"<BR>iptables&nbsp;-A FORWARD -i&nbsp;eth0 -o&nbsp;ppp0 -j ACCEPT</DIV>
<DIV>#&nbsp;"Rest go away"</DIV>
<DIV>iptables&nbsp;-A FORWARD -j REJECT</DIV>
<DIV>&nbsp;</DIV>
<DIV>NAT rule:</DIV>
<DIV>iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 3306 -j DNAT --to 192.168.0.80 -s 200.10.10.1</DIV>
<DIV>&nbsp;</DIV>
<DIV>If someone can make the light turn on, thanks!!!!</DIV>
<DIV>&nbsp;</DIV>
<DIV>Alejandro</DIV>
<DIV>&nbsp;</DIV></DIV></TD></TR>
<TR>
<TD id=INCREDIFOOTER width="100%">
<TABLE cellSpacing=0 cellPadding=0 width="100%">
<TBODY>
<TR>
<TD width="100%"></TD>
<TD id=INCREDISOUND vAlign=bottom align=middle></TD>
<TD id=INCREDIANIM vAlign=bottom align=middle></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE><SPAN id=IncrediStamp><SPAN dir=ltr><FONT face="Arial, Helvetica, sans-serif" size=2>_________________________________________________________________<BR><FONT face="Comic Sans MS" size=2><A href="http://www.incredimail.com/redir.asp?ad_id=310&amp;lang=10"><IMG alt="" hspace=0 src="cid:0E1EA367-1F3C-11D8-B817-00805F579555" align=baseline border=0></A>&nbsp; <I>IncrediMail</I> - <B>El E-mail ha evolucionado finalmente</B> - </FONT><A href="http://www.incredimail.com/redir.asp?ad_id=310&amp;lang=10"><FONT face="Times New Roman" size=3><B><U>Haga clic aquí</U></B></FONT></A></SPAN></SPAN></FONT></BODY></HTML>

[-- Attachment #2: IMSTP.gif --]
[-- Type: image/gif, Size: 494 bytes --]

Re: NAT & MySQL

[Jeffrey Laramie]

adburne wrote:

> The forward rules on the gateway are:
>  
> # "Accept forward all connections to port 3306 on ppp0"
> iptables -A FORWARD -p tcp -i ppp0 --dport 3306 -o eth0 -j ACCEPT
> # "All stablished connections are ok"
> iptables -A FORWARD -i ppp0 -o eth0 -m state --state 
> ESTABLISHED,RELATED -j ACCEPT
> # "All connection from inside to outside are accepted"
> iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
> # "Rest go away"
> iptables -A FORWARD -j REJECT
>  
> NAT rule:
> iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 3306 -j DNAT --to 
> 192.168.0.80 -s 200.10.10.1
>

Are you using MASQUERADE or SNAT ? If you aren't then the outside can't 
'see' your internal server.

Jeff

RE: NAT & MySQL

[Mark E. Donaldson]

[-- Attachment #1.1: Type: text/plain, Size: 3018 bytes --]

The ACK packets you see in your dump are probably being dropped at the
firewall because a state table entry does not exist.  So you need to add a
NEW rule to do this:
 
iptables -A FORWARD -i ppp0 -o eth0 -m state --state NEW -j ACCEPT
 
this rule will then allow your ESTABLISHED,RELATED rule to work and permit
those ACK packets to pass.


  _____  

From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of adburne
Sent: Tuesday, November 25, 2003 4:18 AM
To: netfilter@lists.netfilter.org
Subject: NAT & MySQL



Someone can make NAT with mysql? I've tried for a long time without make it
work.
 
My natural language is spanish, sorry by mistakes writing in english.
 
This is the situation:
 
I've have a linux box as gateway between my lan and internet routing paquets
without problems, I need access from internet another linux box running
apache and mysql on my private lan.
To do this work I try to use nat; with apache all works ok, but with mysql
can't connect. I'll be looking on different network devices using tcpdump to
find what's wrong.
 
This is what tcpdump show on device eth0 on my mysql server (inside the
lan), there is a petition from 200.10.10.1 (internet client) to 192.168.0.80
(mysql lan server), this reply with ack, but internet client don't 
reply. Any clue? =)
 
200.10.10.1.56405 > 192.168.0.80.3306: S 2205542765:2205542765(0) win 5840
<mss
1412,sackOK,timestamp 620645629 0,nop,wscale 0> (DF)
192.168.0.80.3306 > 200.10.10.1.56405: S 2497023396:2497023396(0) ack
2205542766
 win 5792 <mss 1460,sackOK,timestamp 95764658 620645629,nop,wscale 0> (DF)
200.10.10.1.56405 > 192.168.0.80.3306: R 2205542766:2205542766(0) win 0 (DF)
200.10.10.1.56405 > 192.168.0.80.3306: S 2205542765:2205542765(0) win 5840
<mss
1412,sackOK,timestamp 620648701 0,nop,wscale 0> (DF)
192.168.0.80.3306 > 200.10.10.1.56405: S 2503023731:2503023731(0) ack
2205542766
 win 5792 <mss 1460,sackOK,timestamp 95765258 620648701,nop,wscale 0> (DF)
200.10.10.1.56405 > 192.168.0.80.3306: R 2205542766:2205542766(0) win 0 (DF)

 
The forward rules on the gateway are:
 
# "Accept forward all connections to port 3306 on ppp0"
iptables -A FORWARD -p tcp -i ppp0 --dport 3306 -o eth0 -j ACCEPT
# "All stablished connections are ok"
iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j
ACCEPT
# "All connection from inside to outside are accepted"
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
# "Rest go away"
iptables -A FORWARD -j REJECT
 
NAT rule:
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 3306 -j DNAT --to
192.168.0.80 -s 200.10.10.1
 
If someone can make the light turn on, thanks!!!!
 
Alejandro
 

			
_________________________________________________________________
 <http://www.incredimail.com/redir.asp?ad_id=310&lang=10>   IncrediMail - El
E-mail ha evolucionado finalmente -
<http://www.incredimail.com/redir.asp?ad_id=310&lang=10> Haga clic aquí

[-- Attachment #1.2: Type: text/html, Size: 6130 bytes --]

[-- Attachment #2: IMSTP.gif --]
[-- Type: image/gif, Size: 494 bytes --]

Re: NAT & MySQL

[Jeffrey Laramie]

Mark E. Donaldson wrote:

> The ACK packets you see in your dump are probably being dropped at the 
> firewall because a state table entry does not exist.  So you need to 
> add a NEW rule to do this:
>  
> iptables -A FORWARD -i ppp0 -o eth0 -m state --state NEW -j ACCEPT
>  
> this rule will then allow your ESTABLISHED,RELATED rule to work and 
> permit those ACK packets to pass.
>
>

Hi Mark,

I'm not sure I understand what this rule does for him. Only the first 
packet from the web client would be NEW and based on his FORWARD rules 
that's been accepted and the dump shows it went through (although I'd 
still like to see his SNAT rule). Your rule would open his mysql server 
to any NEW packet. Are you saying that the RELATED ACK packets won't go 
through unless the first packet is matched with a NEW state and makes an 
entry in the state table?

Jeff

RE: NAT & MySQL

[Mark E. Donaldson]

Yeah you are correct Jeff.  Don't know what I was thinking. Maybe that's the
problem: I wasn't.

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Jeffrey Laramie
Sent: Tuesday, November 25, 2003 1:25 PM
To: netfilter@lists.netfilter.org
Subject: Re: NAT & MySQL

Mark E. Donaldson wrote:

> The ACK packets you see in your dump are probably being dropped at the 
> firewall because a state table entry does not exist.  So you need to 
> add a NEW rule to do this:
>  
> iptables -A FORWARD -i ppp0 -o eth0 -m state --state NEW -j ACCEPT
>  
> this rule will then allow your ESTABLISHED,RELATED rule to work and 
> permit those ACK packets to pass.
>
>

Hi Mark,

I'm not sure I understand what this rule does for him. Only the first packet
from the web client would be NEW and based on his FORWARD rules that's been
accepted and the dump shows it went through (although I'd still like to see
his SNAT rule). Your rule would open his mysql server to any NEW packet. Are
you saying that the RELATED ACK packets won't go through unless the first
packet is matched with a NEW state and makes an entry in the state table?

Jeff

Re: NAT & MySQL

[Jeffrey Laramie]

[-- Attachment #1: Type: text/html, Size: 1084 bytes --]

Re: NAT & MySQL

[adburne]

[-- Attachment #1.1: Type: Text/Plain, Size: 1411 bytes --]

 How ever, thanks; I'll be found the reason that didn't work DNAT.

Don't punch me =)

I set up, time ago, another gateway box on my mysql server (I've 2 links to
internet), it runs rh7.1 and network setup was setting using linuxconf. I
setup it correctly, but don't take changes.
It show incorrect information about gateway ip, when I saw this because I
think in it, all was ok (in theory).

Thanks, and sorry for waste your time (and my too) with this problem.

Alejandro.
 
-------Mensaje original-------
 
De: Jeffrey Laramie
Fecha: miércoles 26 de noviembre de 2003 00:51:40
A: netfilter@lists.netfilter.org
Asunto: Re: NAT & MySQL
 
Mark E. Donaldson wrote:

Yeah you are correct Jeff.  Don't know what I was thinking. Maybe that's the
problem: I wasn't.

  

No worries. This is a tough list to answer on (just ask Antony). One needs
to understand inet protocols, the inner workings of netfilter, network
design, and a whole bunch of unforgiving iptables rules. And that's before
you get to POM and the bleeding edge stuff! This is why I only answer the
easy questions ;-)

Anyway, the original post said that the web server worked fine yet there
aren't any rules that would allow that. If you're still following the thread
 can you post all your rules and maybe a schematic of your LAN so we can see
where the servers are?

Jeff

 

[-- Attachment #1.2: Type: Text/HTML, Size: 3690 bytes --]

<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="IncrediMail 1.0" name=GENERATOR>
<!--IncrdiXMLRemarkStart>
<IncrdiX-Info>
<X-FID>FLAVOR00-NONE-0000-0000-000000000000</X-FID>
<X-FVER></X-FVER>
<X-CNT>;</X-CNT>
</IncrdiX-Info>
<IncrdiXMLRemarkEnd-->
</HEAD>
<BODY style="BACKGROUND-POSITION: 0px 0px; FONT-SIZE: 12pt; MARGIN: 5px 10px 10px; FONT-FAMILY: Arial" bgColor=#ffffff background="" scroll=yes ORGYPOS="0" X-FVER="3.0">
<TABLE id=INCREDIMAINTABLE cellSpacing=0 cellPadding=2 width="100%" border=0>
<TBODY>
<TR>
<TD id=INCREDITEXTREGION style="FONT-SIZE: 12pt; CURSOR: auto; FONT-FAMILY: Arial" width="100%">
<DIV>&nbsp;How ever, thanks; I'll be found the reason that didn't work DNAT.</DIV>
<DIV>&nbsp;</DIV>
<DIV>Don't punch me =)</DIV>
<DIV>&nbsp;</DIV>
<DIV>I set up, time ago, another gateway box on my mysql server (I've 2 links to internet), it runs rh7.1 and network setup was setting using linuxconf. I setup it correctly, but don't take changes.</DIV>
<DIV>It&nbsp;show incorrect information about gateway ip, when I saw this because I think in it, all was ok (in theory).</DIV>
<DIV>&nbsp;</DIV>
<DIV>Thanks, and sorry for waste your time (and my too) with this problem.</DIV>
<DIV>&nbsp;</DIV>
<DIV>Alejandro.</DIV>
<DIV>&nbsp;</DIV>
<DIV id=IncrediOriginalMessage><I>-------Mensaje original-------</I></DIV>
<DIV>&nbsp;</DIV>
<DIV id=receivestrings>
<DIV dir=ltr style="FONT-SIZE: 11pt" <i><B>De:</B></I> <A href="mailto:JALaramie@Loudoun-Fairfax.com">Jeffrey Laramie</A></DIV>
<DIV dir=ltr style="FONT-SIZE: 11pt" <i><B>Fecha:</B></I> miércoles 26 de noviembre de 2003 00:51:40</DIV>
<DIV dir=ltr style="FONT-SIZE: 11pt" <i><B>A:</B></I> <A href="mailto:netfilter@lists.netfilter.org">netfilter@lists.netfilter.org</A></DIV>
<DIV dir=ltr style="FONT-SIZE: 11pt" <i><B>Asunto:</B></I> Re: NAT &amp; MySQL</DIV></DIV>
<DIV>&nbsp;</DIV>Mark E. Donaldson wrote:<BR>
<DIV cite="mid200311260256.hAQ2usiu004660@server5.bandwidthco.com" type="cite"><PRE wrap="">Yeah you are correct Jeff.  Don't know what I was thinking. Maybe that's the
problem: I wasn't.

  </PRE></DIV><BR>No worries. This is a tough list to answer on (just ask Antony). One needs to understand inet protocols, the inner workings of netfilter, network design, and a whole bunch of unforgiving iptables rules. And that's before you get to POM and the bleeding edge stuff! This is why I only answer the easy questions ;-)<BR><BR>Anyway, the original post said that the web server worked fine yet there aren't any rules that would allow that. If you're still following the thread, can you post all your rules and maybe a schematic of your LAN so we can see where the servers are?<BR><BR>Jeff<BR>
<DIV>&nbsp;</DIV></TD></TR>
<TR>
<TD id=INCREDIFOOTER width="100%">
<TABLE cellSpacing=0 cellPadding=0 width="100%">
<TBODY>
<TR>
<TD width="100%"></TD>
<TD id=INCREDISOUND vAlign=bottom align=middle></TD>
<TD id=INCREDIANIM vAlign=bottom align=middle></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE><SPAN id=IncrediStamp><SPAN dir=ltr><FONT face="Arial, Helvetica, sans-serif" size=2>_________________________________________________________________<BR><FONT face="Comic Sans MS" size=2><A href="http://www.incredimail.com/redir.asp?ad_id=310&amp;lang=10"><IMG alt="" hspace=0 src="cid:277FA103-20E7-11D8-B818-00805F579555" align=baseline border=0></A>&nbsp; <I>IncrediMail</I> - <B>El E-mail ha evolucionado finalmente</B> - </FONT><A href="http://www.incredimail.com/redir.asp?ad_id=310&amp;lang=10"><FONT face="Times New Roman" size=3><B><U>Haga clic aquí</U></B></FONT></A></SPAN></SPAN></FONT></BODY></HTML>

[-- Attachment #2: IMSTP.gif --]
[-- Type: image/gif, Size: 494 bytes --]

NAT & MySQL

[Alejandro D. Burne]

[-- Attachment #1.1: Type: Text/Plain, Size: 2088 bytes --]

This is the schema:

[internet]<-->[ppp0 (dynamic address) - Gateway - 192.168.1.122]<-->[192.168
1.252 - MySQL Server]

and this is the script:

#Setting the EXTERNAL and INTERNAL interfaces for the network
EXTIF="ppp0"
INTIF="eth0"

# Determine the external IP automatically:
EXTIP="`$IFCONFIG $EXTIF | $AWK \
 /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"

# Assign the internal TCP/IP network and IP address
INTNET="192.168.1.0/24"
INTIP="192.168.1.122/32"

# Setting a few other local variables
UNIVERSE="0.0.0.0/0"

echo "  - Verifying that all kernel modules are ok"
[... to be more small I supress many lines here...]

echo "  Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "  Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "  Clearing any existing rules.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT 
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT 
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD 
$IPTABLES -F -t nat
# Flush the user chain.. if it exists
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
   $IPTABLES -F drop-and-log-it
fi
# Delete all User-specified chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z

echo "  Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info 
$IPTABLES -A drop-and-log-it -j REJECT

echo -e "   - Loading FORWARD rulesets"
$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport 3306 -o $INTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED
RELATED \
 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Catch all rule, all other forwarding is denied and logged. 
$IPTABLES -A FORWARD -j drop-and-log-it


echo "     - NAT: Enabling SNAT functionality on $EXTIF"
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 3306 -j DNAT --to
192.168.1.252:3306
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

Alejandro

[-- Attachment #1.2: Type: Text/HTML, Size: 4157 bytes --]

<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="IncrediMail 1.0" name=GENERATOR>
<!--IncrdiXMLRemarkStart>
<IncrdiX-Info>
<X-FID>FLAVOR00-NONE-0000-0000-000000000000</X-FID>
<X-FVER></X-FVER>
<X-CNT>;</X-CNT>
</IncrdiX-Info>
<IncrdiXMLRemarkEnd-->
</HEAD>
<BODY style="BACKGROUND-POSITION: 0px 0px; FONT-SIZE: 12pt; MARGIN: 5px 10px 10px; FONT-FAMILY: Arial" bgColor=#ffffff background="" scroll=yes ORGYPOS="0" X-FVER="3.0">
<TABLE id=INCREDIMAINTABLE cellSpacing=0 cellPadding=2 width="100%" border=0>
<TBODY>
<TR>
<TD id=INCREDITEXTREGION style="FONT-SIZE: 12pt; CURSOR: auto; FONT-FAMILY: Arial" width="100%">
<DIV>This is the schema:</DIV>
<DIV>&nbsp;</DIV>
<DIV>
<DIV>[internet]&lt;--&gt;[ppp0 (dynamic address)&nbsp;- Gateway - 192.168.1.122]&lt;--&gt;[192.168.1.252 - MySQL Server]</DIV></DIV>
<DIV>&nbsp;</DIV>
<DIV>and this is the script:</DIV>
<DIV>&nbsp;</DIV>
<DIV>#Setting the EXTERNAL and INTERNAL interfaces for the network<BR>EXTIF="ppp0"<BR>INTIF="eth0"</DIV>
<DIV>&nbsp;</DIV>
<DIV># Determine the external IP automatically:<BR>EXTIP="`$IFCONFIG $EXTIF | $AWK \<BR>&nbsp;/$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"</DIV>
<DIV>&nbsp;</DIV>
<DIV># Assign the internal TCP/IP network and IP address<BR>INTNET="192.168.1.0/24"<BR>INTIP="192.168.1.122/32"</DIV>
<DIV>&nbsp;</DIV>
<DIV># Setting a few other local variables<BR>UNIVERSE="0.0.0.0/0"</DIV>
<DIV>&nbsp;</DIV>
<DIV>echo "&nbsp; - Verifying that all kernel modules are ok"<BR>[... to be more small I supress many lines here...]</DIV>
<DIV>&nbsp;</DIV>
<DIV>echo "&nbsp; Enabling forwarding.."<BR>echo "1" &gt; /proc/sys/net/ipv4/ip_forward<BR>echo "&nbsp; Enabling DynamicAddr.."<BR>echo "1" &gt; /proc/sys/net/ipv4/ip_dynaddr</DIV>
<DIV>&nbsp;</DIV>
<DIV>echo "&nbsp; Clearing any existing rules.."<BR>$IPTABLES -P INPUT ACCEPT<BR>$IPTABLES -F INPUT <BR>$IPTABLES -P OUTPUT ACCEPT<BR>$IPTABLES -F OUTPUT <BR>$IPTABLES -P FORWARD DROP<BR>$IPTABLES -F FORWARD <BR>$IPTABLES -F -t nat<BR># Flush the user chain.. if it exists<BR>if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then<BR>&nbsp;&nbsp; $IPTABLES -F drop-and-log-it<BR>fi<BR># Delete all User-specified chains<BR>$IPTABLES -X<BR># Reset all IPTABLES counters<BR>$IPTABLES -Z</DIV>
<DIV>&nbsp;</DIV>
<DIV>echo "&nbsp; Creating a DROP chain.."<BR>$IPTABLES -N drop-and-log-it<BR>$IPTABLES -A drop-and-log-it -j LOG --log-level info <BR>$IPTABLES -A drop-and-log-it -j REJECT</DIV>
<DIV>&nbsp;</DIV>
<DIV>echo -e "&nbsp;&nbsp; - Loading FORWARD rulesets"<BR>$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport 3306 -o $INTIF -j ACCEPT<BR>$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \<BR>&nbsp;-j ACCEPT<BR>$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT<BR># Catch all rule, all other forwarding is denied and logged. <BR>$IPTABLES -A FORWARD -j drop-and-log-it</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>echo "&nbsp;&nbsp;&nbsp;&nbsp; - NAT: Enabling SNAT functionality on $EXTIF"<BR>$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 3306 -j DNAT --to 192.168.1.252:3306<BR>$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP<BR></DIV>
<DIV>Alejandro</DIV></TD></TR>
<TR>
<TD id=INCREDIFOOTER width="100%">
<TABLE cellSpacing=0 cellPadding=0 width="100%">
<TBODY>
<TR>
<TD width="100%"></TD>
<TD id=INCREDISOUND vAlign=bottom align=middle></TD>
<TD id=INCREDIANIM vAlign=bottom align=middle></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE><SPAN id=IncrediStamp><SPAN dir=ltr><FONT face="Arial, Helvetica, sans-serif" size=2>_________________________________________________________________<BR><FONT face="Comic Sans MS" size=2><A href="http://www.incredimail.com/redir.asp?ad_id=310&amp;lang=10"><IMG alt="" hspace=0 src="cid:68A9AED4-20D0-11D8-B818-00805F579555" align=baseline border=0></A>&nbsp; <I>IncrediMail</I> - <B>El E-mail ha evolucionado finalmente</B> - </FONT><A href="http://www.incredimail.com/redir.asp?ad_id=310&amp;lang=10"><FONT face="Times New Roman" size=3><B><U>Haga clic aquí</U></B></FONT></A></SPAN></SPAN></FONT></BODY></HTML>

[-- Attachment #2: IMSTP.gif --]
[-- Type: image/gif, Size: 494 bytes --]