* port forwarding through localhost
From: Andy B. @ 2007-01-26 21:56 UTC
To: netfilter

I have a port forwarding issue with localhost. Here is the deal:

Webserver that uses many many mySQL connections to 127.0.0.1 (port 3306).

Now I would like to put the mySQL server onto a dedicated machine without changing the "127.0.0.1" setting on a few hundred websites.

The new mySQL server listens on 10.0.0.100:3306

My first guess was the following ruleset on the webserver:

  iptables -t nat -A PREROUTING -p tcp -i lo --dport 3306 -j DNAT --to 10.0.0.100

Then I tried to telnet 127.0.0.1 3306, which failed immediately.

I figured out that PREROUTING is no good for localhost and changed it into:

  iptables -t nat -A OUTPUT -o lo -p tcp --dport 3306 -j DNAT --to 10.0.0.100:3306

telnet 127.0.0.1 3306 seems to do something, but not what I expected:

  $ telnet 127.0.0.1 3333
  Trying 127.0.0.1...
  <sleeping...... sleeping......>
  Timeout eventually.

A bit more information on the webserver:
- eth0 = public IP (not needed here)
- eth1 = 10.0.0.99
- lo = 127.0.0.1

Dedicated MySQL server:
- eth0 = public IP (not needed here)
- eth1 = 10.0.0.100
- lo = 127.0.0.1

What am I missing or doing wrong?

Thanks a lot,
Andy
* Re: port forwarding through localhost
From: Pascal Hambourg @ 2007-01-26 22:18 UTC
To: netfilter

Hello,

Andy B. wrote:
>
> Webserver that uses many many mySQL connections to 127.0.0.1 (Port 3306).
>
> Now I would like to put the mySQL server onto a dedicated machine without
> changing the "127.0.0.1" setting on a few hundred websites.
>
> The new mySQL Server listens on 10.0.0.100:3306
>
> My first guess was the following ruleset on the webserver:
>
> iptables -t nat -A PREROUTING -p tcp -i lo --dport 3306 -j DNAT --to
> 10.0.0.100
>
> Then I tried to telnet 127.0.0.1 3306, which failed immediately

Of course. Locally generated packets don't go into the PREROUTING chain.

> I figured out the prerouting is no good for localhost and changed it into:
>
> iptables -t nat -A OUTPUT -o lo -p tcp --dport 3306 -j DNAT --to
> 10.0.0.100:3306
>
> telnet 127.0.0.1 3306 seems to do something, but not what I expected:
>
> $ telnet 127.0.0.1 3333

Why 3333?

> Trying 127.0.0.1...
>
> <sleeping...... sleeping......>
>
> Timeout eventually.

Does connecting directly to the SQL server work (no filtering rule that may block the connection)? What is the kernel version? Since 2.6.11, DNAT in the OUTPUT chain does not mangle the source address any more. But 127.0.0.1 is an invalid address for external communication and is rejected by the re-routing decision.
* RE: port forwarding through localhost
From: Andy B. @ 2007-01-26 22:29 UTC
To: netfilter

Sorry about the "3333", it was a typo. Of course I meant 3306.

My rules are working when we are talking about the external interfaces (eth0), and the SQL server is responding when talking directly to 10.0.0.100.

My complete ruleset looks like this:

  echo 1 > /proc/sys/net/ipv4/ip_forward
  iptables -F
  iptables -X
  iptables -Z
  iptables --table nat --flush
  iptables --delete-chain
  iptables --table nat --delete-chain
  iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
  iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
  iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3306 -j DNAT --to 10.0.0.100
  iptables -t nat -A OUTPUT -o lo -p tcp --dport 3306 -j DNAT --to 10.0.0.100:3306

The last rule is causing trouble, and it is the most important one, in order not to bother my customers with changing their settings :-/

Andy
* Re: port forwarding through localhost
From: Pascal Hambourg @ 2007-01-26 22:50 UTC
To: netfilter

Andy B. wrote:
> Sorry about the "3333", it was a typo. Of course I meant 3306.
>
> My rules are working when we are talking about the external interfaces
> (eth0), and the SQL Server is responding when talking directly to 10.0.0.100

You didn't say what the kernel version is. If it is >= 2.6.11, you're stuck.

As I suggested to someone else having the same problem as you, instead of using a DNAT rule you may use a TCP "proxy" such as stone (<http://www.gcd.org/sengoku/stone/>, supports UDP too) or 6tunnel (<http://toxygen.net/6tunnel/>, originally designed to relay connections between IPv6 and IPv4 hosts but works between IPv4 hosts too) which listens on the local port 3306 and relays the local connections to the remote SQL server.
* RE: port forwarding through localhost
From: Andy B. @ 2007-01-26 22:55 UTC
To: netfilter

I am using 2.6.19.2.

An intermediate TCP proxy method doesn't sound so nice, since iptables is way more flexible to me :-/

Andy
* RE: port forwarding through localhost
From: Jan Engelhardt @ 2007-01-26 23:09 UTC
To: Andy B.; +Cc: netfilter

> I am using 2.6.19.2.
>
> An intermediate tcp proxy method doesn't sound so nice, since iptables is
> way more flexible to me :-/

In fact, using such a proxy doubles the amount of packets transferred.

What you should have done instead: use DNS instead of fixed IP addresses. That way you could have had

  mysql IN A 127.0.0.1

before, and now change it with no problem to

  mysql IN A 192.168.123.45

But you have not, so better deal with it ;-)

-`J'
* RE: port forwarding through localhost
From: Michael P. Brininstool @ 2007-01-30 19:54 UTC
To: 'Andy B.', netfilter

I know this is a little late, but when doing services like this, it has proved helpful in the past to have the customers use a FQDN (fully qualified domain name) instead of an IP. For example, I set up the following: imap.domain.com, smtp.domain.com, www.domain.com, mail.domain.com, mysql.domain.com, proxy.domain.com, ftp.domain.com, etc., even if they are all on the same machine. That way, as services need to be split off onto their own machine, a simple DNS change moves the load.

In the manner of helping in your current situation, isn't there a -j REDIRECT table?

--
Michael P. Brininstool
* RE: port forwarding through localhost
From: Andy B. @ 2007-01-31 9:09 UTC
To: netfilter

Yes, I know that I should have used some FQDN instead of localhost, but the circumstances that once were have changed a lot - I will do better next time :-)

-j REDIRECT is imho just for redirecting towards the same host (localhost to localhost), so of no use.

As a quick fix, I am now using rinetd which does the trick, but the overhead is driving the server load up :-/

Andy
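Pascal's TCP "proxy" suggestion (stone, 6tunnel) and the rinetd workaround Andy settled on are the same idea: a userspace relay on the webserver that owns 127.0.0.1:3306 and copies bytes to the real server, which sidesteps the rejected DNAT in OUTPUT entirely. The following is an added illustration written for this page, not code from the thread or from any of those tools; the ports used in roundtrip() are constructed for a self-test, and an echo server stands in for mysqld.

```python
# Added example, not code from the thread: a minimal TCP relay of the kind
# Pascal suggests (stone, 6tunnel) and Andy ends up running (rinetd). It binds
# the local port the websites already use and forwards each connection onward.
import socket
import threading
from contextlib import suppress

def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on to dst."""
    with suppress(OSError):
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _relay(client, target):
    """Connect upstream and pump both ways; if upstream refuses, just close the client."""
    with client:
        try:
            upstream = socket.create_connection(target)
        except OSError:
            return
        with upstream:
            back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
            back.start()
            _pump(client, upstream)
            back.join()

def serve(bind, handler):
    """Listen on `bind`; run handler(conn) in a thread per connection. Returns bound addr."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(bind)
    srv.listen(16)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def start_relay(listen, target):
    """On the webserver this would be start_relay(("127.0.0.1", 3306), ("10.0.0.100", 3306))."""
    return serve(listen, lambda c: _relay(c, target))

def roundtrip(payload):
    """Self-test on constructed ephemeral ports: an echo server stands in for mysqld."""
    echo = serve(("127.0.0.1", 0), lambda c: _pump(c, c))
    with socket.create_connection(start_relay(("127.0.0.1", 0), echo), timeout=5) as cli:
        cli.sendall(payload)
        cli.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: cli.recv(65536), b""))
```

Every byte crosses the kernel boundary twice on the webserver, which is the extra load Andy and Jan refer to.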