From: carlopmart <carlopmart@gmail.com>
To: netfilter@vger.kernel.org
Subject: Re: Using source nat to discriminate traffic
Date: Tue, 26 Apr 2011 11:45:44 +0200
Message-ID: <4DB69448.6080009@gmail.com>
In-Reply-To: <alpine.LNX.2.01.1104261115080.20267@obet.zrqbmnf.qr>
On 04/26/2011 11:15 AM, Jan Engelhardt wrote:
> On Tuesday 2011-04-26 11:07, carlopmart wrote:
>
>> Hi all,
>>
>> I have a problem using source NAT rules to discriminate traffic on one host.
>> This host has several IP aliases assigned to provide several services. The problem
>> starts with the mysql client. This host needs to access another host that acts
>> as MySQL server. This MySQL server has some ACLs configured to control access to
>> databases, in this manner:
>>
>> - BBDD_1 can only be accessed by ip address 172.21.2.2.
>> - BBDD_2 can only be accessed by ip address 172.21.2.3
>>
>> Both IP addresses, 172.21.2.2 and 172.21.2.3, are assigned to the first host
>> that acts as a mysql client. The latest release of the mysql client contains an option
>> to pass --bind-ip-address, but my mysql client version does not (and I can't do an
>> upgrade due to technical specifications).
>>
>> Then, I need to discriminate traffic on the mysql client host when it tries to
>> access the mysql server. I have found a partial solution by adding this iptables
>> rule:
>>
>> iptables -t nat -A POSTROUTING -o eth1 -d 172.17.3.3 -p tcp --dport 3306 -j SNAT --to-source 172.21.2.2
>>
>> This rule works OK when the mysql client tries to access BBDD_1.
>
> Assuming BBDD_1 is 172.17.3.2, this rule won't be considered at all. Of
> course stuff works because some address is the client's default.
MySQL host ip address is 172.17.3.3, always, to all BBDD.
--
CL Martinez
carlopmart {at} gmail {d0t} com
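To make the failure mode in this thread concrete, here is an added Python model (not code from the thread, the poster, or netfilter) of the single nat/POSTROUTING SNAT rule quoted above together with the MySQL server's per-address ACL. The flow fields and the ACL table are constructed from the post; the point it shows is that the rule keys only on destination address and port, which are identical for both databases, so the kernel cannot pick a different source address per database.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    """One outgoing TCP connection as seen by nat/POSTROUTING (constructed)."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    out_iface: str = "eth1"

# Model of the rule from the post:
# iptables -t nat -A POSTROUTING -o eth1 -d 172.17.3.3 -p tcp --dport 3306 \
#          -j SNAT --to-source 172.21.2.2
SNAT_RULES = [
    {"out": "eth1", "dst": "172.17.3.3", "proto": "tcp", "dport": 3306,
     "to_source": "172.21.2.2"},
]

# MySQL server ACL as described in the post: database -> allowed client addresses.
ACL = {"BBDD_1": {"172.21.2.2"}, "BBDD_2": {"172.21.2.3"}}

def postrouting(flow: Flow, rules=SNAT_RULES) -> str:
    """Return the source address the server will see after nat/POSTROUTING.
    First matching rule wins, as in iptables; no match leaves the source unchanged."""
    for r in rules:
        if (r["out"] == flow.out_iface and r["dst"] == flow.dst
                and r["proto"] == flow.proto and r["dport"] == flow.dport):
            return r["to_source"]
    return flow.src

def server_allows(database: str, seen_src: str, acl=ACL) -> bool:
    """MySQL-side check: is the (post-NAT) client address allowed for this database?"""
    return seen_src in acl.get(database, set())

def outcome(database: str, original_src: str):
    """Source address the server sees and whether the ACL admits it.
    Both databases live on 172.17.3.3:3306, so the flow looks the same either way."""
    flow = Flow(src=original_src, dst="172.17.3.3", dport=3306)
    seen = postrouting(flow)
    return seen, server_allows(database, seen)

if __name__ == "__main__":
    # Whatever alias the client picked by default, the rule rewrites it to 172.21.2.2.
    for db in ("BBDD_1", "BBDD_2"):
        print(db, outcome(db, "172.21.2.3"))
```

Running it shows BBDD_1 admitted and BBDD_2 refused for every client alias, which is why the rule is only a partial solution: the nat table has no information about which database the client intends to use.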