From: carlopmart <carlopmart@gmail.com>
To: netfilter@vger.kernel.org
Subject: Using source nat to discriminate traffic
Date: Tue, 26 Apr 2011 11:07:12 +0200	[thread overview]
Message-ID: <4DB68B40.2030806@gmail.com> (raw)

Hi all,

  I have a problem using source NAT rules to discriminate traffic on one 
host. This host has several IP aliases assigned to provide several 
services. The problem starts with the MySQL client. This host needs to access 
another host that acts as a MySQL server. This MySQL server has some ACLs 
configured for access to the databases, in this manner:

  - BBDD_1 can only be accessed from IP address 172.21.2.2.
  - BBDD_2 can only be accessed from IP address 172.21.2.3.

  Both IP addresses, 172.21.2.2 and 172.21.2.3, are assigned to the first 
host, which acts as the MySQL client. The latest release of the MySQL client 
contains an option to pass --bind-ip-address, but my MySQL client 
version does not (and I can't do an upgrade due to technical specifications).

  So I need to discriminate traffic on the MySQL client host when it 
tries to access the MySQL server. I have found a partial solution by adding 
this iptables rule:

  iptables -t nat -A POSTROUTING -o eth1 -d 172.17.3.3 -p tcp --dport 3306 -j SNAT --to-source 172.21.2.2

  This rule works OK when the MySQL client tries to access BBDD_1, but 
not when it tries to access BBDD_2, because it connects from the 172.21.2.2 
IP address and the MySQL host denies the traffic.

  Another point: the MySQL client host's principal IP address is 172.21.2.1, 
and I can't change it.

  How can I resolve this? Is it possible?

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
