* Using source nat to discriminate traffic
@ 2011-04-26 9:07 carlopmart
2011-04-26 9:15 ` Jan Engelhardt
2011-04-26 12:02 ` Vigneswaran R
0 siblings, 2 replies; 6+ messages in thread
From: carlopmart @ 2011-04-26 9:07 UTC (permalink / raw)
To: netfilter
Hi all,
I have a problem using source NAT rules to discriminate traffic on one
host. This host has several IP aliases assigned to provide several
services. The problem starts with the mysql client. This host needs to
access another host that acts as a MySQL server. This MySQL server has
some ACLs configured for access to databases, in this manner:
- BBDD_1 can only be accessed from IP address 172.21.2.2.
- BBDD_2 can only be accessed from IP address 172.21.2.3.
Both IP addresses, 172.21.2.2 and 172.21.2.3, are assigned to the first
host, which acts as the mysql client. The latest release of the mysql
client contains an option to pass --bind-ip-address, but my mysql client
version does not (and I can't upgrade due to technical specifications).
Therefore I need to discriminate traffic on the mysql client host when it
tries to access the mysql server. I have found a partial solution by
adding this iptables rule:
iptables -t nat -A POSTROUTING -o eth1 -d 172.17.3.3 -p tcp --dport 3306 -j SNAT --to-source 172.21.2.2
This rule works OK when the mysql client tries to access BBDD_1, but
not when it tries to access BBDD_2, because it connects from the
172.21.2.2 IP address and the MySQL host denies the traffic.
Another point: the mysql client host's principal IP address is 172.21.2.1,
and I can't change it.
How can I resolve this? Is it possible?
--
CL Martinez
carlopmart {at} gmail {d0t} com
* Re: Using source nat to discriminate traffic
From: Jan Engelhardt @ 2011-04-26 9:15 UTC (permalink / raw)
To: carlopmart; +Cc: netfilter
On Tuesday 2011-04-26 11:07, carlopmart wrote:
> Hi all,
>
> I have a problem using source NAT rules to discriminate traffic on one host.
> This host has several IP aliases assigned to provide several services. The problem
> starts with the mysql client. This host needs to access another host that acts
> as a MySQL server. This MySQL server has some ACLs configured for access to
> databases, in this manner:
>
> - BBDD_1 can only be accessed from IP address 172.21.2.2.
> - BBDD_2 can only be accessed from IP address 172.21.2.3.
>
> Both IP addresses, 172.21.2.2 and 172.21.2.3, are assigned to the first host,
> which acts as the mysql client. The latest release of the mysql client contains
> an option to pass --bind-ip-address, but my mysql client version does not (and
> I can't upgrade due to technical specifications).
>
> Therefore I need to discriminate traffic on the mysql client host when it tries
> to access the mysql server. I have found a partial solution by adding this
> iptables rule:
>
> iptables -t nat -A POSTROUTING -o eth1 -d 172.17.3.3 -p tcp --dport 3306 -j
> SNAT --to-source 172.21.2.2
>
> This rule works OK when the mysql client tries to access BBDD_1
Assuming BBDD_1 is 172.17.3.2, this rule won't be considered at all. Of
course stuff works because some address is the client's default.
* Re: Using source nat to discriminate traffic
From: carlopmart @ 2011-04-26 9:45 UTC (permalink / raw)
To: netfilter
On 04/26/2011 11:15 AM, Jan Engelhardt wrote:
> On Tuesday 2011-04-26 11:07, carlopmart wrote:
>
>> Hi all,
>>
>> I have a problem using source NAT rules to discriminate traffic on one host.
>> This host has several IP aliases assigned to provide several services. The problem
>> starts with the mysql client. This host needs to access another host that acts
>> as a MySQL server. This MySQL server has some ACLs configured for access to
>> databases, in this manner:
>>
>> - BBDD_1 can only be accessed from IP address 172.21.2.2.
>> - BBDD_2 can only be accessed from IP address 172.21.2.3.
>>
>> Both IP addresses, 172.21.2.2 and 172.21.2.3, are assigned to the first host,
>> which acts as the mysql client. The latest release of the mysql client contains
>> an option to pass --bind-ip-address, but my mysql client version does not (and
>> I can't upgrade due to technical specifications).
>>
>> Therefore I need to discriminate traffic on the mysql client host when it tries
>> to access the mysql server. I have found a partial solution by adding this
>> iptables rule:
>>
>> iptables -t nat -A POSTROUTING -o eth1 -d 172.17.3.3 -p tcp --dport 3306 -j
>> SNAT --to-source 172.21.2.2
>>
>> This rule works OK when the mysql client tries to access BBDD_1
>
> Assuming BBDD_1 is 172.17.3.2, this rule won't be considered at all. Of
> course stuff works because some address is the client's default.
The MySQL host IP address is 172.17.3.3, always, for all BBDD.
--
CL Martinez
carlopmart {at} gmail {d0t} com
* Re: Using source nat to discriminate traffic
From: Vigneswaran R @ 2011-04-26 12:02 UTC (permalink / raw)
To: netfilter
On 04/26/2011 02:37 PM, carlopmart wrote:
> - BBDD_1 can only be accessed from IP address 172.21.2.2.
> - BBDD_2 can only be accessed from IP address 172.21.2.3.
>
> Both IP addresses, 172.21.2.2 and 172.21.2.3, are assigned to the first
> host, which acts as the mysql client. The latest release of the mysql client
IMHO, if both the IPs are bound to the same host on a permanent basis,
it would be better (request the admin) to change the ACLs so that both
the databases (BBDD_1 and BBDD_2) are allowed from the same IP (either
172.21.2.2 or 172.21.2.3). Then, as you know, your iptables rule will
work for both databases.
Regards,
Vignesh
* Re: Using source nat to discriminate traffic
From: carlopmart @ 2011-04-26 12:42 UTC (permalink / raw)
To: netfilter
On 04/26/2011 02:02 PM, Vigneswaran R wrote:
> On 04/26/2011 02:37 PM, carlopmart wrote:
>> - BBDD_1 can only be accessed from IP address 172.21.2.2.
>> - BBDD_2 can only be accessed from IP address 172.21.2.3.
>>
>> Both IP addresses, 172.21.2.2 and 172.21.2.3, are assigned to the first
>> host, which acts as the mysql client. The latest release of the mysql client
>
> IMHO, if both the IPs are bound to the same host on a permanent basis,
> it would be better (request the admin) to change the ACLs so that both
> the databases (BBDD_1 and BBDD_2) are allowed from the same IP (either
> 172.21.2.2 or 172.21.2.3). Then, as you know, your iptables rule will
> work for both databases.
>
> Regards,
> Vignesh
Thanks Vignesh. Yes, your solution is perfect and correct. But there is
a problem: this host is included in a cluster (RHCS) with three nodes
(in three weeks, it will be six nodes). The service can run on hostA,
hostB or hostC ...
--
CL Martinez
carlopmart {at} gmail {d0t} com
* Re: Using source nat to discriminate traffic
From: Vigneswaran R @ 2011-04-27 5:37 UTC (permalink / raw)
To: netfilter
On 04/26/2011 06:12 PM, carlopmart wrote:
> Thanks Vignesh. Yes, your solution is perfect and correct. But there is
> a problem: this host is included in a cluster (RHCS) with three nodes
> (in three weeks, it will be six nodes). The service can run on hostA,
> hostB or hostC ...
OK. In that case I don't have any solution using iptables. I can suggest
the following two alternatives for your consideration.
1. Is there any application-level change that you can make? You already
said that you won't be able to upgrade the mysql client for technical
reasons. However, if the actual problem exists between the [web] services
which require DB access and the MySQL server, you can look for options
which allow you to specify the source IP while making the socket
connection to the MySQL server. E.g., if your website is using PHP to
make connections to the MySQL server, then the following code may help.
On website1,

    // Create a TCP socket, bind it to the alias the server's ACL expects,
    // then connect. No port is given to socket_bind(), so the kernel
    // assigns an ephemeral source port.
    $sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    socket_bind($sock, '172.21.2.2');
    socket_connect($sock, '172.17.3.3', 3306);
    // code to access BBDD_1

On website2,

    // Same sequence, bound to the alias that BBDD_2's ACL allows.
    $sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    socket_bind($sock, '172.21.2.3');
    socket_connect($sock, '172.17.3.3', 3306);
    // code to access BBDD_2

The above code snippet is only to give some idea and is neither complete
nor tested. Similar code must be available for other web technologies too.
ref:
[1] <http://stackoverflow.com/questions/4765269/specify-source-ip-using-fsockopen>
[2] Example #1 in <http://in2.php.net/manual/en/function.socket-bind.php>
2. Another option would be using Virtual Machines (VMs). Run the services
inside different VMs and migrate the VMs instead of the services across
hosts.
ref: <http://phparmor.com/php-source-code/how-can-i-bind-to-specific-ip-address-for-outbound-phpmysql-connection-linux/>
Note: Since my suggestions are not related to iptables, our discussion
seems to be off topic for this list. If you have any other queries,
please reply to me.
Regards,
Vignesh
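The original question (an SNAT rule keyed on the MySQL server's address, which cannot tell the BBDD_1 and BBDD_2 connections apart because both flows share the same destination IP and port) and Vignesh's socket_bind() suggestion come down to one mechanism: the client chooses its source address with bind() before connect(), which is also what the mysql client's --bind-address option does. The following script is an added example written for this page, not code from the thread or from MySQL. It runs a small stand-in for a source-IP ACL server on 127.0.0.1 and shows that an unbound client connects from the host's default address and is denied for BBDD_2, while binding to the expected alias first is allowed. The 127.0.0.x addresses (standing in for 172.21.2.2/.3 and 172.17.3.3), the one-line "database name" request and the OK/DENIED reply are constructed for the demo and are not the MySQL wire protocol; binding 127.0.0.2 assumes a Linux loopback, where the whole 127.0.0.0/8 block is local without any configuration.

```python
import socket
import threading

# Constructed stand-ins for the thread's addresses: the client aliases
# 172.21.2.2 / 172.21.2.3 become 127.0.0.1 / 127.0.0.2 and the MySQL server
# 172.17.3.3 becomes 127.0.0.1, so the demo runs offline. Binding 127.0.0.2
# assumes a Linux loopback, where all of 127.0.0.0/8 is a local address.
SERVER_IP = "127.0.0.1"
SOURCE_FOR_DB = {"BBDD_1": "127.0.0.1", "BBDD_2": "127.0.0.2"}

# Server-side ACL in the spirit of MySQL's 'user'@'host' grants:
# each database is reachable from exactly one client source address.
ACL = {"BBDD_1": "127.0.0.1", "BBDD_2": "127.0.0.2"}


def handle(conn, peer_ip, acl):
    """Toy request handler (constructed protocol, not MySQL's): the client
    sends a database name, the server answers OK or DENIED depending only
    on the peer's source IP, exactly like a per-host grant."""
    with conn:
        db = conn.recv(64).decode("ascii", "replace").strip()
        verdict = b"OK\n" if acl.get(db) == peer_ip else b"DENIED\n"
        conn.sendall(verdict)


def start_acl_server(acl, ip=SERVER_IP):
    """Listen on an ephemeral port and serve connections in a daemon thread.
    Returns the listening socket; getsockname() gives its (ip, port)."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((ip, 0))
    lsock.listen(8)

    def loop():
        while True:
            try:
                conn, (peer_ip, _port) = lsock.accept()
            except OSError:        # listening socket closed: stop serving
                return
            handle(conn, peer_ip, acl)

    threading.Thread(target=loop, daemon=True).start()
    return lsock


def query(server, db, source_ip=None):
    """Connect to `server` and ask for `db`. With source_ip set, bind() runs
    before connect(), the same step as mysql --bind-address or PHP's
    socket_bind(); without it the kernel picks the host's default source."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        if source_ip is not None:
            s.bind((source_ip, 0))      # port 0: kernel assigns ephemeral port
        s.settimeout(5)
        s.connect(server)
        s.sendall(db.encode("ascii") + b"\n")
        return s.recv(16).decode("ascii").strip()


def demo():
    """Reproduce the thread's symptom and its fix; returns the verdicts."""
    lsock = start_acl_server(ACL)
    server = lsock.getsockname()
    try:
        return {
            # the default source (127.0.0.1) happens to match BBDD_1's entry
            "BBDD_1 unbound": query(server, "BBDD_1"),
            # the same default source is the wrong one for BBDD_2: denied
            "BBDD_2 unbound": query(server, "BBDD_2"),
            # bind to the alias the ACL expects before connecting: allowed
            "BBDD_2 bound": query(server, "BBDD_2", SOURCE_FOR_DB["BBDD_2"]),
        }
    finally:
        lsock.close()


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16} -> {verdict}")
```

Running the script prints OK, DENIED, OK for the three cases. The point for the netfilter side of the thread is that an SNAT rule can only choose a source address from what it can match on: the two flows have identical destination address and port, so the first post's rule matches both and rewrites both to 172.21.2.2. For locally generated packets, netfilter's owner match (-m owner --uid-owner, valid in the OUTPUT and POSTROUTING chains) would let two SNAT rules pick different --to-source addresses, but only if the BBDD_1 and BBDD_2 consumers run under different UIDs; where they do not, the source address has to be chosen by the client as shown above.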