* port forwarding through localhost
@ 2007-01-26 21:56 Andy B.
  2007-01-26 22:18 ` Pascal Hambourg
  0 siblings, 1 reply; 8+ messages in thread
From: Andy B. @ 2007-01-26 21:56 UTC (permalink / raw)
  To: netfilter

I have a port forwarding issue with localhost.

Here is the deal:

Web server that uses many, many MySQL connections to 127.0.0.1 (port 3306).

Now I would like to put the MySQL server onto a dedicated machine without
changing the "127.0.0.1" setting on a few hundred websites.

The new MySQL server listens on 10.0.0.100:3306

My first guess was the following ruleset on the webserver:

iptables -t nat -A PREROUTING -p tcp -i lo --dport 3306 -j DNAT --to 10.0.0.100

Then I tried to telnet 127.0.0.1 3306, which failed immediately


I figured out the prerouting is no good for localhost and changed it into:

iptables -t nat -A OUTPUT -o lo -p tcp --dport 3306 -j DNAT --to 10.0.0.100:3306

telnet 127.0.0.1 3306 seems to do something, but not what I expected:

$ telnet 127.0.0.1 3333
Trying 127.0.0.1...

<sleeping...... sleeping......>

Timeout eventually.


A bit more information on the web server:

- eth0 = public IP (not needed here)
- eth1 = 10.0.0.99
- lo = 127.0.0.1

Dedicated MySQL Server:

- eth0 = public IP (not needed here)
- eth1 = 10.0.0.100
- lo = 127.0.0.1


What am I missing or doing wrong?

Thanks a lot,

Andy




* Re: port forwarding through localhost
  2007-01-26 21:56 port forwarding through localhost Andy B.
@ 2007-01-26 22:18 ` Pascal Hambourg
  2007-01-26 22:29   ` Andy B.
  0 siblings, 1 reply; 8+ messages in thread
From: Pascal Hambourg @ 2007-01-26 22:18 UTC (permalink / raw)
  To: netfilter

Hello,

Andy B. wrote:
> 
> Webserver that uses many many mySQL connections to 127.0.0.1 (Port 3306).
> 
> Now I would like to put the mySQL server onto a dedicated machine without
> changing the "127.0.0.1" setting on a few hundred websites.
> 
> The new mySQL Server listens on 10.0.0.100:3306
> 
> My first guess was the following ruleset on the webserver:
> 
> iptables -t nat -A PREROUTING -p tcp -i lo --dport 3306 -j DNAT --to 10.0.0.100
> 
> Then I tried to telnet 127.0.0.1 3306, which failed immediately

Of course. Locally generated packets don't go into the PREROUTING chain.

> I figured out the prerouting is no good for localhost and changed it into:
> 
> iptables -t nat -A OUTPUT -o lo -p tcp --dport 3306 -j DNAT --to 10.0.0.100:3306
> 
> telnet 127.0.0.1 3306 seems to do something, but not what I expected:
> 
> $ telnet 127.0.0.1 3333

Why 3333?

> Trying 127.0.0.1...
> 
> <sleeping...... sleeping......>
> 
> Timeout eventually.

Does connecting directly to the SQL server work (no filtering rule that 
may block the connection)?
What is the kernel version ? Since 2.6.11, DNAT in the OUTPUT chain does 
not mangle the source address any more. But 127.0.0.1 is an invalid 
address for external communication and is rejected by the re-routing 
decision.



* RE: port forwarding through localhost
  2007-01-26 22:18 ` Pascal Hambourg
@ 2007-01-26 22:29   ` Andy B.
  2007-01-26 22:50     ` Pascal Hambourg
  0 siblings, 1 reply; 8+ messages in thread
From: Andy B. @ 2007-01-26 22:29 UTC (permalink / raw)
  To: netfilter

Sorry about the "3333", it was a typo. Of course I meant 3306.

My rules are working when we are talking about the external interfaces
(eth0), and the SQL Server is responding when talking directly to 10.0.0.100

My complete ruleset looks like this:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -X
iptables -Z
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3306 -j DNAT --to 10.0.0.100
iptables -t nat -A OUTPUT -o lo -p tcp --dport 3306 -j DNAT --to 10.0.0.100:3306

The last rule is causing trouble, and it is the most important one, in order
to not bother my customers to change their settings :-/

Andy


* Re: port forwarding through localhost
  2007-01-26 22:29   ` Andy B.
@ 2007-01-26 22:50     ` Pascal Hambourg
  2007-01-26 22:55       ` Andy B.
  0 siblings, 1 reply; 8+ messages in thread
From: Pascal Hambourg @ 2007-01-26 22:50 UTC (permalink / raw)
  To: netfilter

Andy B. wrote:
> Sorry about the "3333", it was a typo. Of course I meant 3306.
> 
> My rules are working when we are talking about the external interfaces
> (eth0), and the SQL Server is responding when talking directly to 10.0.0.100

You didn't say what is the kernel version. If it is >= 2.6.11, you're stuck.

As I suggested to someone else having the same problem as you, instead 
of using a DNAT rule you may use a TCP "proxy" such as stone 
(<http://www.gcd.org/sengoku/stone/>, supports UDP too) or 6tunnel 
(<http://toxygen.net/6tunnel/>, originally designed to relay connections 
between IPv6 and IPv4 hosts but works between IPv4 hosts too) which 
listens on the local port 3306 and relays the local connections to the 
remote SQL server.



* RE: port forwarding through localhost
  2007-01-26 22:50     ` Pascal Hambourg
@ 2007-01-26 22:55       ` Andy B.
  2007-01-26 23:09         ` Jan Engelhardt
  2007-01-30 19:54         ` Michael P. Brininstool
  0 siblings, 2 replies; 8+ messages in thread
From: Andy B. @ 2007-01-26 22:55 UTC (permalink / raw)
  To: netfilter

I am using 2.6.19.2.

An intermediate tcp proxy method doesn't sound so nice, since iptables is
way more flexible to me :-/

Andy


* RE: port forwarding through localhost
  2007-01-26 22:55       ` Andy B.
@ 2007-01-26 23:09         ` Jan Engelhardt
  2007-01-30 19:54         ` Michael P. Brininstool
  1 sibling, 0 replies; 8+ messages in thread
From: Jan Engelhardt @ 2007-01-26 23:09 UTC (permalink / raw)
  To: Andy B.; +Cc: netfilter


>I am using 2.6.19.2.
>
>An intermediate tcp proxy method doesn't sound so nice, since iptables is
>way more flexible to me :-/

In fact, using such a proxy doubles the number of packets transferred.

What you should have done: use DNS names instead of fixed IP addresses. That
way you could have had

  mysql IN A 127.0.0.1

before, and now change it, no problem, to

  mysql IN A 192.168.123.45

But you have not, so better deal with it ;-)

	-`J'

* RE: port forwarding through localhost
  2007-01-26 22:55       ` Andy B.
  2007-01-26 23:09         ` Jan Engelhardt
@ 2007-01-30 19:54         ` Michael P. Brininstool
  2007-01-31  9:09           ` Andy B.
  1 sibling, 1 reply; 8+ messages in thread
From: Michael P. Brininstool @ 2007-01-30 19:54 UTC (permalink / raw)
  To: 'Andy B.', netfilter

I know this is a little late, but when doing services like this, it has
proved helpful in the past to have the customers use a FQDN
(fully qualified domain name) instead of an IP.  For example, I set up the
following: imap.domain.com, smtp.domain.com, www.domain.com,
mail.domain.com, mysql.domain.com, proxy.domain.com, ftp.domain.com, etc.,
even if they are all on the same machine.  That way, as services need to be
split off onto their own machine, a simple DNS change moves the load.

In the manner of helping in your current situation, isn't there a -j
REDIRECT table?

--
Michael P. Brininstool

* RE: port forwarding through localhost
  2007-01-30 19:54         ` Michael P. Brininstool
@ 2007-01-31  9:09           ` Andy B.
  0 siblings, 0 replies; 8+ messages in thread
From: Andy B. @ 2007-01-31  9:09 UTC (permalink / raw)
  To: netfilter

Yes, I know that I should have used some FQDN instead of localhost, but the
circumstances that once were have changed a lot - I will do better next time
:-)

-j REDIRECT is imho just for redirecting towards the same host (localhost to
localhost), so of no use.

As a quick fix, I am now using rinetd which does the trick, but the overhead
is driving the server load up :-/

Andy

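The userspace relay that Pascal proposes (stone, 6tunnel) and that Andy ends up running as rinetd, as an added example that is not part of the thread and is not the code of any of those tools: a minimal asyncio TCP forwarder in Python that owns the socket on 127.0.0.1:3306 and copies bytes to the MySQL host. The addresses 127.0.0.1 and 10.0.0.100 are taken from the thread; the relay_roundtrip() and dead_backend_closes_promptly() self-test helpers, their ephemeral-port echo backend and the payloads they send are constructed here for illustration. Besides the forwarding itself it shows one thing a relay gives that the OUTPUT DNAT rule did not: when the backend is unreachable the client is closed at once instead of hanging until the timeout Andy saw. The packet doubling Jan points out is inherent in this design, since every byte crosses the loopback once and eth1 once and is copied through the relay process in between, which is also the extra load Andy reports with rinetd.

```python
"""Userspace TCP relay in the spirit of stone / 6tunnel / rinetd.

A process owns the local socket and copies bytes to the real server, so no
packet ever leaves the box with 127.0.0.1 as its source address and no NAT
rule is involved.  The price is the doubled copying Jan mentions.
"""
import asyncio

# Assumed addresses, taken from the thread: the web server's loopback and
# the dedicated MySQL host on the private LAN.
LISTEN_HOST, LISTEN_PORT = "127.0.0.1", 3306
TARGET_HOST, TARGET_PORT = "10.0.0.100", 3306


async def _pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the peer sees the FIN."""
    try:
        while chunk := await src.read(65536):
            dst.write(chunk)
            await dst.drain()
    finally:
        if dst.can_write_eof():
            dst.write_eof()


async def _handle(client_r, client_w, target_host, target_port):
    try:
        remote_r, remote_w = await asyncio.open_connection(target_host, target_port)
    except OSError:
        client_w.close()      # backend unreachable: fail fast instead of hanging
        return
    try:
        await asyncio.gather(_pump(client_r, remote_w), _pump(remote_r, client_w))
    except OSError:
        pass                  # a reset on either side just ends the session
    finally:
        remote_w.close()
        client_w.close()


async def start_relay(listen_host, listen_port, target_host, target_port):
    """Bind the listener; returns an asyncio.Server (close() stops it)."""
    return await asyncio.start_server(
        lambda r, w: _handle(r, w, target_host, target_port), listen_host, listen_port)


async def _echo(r, w):
    """Stand-in backend for the self-test: echo everything once the client half-closes."""
    w.write(await r.read())
    await w.drain()
    w.close()


async def _through_relay(payload, backend_up):
    # Constructed test rig: echo backend on an ephemeral port, relay in front
    # of it, one client connection through the relay.
    backend = await asyncio.start_server(_echo, "127.0.0.1", 0)
    b_port = backend.sockets[0].getsockname()[1]
    relay = await start_relay("127.0.0.1", 0, "127.0.0.1", b_port)
    r_port = relay.sockets[0].getsockname()[1]
    if not backend_up:
        backend.close()       # leave nothing listening: simulates a dead server
        await backend.wait_closed()
    try:
        reader, writer = await asyncio.open_connection("127.0.0.1", r_port)
        if payload:
            writer.write(payload)
            await writer.drain()
            writer.write_eof()    # done sending; the echo backend replies on EOF
        try:
            echoed = await asyncio.wait_for(reader.read(), timeout=5)
        except ConnectionResetError:
            echoed = b""          # RST instead of FIN: still a prompt failure
        writer.close()
        return echoed
    finally:
        relay.close()
        if backend_up:
            backend.close()


def relay_roundtrip(payload: bytes) -> bytes:
    """Bytes that come back when payload goes through the relay to the echo backend."""
    return asyncio.run(_through_relay(payload, backend_up=True))


def dead_backend_closes_promptly() -> bool:
    """True if a client of a relay whose backend is down gets EOF, not a silent hang."""
    try:
        return asyncio.run(_through_relay(b"", backend_up=False)) == b""
    except asyncio.TimeoutError:
        return False


if __name__ == "__main__":
    async def main():
        server = await start_relay(LISTEN_HOST, LISTEN_PORT, TARGET_HOST, TARGET_PORT)
        async with server:
            await server.serve_forever()
    asyncio.run(main())
```

Run as a script it binds 127.0.0.1:3306 and forwards to 10.0.0.100:3306, so the sites' unchanged "127.0.0.1" setting keeps working; note that, unlike a kernel-side NAT, the relay terminates the TCP connection itself, so the MySQL host sees 10.0.0.99 as the client and any per-host grants must allow that address.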

Thread overview: 8+ messages
2007-01-26 21:56 port forwarding through localhost Andy B.
2007-01-26 22:18 ` Pascal Hambourg
2007-01-26 22:29   ` Andy B.
2007-01-26 22:50     ` Pascal Hambourg
2007-01-26 22:55       ` Andy B.
2007-01-26 23:09         ` Jan Engelhardt
2007-01-30 19:54         ` Michael P. Brininstool
2007-01-31  9:09           ` Andy B.