2

I have an application in a Docker container. I have the DB in another Docker container. The DB container has an exposed port of 49155. The application requires that the database be exposed on port 3306 and I can't change that thanks to IonCube obfuscation. So, I can point my application to the database container just fine, but the application can't find the DB (wrong port).

My initial solution was to use iptables to forward local requests on port 3306 to the remote container on port 49155 using:

iptables -t nat -A PREROUTING -p tcp --src 127.0.0.1 --dport 3306 -j REDIRECT --destination 192.168.200.212 --to-ports 49155

Still not working. Any thoughts?

EDIT

From application server tried:

iptables -t nat -I OUTPUT -p tcp --dst 192.168.200.212 --dport 3306 -j REDIRECT --to-ports 49155

and

iptables -t nat -A PREROUTING -p tcp --dport 3306 -j DNAT --to-destination 192.168.200.212:49155

Still no luck. Also ran nmap -p 3306 -sT 192.168.200.212 which showed 3306 as closed from the perspective of the application server.

  • your src won't be 127.0.0.1 it will be the IP of the interface being used ... unless the DB is on the same host – Skaperen Mar 05 '15 at 11:34

5 Answers

1

If we refer to the NetFilter packet flow diagram, we can see that only the OUTPUT and POSTROUTING chains will be referred for packets generated by Local Processes.

So, I'd try these lines:

-t nat -A OUTPUT -p tcp --dst 192.168.200.212 --dport 3306 -j DNAT --to-destination 192.168.200.212:49155
-t nat -A POSTROUTING -p tcp --dst 192.168.200.212 --dport 3306 -j MASQUERADE

The first rule 'replaces' the destination IP:Port; the second rule 'replaces' the source IP:Port.

pepoluan
  • 5,038
  • 4
  • 47
  • 72
0

Have you tried with

iptables -t nat -I OUTPUT -p tcp --dst 192.168.200.212 --dport 3306 -j REDIRECT --to-ports 49155

?

KikoV
  • 160
  • 4
0

Try iptables on the DB server instead, i.e.

iptables -t nat -A PREROUTING -p tcp --dport 3306 -j REDIRECT --to-ports 49155

aseaudi
  • 256
  • 1
  • 5
  • The problem is that the only exposed port on the DB server is 49155, so even if I changed it on the DB server, the application server wouldn't have access to 3306. – Concordus Applications Jan 08 '14 at 21:02
  • Try on application side : iptables -t nat -A PREROUTING -p tcp --dport 3306 -j DNAT --to-destination 192.168.200.212:49155 – aseaudi Jan 08 '14 at 21:19
0

I would use DNAT for port forwarding at the application server side, to forward port 3306 to port 49155:

iptables -t nat -A PREROUTING -p tcp --dport 3306 -j DNAT --to 192.168.200.212:49155

To set up port forwarding at the database server side I would use:

iptables -t nat -A PREROUTING -p tcp --dport 3306 -j REDIRECT --to-ports 49155

In both cases --src 127.0.0.1 has nothing to do here.

If you want to filter on source IP, --src should be the application server IP address in both cases.

krisFR
  • 13,280
  • 4
  • 36
  • 42
  • I'd have to do it from the application server side since I don't control the DB side. The DB accepts requests on 49155. I tried your solution and still no connection. I ran `nmap -p 3306 -sT 192.168.200.212` and it is showing port 3306 as closed. – Concordus Applications Jan 09 '14 at 00:58
0

I had a similar issue. My working solution (based on https://serverfault.com/a/566852/475571):

-t nat -A OUTPUT -p tcp --dst 127.0.0.1 --dport 3306 -j DNAT --to-destination 192.168.200.212:49155
-t nat -A POSTROUTING -p tcp --dst 192.168.200.212 --dport 49155 -j MASQUERADE
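Putting pepoluan's rules and the ones just above into a reusable form, as an added example that is not from the thread: the script renders, or idempotently applies, the nat/OUTPUT DNAT and nat/POSTROUTING MASQUERADE pair. The addresses and ports are the question's values and are assumed defaults, as is the `--apply` flag; setting `APP_DST=127.0.0.1` reproduces the variant in the last answer.

```shell
#!/bin/sh
# Added example (not from the original thread). Redirect a locally generated
# connection to APP_DST:APP_PORT over to DB_IP:DB_PORT. Defaults are the
# constructed values from the question; override them via the environment.
APP_DST="${APP_DST:-192.168.200.212}"   # address the application is pointed at
APP_PORT="${APP_PORT:-3306}"            # port hard-coded in the application
DB_IP="${DB_IP:-192.168.200.212}"       # where the DB container really listens
DB_PORT="${DB_PORT:-49155}"             # exposed DB port

# Locally generated packets never traverse PREROUTING (the question's mistake),
# so the destination rewrite has to live in nat/OUTPUT.
dnat_rule() {
    printf '%s\n' "-p tcp -d $APP_DST --dport $APP_PORT -j DNAT --to-destination $DB_IP:$DB_PORT"
}

# After DNAT the packet is re-routed; MASQUERADE fixes the source address so the
# reply returns on the same connection (essential when APP_DST is 127.0.0.1,
# where the source would otherwise remain 127.0.0.1 and never leave the host).
masq_rule() {
    printf '%s\n' "-p tcp -d $DB_IP --dport $DB_PORT -j MASQUERADE"
}

# Chain each rule belongs in.
chain_for() {
    case "$1" in
        dnat_rule) echo OUTPUT ;;
        masq_rule) echo POSTROUTING ;;
        *) return 1 ;;
    esac
}

# Idempotent apply: -C checks for an identical rule before -A appends one,
# so re-running the script does not stack duplicates.
apply_rule() {
    chain=$(chain_for "$1") || return 1
    spec=$("$1")
    # shellcheck disable=SC2086  # word splitting of $spec is intended
    iptables -t nat -C "$chain" $spec 2>/dev/null || iptables -t nat -A "$chain" $spec
}

# Render the full commands without touching the kernel, for review.
render_rules() {
    for r in dnat_rule masq_rule; do
        printf 'iptables -t nat -A %s %s\n' "$(chain_for "$r")" "$("$r")"
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_rule dnat_rule && apply_rule masq_rule
    iptables -t nat -S OUTPUT; iptables -t nat -S POSTROUTING   # show what is in place
else
    render_rules
fi
```

Run it without arguments to review the rules; run it as root with `--apply` on the application host, then confirm with `nmap -p 3306 -sT` against the address the application uses, as the asker did.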