
I found this similar thread, but it doesn't work: https://stackoverflow.com/questions/10864854/forwarding-mysql-connection-with-iptables-and-differents-network-interfaces?rq=1

My environment as follows:

  • Computer A has two network interfaces: eth0 192.168.42.67 and eth1 192.168.110.2, with MySQL client installed, selinux disabled.
  • Computer B has only one network interface: eth0 192.168.110.4, with MySQL Server installed, iptables stopped, selinux disabled.

On Computer A, I use the command `mysql -h192.168.110.4 -uroot -p` to connect to MySQL on Computer B successfully.

Computer A's /etc/sysconfig/iptables looks as follows:

[root@net ~]# cat /etc/sysconfig/iptables  
# Generated by iptables-save v1.4.7 on Mon Jun  9 20:25:07 2014  
*filter  
:INPUT ACCEPT [0:0]  
:FORWARD ACCEPT [0:0]  
:OUTPUT ACCEPT [1:140]  
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT  
-A INPUT -i lo -j ACCEPT  
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT  
COMMIT  
# Completed on Mon Jun  9 20:25:07 2014  
# Generated by iptables-save v1.4.7 on Mon Jun  9 20:25:07 2014  
*nat  
:PREROUTING ACCEPT [0:0]  
:POSTROUTING ACCEPT [0:0]  
:OUTPUT ACCEPT [0:0]  
-A PREROUTING -p tcp -m tcp --dport 3306 -j LOG --log-prefix "REX_NAT_PRE2:"  
-A PREROUTING -p tcp -m tcp --dport 3306 -j DNAT --to-destination 192.168.110.4:3306  
-A POSTROUTING -s 192.168.110.4/32 -j MASQUERADE  
-A POSTROUTING -p tcp -j LOG --log-prefix "REX_NAT_POST:"  
COMMIT  

NOTE: I set default policy for every chain to ACCEPT.

I hope I can use `mysql -h192.168.42.67 -uroot -p` on Computer A to manipulate Computer B's MySQL.

I have also executed `modprobe iptable_nat` and `echo 1 > /proc/sys/net/ipv4/ip_forward`.

lost_in

2 Answers


Your PREROUTING rules do not apply to packets from A, because PREROUTING is only applied to forwarded packets and not to locally generated packets. Instead you can use the OUTPUT chain, which is for locally generated packets.

For both PREROUTING and OUTPUT I recommend that you add -d 192.168.42.67 to the DNAT rule, such that it doesn't match packets it wasn't intended to match.

Additionally, I recommend that you add -o eth0 or -o eth1 to the MASQUERADE rule in the POSTROUTING chain, such that it doesn't match packets it wasn't intended to match.

kasperd
  • Thanks for your reply, but I use a third computer C `192.168.42.77`, and I can't use `mysql -h192.168.42.67 -uroot -p` to connect to MySQL yet. Can you give me some tips? – lost_in Aug 31 '14 at 08:58
  • @lost_in Yes, please edit your question so that _all_ the necessary details are present. – Michael Hampton Aug 31 '14 at 09:44

Change this rule

-A POSTROUTING -s 192.168.110.4/32 -j MASQUERADE  

to

-A POSTROUTING -p tcp -m tcp -d 192.168.110.4/32 --dport 3306 -j MASQUERADE  

This would be enough together with the other rules you have specified.

Navern
  • Yes, it works, thank you, it puzzled me for so long!!! Can you explain why it works or suggest me some stuff to read? – lost_in Aug 31 '14 at 10:14
  • Yes, sure. It works because you need to NAT packets which are going TO 192.168.110.4, so it's the destination address. You could solve it without NAT, just by adding routes on computer C and computer B. To understand how it works you need to understand how routing decisions are made and how the network works. You can read Computer Networks (5th Edition) by Andrew Tanenbaum. Also `man iptables` will describe the syntax of iptables and provide additional info about chains and how packets are processed. – Navern Aug 31 '14 at 10:43
  • Also, please mark the answer as "Answered" if it solves your issue :) for future reference. – Navern Aug 31 '14 at 11:21
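To make both answers concrete, here is an added example (not from the question, the answerers, or the iptables project) that models the part of netfilter the two answers talk about: which nat chain a packet visits on Computer A (PREROUTING when it arrives on an interface, OUTPUT when A generates it itself), a routing decision, then POSTROUTING. It runs the question's original nat rules, Navern's accepted fix, and a version with kasperd's extra `-d`/`-o` matches over three constructed packets: the `mysql` client run on A, the client run on computer C, and an unrelated connection to port 3306 on some other host behind A. Conntrack, reply packets and the filter table are deliberately left out; the addresses and interface names are the ones from the question, and the hypothetical host 192.168.110.9 is constructed for the third case.

```python
"""Toy model of netfilter nat-table traversal on Computer A (added example)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional

# Computer A as described in the question.
LOCAL_ADDRS = {"eth0": "192.168.42.67", "eth1": "192.168.110.2"}
ROUTES = {"192.168.42.0/24": "eth0", "192.168.110.0/24": "eth1"}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: Optional[str] = None   # None means the packet was generated on A itself
    out_iface: Optional[str] = None  # filled in by the routing decision


@dataclass
class Rule:
    chain: str
    target: str                           # "DNAT" or "MASQUERADE"
    src: Optional[str] = None             # -s  (host or CIDR)
    dst: Optional[str] = None             # -d  (host or CIDR)
    dport: Optional[int] = None           # --dport (tcp assumed)
    out_iface: Optional[str] = None       # -o
    to_destination: Optional[str] = None  # --to-destination host:port


def _in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every specified match must hold; an unspecified match (None) matches anything."""
    if rule.src is not None and not _in_net(pkt.src, rule.src):
        return False
    if rule.dst is not None and not _in_net(pkt.dst, rule.dst):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.out_iface is not None and pkt.out_iface != rule.out_iface:
        return False
    return True


def run_chain(chain: str, rules: List[Rule], pkt: Packet) -> Packet:
    """Apply the first matching terminal rule of a nat chain (LOG is non-terminal, so omitted)."""
    for rule in rules:
        if rule.chain != chain or not rule_matches(rule, pkt):
            continue
        if rule.target == "DNAT":
            host, port = rule.to_destination.split(":")
            return replace(pkt, dst=host, dport=int(port))
        if rule.target == "MASQUERADE":
            return replace(pkt, src=LOCAL_ADDRS[pkt.out_iface])
    return pkt


def route(pkt: Packet) -> Packet:
    for net, iface in ROUTES.items():
        if _in_net(pkt.dst, net):
            return replace(pkt, out_iface=iface)
    raise ValueError(f"no route to {pkt.dst}")


def traverse(rules: List[Rule], pkt: Packet) -> dict:
    """Return where a packet ends up after A's nat hooks: {'delivered', 'dst', 'src'}."""
    if pkt.in_iface is None:
        pkt = run_chain("OUTPUT", rules, pkt)      # locally generated: nat OUTPUT, never PREROUTING
    else:
        pkt = run_chain("PREROUTING", rules, pkt)  # arrived on an interface
    if pkt.dst in LOCAL_ADDRS.values():
        return {"delivered": "local", "dst": pkt.dst, "src": pkt.src}  # handed to A's own INPUT path
    pkt = run_chain("POSTROUTING", rules, route(pkt))
    return {"delivered": pkt.out_iface, "dst": pkt.dst, "src": pkt.src}


TO_B = "192.168.110.4:3306"
# The question's nat rules (LOG rules left out, they do not alter packets).
ORIGINAL = [
    Rule("PREROUTING", "DNAT", dport=3306, to_destination=TO_B),
    Rule("POSTROUTING", "MASQUERADE", src="192.168.110.4/32"),
]
# Navern's accepted fix: masquerade what goes TO B's MySQL port.
NAVERN = [
    Rule("PREROUTING", "DNAT", dport=3306, to_destination=TO_B),
    Rule("POSTROUTING", "MASQUERADE", dst="192.168.110.4/32", dport=3306),
]
# Plus kasperd's points: an OUTPUT rule for A's own traffic, -d on the DNAT rules, -o on MASQUERADE.
HARDENED = [
    Rule("PREROUTING", "DNAT", dst="192.168.42.67", dport=3306, to_destination=TO_B),
    Rule("OUTPUT", "DNAT", dst="192.168.42.67", dport=3306, to_destination=TO_B),
    Rule("POSTROUTING", "MASQUERADE", dst="192.168.110.4/32", dport=3306, out_iface="eth1"),
]

# Constructed test packets.
FROM_A = Packet(src="192.168.42.67", dst="192.168.42.67", dport=3306)                   # mysql run on A
FROM_C = Packet(src="192.168.42.77", dst="192.168.42.67", dport=3306, in_iface="eth0")  # computer C
OTHER = Packet(src="192.168.42.77", dst="192.168.110.9", dport=3306, in_iface="eth0")   # unrelated host


def main():
    for name, rules in (("original", ORIGINAL), ("navern", NAVERN), ("hardened", HARDENED)):
        for label, pkt in (("A local", FROM_A), ("from C", FROM_C), ("other host", OTHER)):
            print(f"{name:8} {label:10} -> {traverse(rules, pkt)}")


if __name__ == "__main__":
    main()
```

Running it shows the three effects the answers describe: with the original rules, A's own client never reaches a DNAT rule and is delivered locally, and C's connection reaches B with its source address unchanged because the MASQUERADE rule matched on the wrong address; with Navern's fix C's traffic is rewritten to come from 192.168.110.2; and only the hardened set both handles A's own client (via OUTPUT) and leaves the unrelated port-3306 connection to 192.168.110.9 alone, where the original `--dport 3306` rule without `-d` silently redirected it to B.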