RE: NAT & MySQL

The ACK packets you see in your dump are probably being dropped at the firewall because a state table entry does not exist.  So you need to add a NEW rule to do this:
 
iptables -A FORWARD -i ppp0 -o eth0 -m state --state NEW -j ACCEPT
 
This rule will then allow your ESTABLISHED,RELATED rule to work and permit those ACK packets to pass.



From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of adburne
Sent: Tuesday, November 25, 2003 4:18 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: NAT & MySQL

Can someone make NAT work with MySQL? I've tried for a long time without making it work.
 
My native language is Spanish, sorry for mistakes writing in English.
 
This is the situation:
 
I have a Linux box as gateway between my LAN and the Internet, routing packets without problems. I need access from the Internet to another Linux box running Apache and MySQL on my private LAN.
To make this work I tried to use NAT; with Apache all works OK, but with MySQL I can't connect. I've been looking on different network devices using tcpdump to find what's wrong.
 
This is what tcpdump shows on device eth0 on my MySQL server (inside the LAN): there is a request from 200.10.10.1 (Internet client) to 192.168.0.80 (MySQL LAN server), which replies with an ACK, but the Internet client doesn't reply. Any clue? =)
 
200.10.10.1.56405 > 192.168.0.80.3306: S 2205542765:2205542765(0) win 5840 <mss 1412,sackOK,timestamp 620645629 0,nop,wscale 0> (DF)
192.168.0.80.3306 > 200.10.10.1.56405: S 2497023396:2497023396(0) ack 2205542766 win 5792 <mss 1460,sackOK,timestamp 95764658 620645629,nop,wscale 0> (DF)
200.10.10.1.56405 > 192.168.0.80.3306: R 2205542766:2205542766(0) win 0 (DF)
200.10.10.1.56405 > 192.168.0.80.3306: S 2205542765:2205542765(0) win 5840 <mss 1412,sackOK,timestamp 620648701 0,nop,wscale 0> (DF)
192.168.0.80.3306 > 200.10.10.1.56405: S 2503023731:2503023731(0) ack 2205542766 win 5792 <mss 1460,sackOK,timestamp 95765258 620648701,nop,wscale 0> (DF)
200.10.10.1.56405 > 192.168.0.80.3306: R 2205542766:2205542766(0) win 0 (DF)
 
The forward rules on the gateway are:
 
# "Accept forward all connections to port 3306 on ppp0"
iptables -A FORWARD -p tcp -i ppp0 --dport 3306 -o eth0 -j ACCEPT
# "All established connections are ok"
iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# "All connection from inside to outside are accepted"
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
# "Rest go away"
iptables -A FORWARD -j REJECT
 
NAT rule:
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 3306 -j DNAT --to 192.168.0.80 -s 200.10.10.1
 
If someone can make the light turn on, thanks!!!!
 
Alejandro
 
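The state handling the reply describes, and the FORWARD chain from the original post with that NEW rule placed in front of the ESTABLISHED,RELATED rule, as an added example (this is not code from either poster): a small Python model that parses the tcpdump lines above, tags each packet the way `-m state` would (NEW for a first SYN, ESTABLISHED once the chain has ACCEPTed that SYN and the conntrack entry exists), and walks the chain first-match. It assumes the 192.168.0.0/24 LAN sits behind eth0 and everything else arrives on ppp0, models only TCP (so `-p tcp` is implicit), leaves out the poster's original `--dport 3306` rule so the effect of the NEW rule is visible on its own, and adds one constructed probe to port 22 that is not in the original capture, to show the difference between the NEW rule as posted and the same rule narrowed to `--dport 3306`.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Assumption: the private LAN lives behind eth0; anything else comes in on ppp0.
LAN = ipaddress.ip_network("192.168.0.0/24")

# Constructed sample: the first handshake from the thread's tcpdump output,
# re-joined onto one line each, plus one constructed probe to port 22.
CAPTURE = """\
200.10.10.1.56405 > 192.168.0.80.3306: S 2205542765:2205542765(0) win 5840 <mss 1412,sackOK,timestamp 620645629 0,nop,wscale 0> (DF)
192.168.0.80.3306 > 200.10.10.1.56405: S 2497023396:2497023396(0) ack 2205542766 win 5792 <mss 1460,sackOK,timestamp 95764658 620645629,nop,wscale 0> (DF)
200.10.10.1.56405 > 192.168.0.80.3306: R 2205542766:2205542766(0) win 0 (DF)
200.10.10.1.40000 > 192.168.0.80.22: S 1000:1000(0) win 5840 (DF)
"""

LINE_RE = re.compile(
    r"^(?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SRPFW.]+) "
)


@dataclass(frozen=True)
class Packet:
    sip: str
    sport: int
    dip: str
    dport: int
    flags: str  # tcpdump flag letters: S, R, P, F, "."
    ack: bool   # the line carries an "ack <n>" field

    @property
    def in_iface(self) -> str:
        return "eth0" if ipaddress.ip_address(self.sip) in LAN else "ppp0"

    @property
    def out_iface(self) -> str:
        return "eth0" if ipaddress.ip_address(self.dip) in LAN else "ppp0"


def parse_line(line: str) -> Packet:
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    return Packet(m["sip"], int(m["sport"]), m["dip"], int(m["dport"]),
                  m["flags"], " ack " in line)


class ConnTrack:
    # Simplified state table: an entry exists only after the chain has
    # ACCEPTed the connection's first packet (conntrack "confirmation").
    def __init__(self) -> None:
        self.table: set = set()

    @staticmethod
    def key(p: Packet) -> frozenset:
        return frozenset({(p.sip, p.sport), (p.dip, p.dport)})  # direction-free

    def classify(self, p: Packet) -> str:
        if self.key(p) in self.table:
            return "ESTABLISHED"
        if "S" in p.flags and not p.ack:
            return "NEW"      # bare SYN with no entry yet
        return "INVALID"      # mid-stream packet with no entry

    def confirm(self, p: Packet) -> None:
        self.table.add(self.key(p))


@dataclass(frozen=True)
class Rule:
    target: str
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[FrozenSet[str]] = None

    def matches(self, p: Packet, state: str) -> bool:
        return ((self.in_iface is None or self.in_iface == p.in_iface)
                and (self.out_iface is None or self.out_iface == p.out_iface)
                and (self.dport is None or self.dport == p.dport)
                and (self.states is None or state in self.states))


def forward(chain, p, state, policy="ACCEPT"):
    # First matching rule wins, as in iptables; `policy` is the chain policy.
    for rule in chain:
        if rule.matches(p, state):
            return rule.target
    return policy


def run(chain, capture=CAPTURE):
    # Returns one (packet summary, conntrack state, verdict) tuple per line.
    ct, results = ConnTrack(), []
    for line in capture.strip().splitlines():
        p = parse_line(line)
        state = ct.classify(p)
        verdict = forward(chain, p, state)
        if verdict == "ACCEPT" and state == "NEW":
            ct.confirm(p)  # from here on the flow matches ESTABLISHED
        results.append((f"{p.sip}:{p.sport}>{p.dip}:{p.dport} {p.flags}", state, verdict))
    return results


NEW = frozenset({"NEW"})
EST = frozenset({"ESTABLISHED", "RELATED"})

# The reply's NEW rule in front of the poster's ESTABLISHED,RELATED,
# inside-to-outside and REJECT rules.
FIX_AS_POSTED = [
    Rule("ACCEPT", "ppp0", "eth0", states=NEW),
    Rule("ACCEPT", "ppp0", "eth0", states=EST),
    Rule("ACCEPT", "eth0", "ppp0"),
    Rule("REJECT"),
]
# Same chain, but the NEW rule limited to the MySQL port.
FIX_NARROWED = [Rule("ACCEPT", "ppp0", "eth0", dport=3306, states=NEW)] + FIX_AS_POSTED[1:]

if __name__ == "__main__":
    for name, chain in (("as posted", FIX_AS_POSTED), ("narrowed to 3306", FIX_NARROWED)):
        print(f"--- NEW rule {name} ---")
        for summary, state, verdict in run(chain):
            print(f"{summary:42} {state:12} {verdict}")
```

Run it and the first three packets come out NEW / ESTABLISHED / ESTABLISHED and are accepted under both chains, which is the mechanism the reply relies on: the NEW rule admits the SYN, the entry it creates is what the ESTABLISHED,RELATED rule matches afterwards, including the server's SYN/ACK on the way back out. The fourth, constructed packet shows the cost of writing the NEW rule without a port: as posted it admits any fresh inbound connection from ppp0 to the whole LAN, while the variant with `--dport 3306` rejects the probe and only opens the port the DNAT rule actually forwards. Real conntrack also tracks SYN/ACK and FIN/RST sub-states and timeouts; this model collapses them into a single entry.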
