Sorry about the "3333", it was a typo. Of course I meant 3306.

My rules are working when we are talking about the external interfaces (eth0), and the SQL Server is responding when talking directly to 10.0.0.100.

My complete ruleset looks like this:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -X
iptables -Z
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3306 -j DNAT --to 10.0.0.100
iptables -t nat -A OUTPUT -o lo -p tcp --dport 3306 -j DNAT --to 10.0.0.100:3306

The last rule is causing trouble, and it is the most important one, in order to not bother my customers to change their settings :-/

Andy

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Pascal Hambourg
Sent: Friday, January 26, 2007 23:19
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: port forwarding through localhost

Hello,

Andy B. wrote:
>
> Webserver that uses many many mySQL connections to 127.0.0.1 (Port 3306).
>
> Now I would like to put the mySQL server onto a dedicated machine without
> changing the "127.0.0.1" setting on a few hundred websites.
>
> The new mySQL Server listens on 10.0.0.100:3306
>
> My first guess was the following ruleset on the webserver:
>
> iptables -t nat -A PREROUTING -p tcp -i lo --dport 3306 -j DNAT --to
> 10.0.0.100
>
> Then I tried to telnet 127.0.0.1 3306, which failed immediately

Of course. Locally generated packets don't go into the PREROUTING chain.

> I figured out the prerouting is no good for localhost and changed it into:
>
> iptables -t nat -A OUTPUT -o lo -p tcp --dport 3306 -j DNAT --to
> 10.0.0.100:3306
>
> telnet 127.0.0.1 3306 seems to do something, but not what I expected:
>
> $ telnet 127.0.0.1 3333

Why 3333 ?

> Trying 127.0.0.1...
>
> <sleeping...... sleeping......>
>
> Timeout eventually.

Does connecting directly to the SQL server work (no filtering rule that may block the connection) ? What is the kernel version ? Since 2.6.11, DNAT in the OUTPUT chain does not mangle the source address any more. But 127.0.0.1 is an invalid address for external communication and is rejected by the re-routing decision.
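The two pieces the OUTPUT-chain DNAT rule is missing, according to Pascal's explanation, as an added example that is not code from either poster: a POSTROUTING SNAT that replaces the 127.0.0.1 source the DNAT leaves behind, and the route_localnet sysctl (Linux 3.6 and later) so the re-routing decision accepts a 127/8 source on a non-loopback interface. It assumes eth1 with address 10.0.0.1 (hypothetical values) is the interface towards 10.0.0.100; setting IPT=echo SYSCTL=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread. Redirects connections made to
# 127.0.0.1:PORT to REMOTE:PORT on another host, completing the nat OUTPUT
# DNAT rule from the thread with the two pieces it lacks.
# Assumed (hypothetical) values: interface eth1, local address 10.0.0.1.
# Needs Linux 3.6 or later for the route_localnet sysctl.
# Set IPT=echo SYSCTL=echo to print the commands instead of applying them.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# redirect_localhost IFACE LOCAL_IP REMOTE_IP PORT
redirect_localhost() {
    iface="$1"; local_ip="$2"; remote="$3"; port="$4"

    # 1. Let a packet with a 127/8 source be routed out of IFACE (and replies
    #    with a 127/8 destination back in). Without this the re-routing
    #    decision after the OUTPUT DNAT rejects the packet, which is the hang
    #    seen with "telnet 127.0.0.1".
    "$SYSCTL" -w "net.ipv4.conf.$iface.route_localnet=1" >/dev/null

    # 2. Locally generated packets skip PREROUTING; rewrite the destination in
    #    the nat OUTPUT chain instead (the rule from the thread).
    "$IPT" -t nat -A OUTPUT -o lo -p tcp --dport "$port" \
        -j DNAT --to-destination "$remote:$port"

    # 3. Since 2.6.11 DNAT in OUTPUT leaves the source as 127.0.0.1, an address
    #    the server could never reply to. Rewrite it to IFACE's own address
    #    once the packet has been re-routed out of IFACE; conntrack reverses
    #    both translations on the replies.
    "$IPT" -t nat -A POSTROUTING -o "$iface" -s 127.0.0.0/8 -d "$remote" \
        -p tcp --dport "$port" -j SNAT --to-source "$local_ip"
}

# Run only with explicit arguments; sourcing the file just defines the function.
if [ "$#" -eq 4 ]; then
    redirect_localhost "$@"
fi
```

Preview first with `IPT=echo SYSCTL=echo sh redirect.sh eth1 10.0.0.1 10.0.0.100 3306`, then run it as root and check the translation with `conntrack -L` or `cat /proc/net/nf_conntrack` while a local client is connected.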