Using source nat to discriminate traffic

Hi all,

I have a problem using source NAT rules to discriminate traffic on one host. This host has several IP aliases assigned to provide several services. The problem starts with the MySQL client. This host needs to access another host that acts as a MySQL server. This MySQL server has some ACLs configured for database access, in this manner:

 - BBDD_1 can only be accessed from IP address 172.21.2.2.
 - BBDD_2 can only be accessed from IP address 172.21.2.3.

Both IP addresses, 172.21.2.2 and 172.21.2.3, are assigned to the first host, which acts as the MySQL client. The latest release of the MySQL client contains an option to pass --bind-ip-address, but my MySQL client version does not (and I can't upgrade due to technical specifications).

So I need to discriminate traffic on the MySQL client host when it tries to access the MySQL server. I have found a partial solution by adding this iptables rule:

iptables -t nat -A POSTROUTING -o eth1 -d 172.17.3.3 -p tcp --dport 3306 -j SNAT --to-source 172.21.2.2

This rule works OK when the MySQL client tries to access BBDD_1, but not when it tries to access BBDD_2, because it then connects from the 172.21.2.2 IP address and the MySQL host denies the traffic.

Another point: the MySQL client host's principal IP address is 172.21.2.1, and I can't change it.

How can I resolve this? Is it possible?

--
CL Martinez
carlopmart {at} gmail {d0t} com
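Added example, not from the poster: the rule in the post keys only on the destination, and both connections share 172.17.3.3:3306, so the kernel cannot tell them apart by address. One way to split them is to run the two MySQL clients as different local users, tag their packets in the mangle OUTPUT chain with the owner match, and SNAT on that mark. The uids (1001, 1002) and mark values are assumptions; the script only generates the rules so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Generate per-user SNAT rules for connections to one MySQL server.
# Values from the post: server 172.17.3.3:3306, egress eth1,
# source aliases 172.21.2.2 (BBDD_1) and 172.21.2.3 (BBDD_2).
# Assumed: client for BBDD_1 runs as uid 1001, client for BBDD_2 as uid 1002;
# fwmarks 0x1 and 0x2 are arbitrary and must not collide with other marks in use.
DB_HOST=172.17.3.3
DB_PORT=3306
OUT_IF=eth1

# snat_rules UID MARK SRC
# Prints the two rules for one mapping: mark locally generated packets of UID
# heading to the DB server, then rewrite the source of marked packets in nat.
# The owner match only works on locally generated traffic (OUTPUT chain), which
# is exactly the client-on-this-host case described in the post.
snat_rules() {
    uid=$1; mark=$2; src=$3
    printf 'iptables -t mangle -A OUTPUT -o %s -d %s -p tcp --dport %s -m owner --uid-owner %s -j MARK --set-mark %s\n' \
        "$OUT_IF" "$DB_HOST" "$DB_PORT" "$uid" "$mark"
    printf 'iptables -t nat -A POSTROUTING -o %s -d %s -p tcp --dport %s -m mark --mark %s -j SNAT --to-source %s\n' \
        "$OUT_IF" "$DB_HOST" "$DB_PORT" "$mark" "$src"
}

# all_rules prints the complete rule set (mangle first, then nat).
# Review the output, then apply it with:  all_rules | sudo sh
all_rules() {
    snat_rules 1001 0x1 172.21.2.2
    snat_rules 1002 0x2 172.21.2.3
}

# rule_count returns how many iptables commands would be applied.
rule_count() {
    all_rules | wc -l | tr -d ' '
}

all_rules
```

Connections from any other uid keep the host's principal address 172.21.2.1, so a client started under the wrong account is refused by the server's ACL rather than silently reusing the wrong alias.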

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

