On Tuesday 2011-04-26 11:07, carlopmart wrote:

> Hi all,
>
> I have a problem using source nat rules to discriminate traffic on one host.
> This host has several ip aliases assigned to provide several services. Problem
> starts with mysql client. This host needs to access to another host that acts
> as MySQL server. This MySQL server has some acls configured to access
> databases, in this manner:
>
> - BBDD_1 can only be accessed by ip address 172.21.2.2.
> - BBDD_2 can only be accessed by ip address 172.21.2.3
>
> Both ip addresses, 172.21.2.2 and 172.21.2.3, are assigned to the first host
> that acts as a mysql client. Latest release of mysql client contains an option
> to pass --bind-ip-address, but my mysql client version does not (and I can't do an
> upgrade due to technical specifications).
>
> Then, I need to discriminate traffic on mysql host client when it tries to
> access the mysql server. I have found a partial solution putting this iptables
> rule:
>
> iptables -t nat -A POSTROUTING -o eth1 -d 172.17.3.3 -p tcp --dport 3306 -j
> SNAT --to-source 172.21.2.2
>
> This rule works ok when mysql client tries to access BBDD_1

Assuming BBDD_1 is 172.17.3.2, this rule won't be considered at all. Of course stuff works because some address is the client's default.
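The reply's point (a POSTROUTING SNAT rule that never matches, with the client's default address doing the work) modelled as a small first-match simulation of the nat chain, plus the pair of rules that would actually pin one source address per destination. This is an added example, not code from the thread; the addresses follow the reply's assumption that BBDD_1 lives at 172.17.3.2 and BBDD_2 at 172.17.3.3, and 172.21.2.2 is taken to be the client's primary (default) address on eth1.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of iptables nat/POSTROUTING: rules are checked in order and the
# first match decides the translated source; an unmatched packet leaves with the
# address the routing table chose, here the client's primary address on eth1.
DEFAULT_SOURCE = "172.21.2.2"  # assumption: primary address of eth1


@dataclass(frozen=True)
class SnatRule:
    out_iface: str   # -o
    dst: str         # -d
    dport: int       # --dport (tcp)
    to_source: str   # -j SNAT --to-source

    def matches(self, out_iface: str, dst: str, dport: int) -> bool:
        return (self.out_iface, self.dst, self.dport) == (out_iface, dst, dport)

    def render(self) -> str:
        """The iptables command line that would install this rule."""
        return (f"iptables -t nat -A POSTROUTING -o {self.out_iface} -d {self.dst} "
                f"-p tcp --dport {self.dport} -j SNAT --to-source {self.to_source}")


def first_match(rules, out_iface: str, dst: str, dport: int) -> Optional[SnatRule]:
    """Return the rule that would be applied, or None if none matches."""
    for rule in rules:
        if rule.matches(out_iface, dst, dport):
            return rule
    return None


def select_source(rules, out_iface: str, dst: str, dport: int,
                  default: str = DEFAULT_SOURCE) -> str:
    """Source address the MySQL server sees for a new connection."""
    rule = first_match(rules, out_iface, dst, dport)
    return rule.to_source if rule else default


# The rule from the post: only ever fires for the 172.17.3.3 destination.
POSTED_RULES = [SnatRule("eth1", "172.17.3.3", 3306, "172.21.2.2")]

# One rule per destination so the source address is chosen deliberately
# (addresses per the reply's assumption, not from a real deployment).
CORRECTED_RULES = [
    SnatRule("eth1", "172.17.3.2", 3306, "172.21.2.2"),  # BBDD_1 host (assumed)
    SnatRule("eth1", "172.17.3.3", 3306, "172.21.2.3"),  # BBDD_2 host (assumed)
]

if __name__ == "__main__":
    for dst in ("172.17.3.2", "172.17.3.3"):
        print(dst, "posted:", select_source(POSTED_RULES, "eth1", dst, 3306),
              "corrected:", select_source(CORRECTED_RULES, "eth1", dst, 3306))
```

With the posted rule, a connection to 172.17.3.2 hits no rule and only succeeds because 172.21.2.2 happens to be the default; with the corrected pair each destination gets its intended source, and a packet that leaves via another interface or port still falls through to the default.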