Re: Using source nat to discriminate traffic

On 04/26/2011 11:15 AM, Jan Engelhardt wrote:
> On Tuesday 2011-04-26 11:07, carlopmart wrote:
>
>> Hi all,
>>
>> I have a problem using source nat rules to discriminate traffic on one host.
>> This host has several ip aliases assigned to provide several services. The problem
>> starts with the mysql client. This host needs to access another host that acts
>> as MySQL server. This MySQL server has some acls configured to control access to
>> databases, in this manner:
>>
>> - BBDD_1 can only be accessed by ip address 172.21.2.2.
>> - BBDD_2 can only be accessed by ip address 172.21.2.3.
>>
>> Both ip addresses, 172.21.2.2 and 172.21.2.3, are assigned to the first host
>> that acts as a mysql client. The latest release of the mysql client contains an option
>> to pass --bind-ip-address, but my mysql client version does not (and I can't do an
>> upgrade due to technical specifications).
>>
>> Then, I need to discriminate traffic on the mysql client host when it tries to
>> access the mysql server. I have found a partial solution putting this iptables
>> rule:
>>
>> iptables -t nat -A POSTROUTING -o eth1 -d 172.17.3.3 -p tcp --dport 3306 -j SNAT --to-source 172.21.2.2
>>
>> This rule works ok when the mysql client tries to access BBDD_1.
>
> Assuming BBDD_1 is 172.17.3.2, this rule won't be considered at all. Of
> course stuff works because some address is the client's default.

MySQL host ip address is 172.17.3.3, always, to all BBDD.

--
CL Martinez
carlopmart {at} gmail {d0t} com
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
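As an added example (not code from the thread or from the netfilter project), here is a small Python model of first-match evaluation in the nat POSTROUTING chain. It plays the posted SNAT rule, plus a second one written the same way for BBDD_2, against connections from the client host and checks which source address the MySQL server's per-database ACL would see. The interface name eth1 and the server address and port come from the thread; the client's default address 172.21.2.1 and the ACL table are constructed assumptions. It reproduces Jan's point (a packet to any destination other than 172.17.3.3 never matches and keeps the default source) and shows why two destination-keyed rules toward a single server address cannot select different source addresses: the second rule is shadowed by the first, so every connection leaves as 172.21.2.2 and BBDD_2 is always refused.

```python
# Added example, not code from the thread: a small model of first-match
# evaluation in the nat POSTROUTING chain, used to check what source address
# the MySQL server would see for each connection from the client host.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    out_iface: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class SnatRule:
    """Model of: iptables -t nat -A POSTROUTING [-o IF] [-d DST] [-p PROTO --dport PORT] -j SNAT --to-source SRC"""
    out_iface: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    to_source: str

    def matches(self, pkt: Packet) -> bool:
        # An omitted match (None) matches anything, as in iptables.
        return (
            (self.out_iface is None or self.out_iface == pkt.out_iface)
            and (self.dst is None or self.dst == pkt.dst)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
        )


def postrouting_source(chain: List[SnatRule], pkt: Packet) -> str:
    """Source address after POSTROUTING: the first matching SNAT rule rewrites
    it (SNAT is a terminating target); no match leaves it unchanged."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.to_source
    return pkt.src


def shadowed_rules(chain: List[SnatRule]) -> List[SnatRule]:
    """Rules whose match criteria duplicate an earlier rule's and therefore can
    never fire (simplified check: exact-duplicate match criteria only)."""
    seen = set()
    shadowed = []
    for rule in chain:
        key = (rule.out_iface, rule.dst, rule.proto, rule.dport)
        if key in seen:
            shadowed.append(rule)
        seen.add(key)
    return shadowed


# Values from the thread: server 172.17.3.3:3306, client aliases 172.21.2.2/.3,
# and the server-side ACL that ties each database to one client address.
MYSQL_SERVER = "172.17.3.3"
DB_ACL = {"BBDD_1": "172.21.2.2", "BBDD_2": "172.21.2.3"}

# Constructed assumption: the client's default (primary) address on eth1.
DEFAULT_SRC = "172.21.2.1"

# The rule posted in the thread, and a second one for BBDD_2 written the same way.
RULE_BBDD_1 = SnatRule("eth1", MYSQL_SERVER, "tcp", 3306, "172.21.2.2")
RULE_BBDD_2 = SnatRule("eth1", MYSQL_SERVER, "tcp", 3306, "172.21.2.3")


def source_seen_by_server(chain: List[SnatRule], dst: str = MYSQL_SERVER) -> str:
    """Source address of a client connection to dst:3306 after the given chain."""
    pkt = Packet("eth1", DEFAULT_SRC, dst, "tcp", 3306)
    return postrouting_source(chain, pkt)


def acl_allows(db: str, src: str) -> bool:
    """The server-side rule from the thread: each database accepts one client address."""
    return DB_ACL[db] == src


if __name__ == "__main__":
    chain = [RULE_BBDD_1, RULE_BBDD_2]
    for db in DB_ACL:
        src = source_seen_by_server(chain)
        print(f"{db}: server sees {src}, allowed={acl_allows(db, src)}")
    print("shadowed:", shadowed_rules(chain))
```

The model only encodes the matches the posted rule uses (output interface, destination, protocol, port); since every connection to both databases shares all four, nothing in that rule's vocabulary can tell the two flows apart, which is the gap the thread is circling.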

