Re: Port forwarding via iptables to postgres listening locally

On 06/19/2011 08:35 PM, David Resnick wrote:
> Thanks a lot for your reply!

> OK, the source and destination parameters were not intended to hide
> anything. Setting them like that got the same results in the iptables
> status output as when not specifying --source and --destination at all.

> Whoops, I missed that in the docs. Thanks for clarifying.

> Does --source need to be set to the address the machine is listening at?

No, it's the real source of the traffic.

> Chain PREROUTING (policy ACCEPT 242 packets, 27431 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 REDIRECT   tcp  --  *      *       192.23.25.177        127.0.0.1           tcp dpt:5432

Do you have any INPUT rule that explicitly ALLOWs traffic from 0.0.0.0/0 to 192.23.25.177/32 on tcp port 5432 ? Or a more general rule that allows that traffic too?

Remember that INPUT and FORWARD rules act on traffic *after* the PREROUTING rules have been applied, so you need to specify the destination host and port as 192.168.25.177 port 5432, not whatever host and port your gateway has.

It's often helpful to insert a -j LOG rule just before the end of each table, with a log prefix like 'INPUT_dfl_drop', 'OUTPUT_dfl_drop', etc just before the end of the INPUT, OUTPUT and FORWARD tables. That way you can see what traffic your firewall is dropping in the logs. You'll find that you need to add explicit DROP rules to silently drop certain high-noise traffic without logging it first. Logging dropped traffic not explicitly matched by any rule is something I find extremely handy as a diagnostic aid.

This is really a bit off-topic for the PostgreSQL mailing list, though.


> 07:01:38.671236 IP 192.23.197.91.36349 > 192.23.25.177.postgresql: S 2589386703:2589386703(0) win 5840 <mss 1400,sackOK,timestamp 1081689372 0,nop,wscale 6>

OK, so a series of connection requests and no replies, but after the PREROUTING rule has been applied so you're seeing the transformed addresses.

I'd say you need a rule in the FORWARD table to allow that traffic to be forwarded.

> I've turned on connection logging in postgres; there is no indication of
> any connection attempt. There don't seem to be any additional rules
> configured in iptables that would drop the packets.

Are the tables set to drop by default, or allow by default?

--
Craig Ringer

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
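The points made in the reply above (filter rules see the post-PREROUTING destination, and a LOG rule in front of a default DROP shows what the firewall is discarding) as an added example, not code from the thread. The script only prints an iptables-restore ruleset; it does not touch the live firewall. The interface address 192.23.25.177 and port 5432 come from the thread; the public port 15432, the DROP default policies, the conntrack matches, the log prefixes and rate limit, and the sample kernel log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset that
# redirects an externally exposed port to a locally listening PostgreSQL, with
# filter rules written against the *post-NAT* destination and a LOG rule before
# the default DROP of each filter chain. Apply on a test host with:
#   sh this.sh show | iptables-restore --test
IFACE_ADDR="${IFACE_ADDR:-192.23.25.177}"   # address of the interface clients connect to (from the thread)
PUBLIC_PORT="${PUBLIC_PORT:-15432}"         # assumed externally exposed port
PG_PORT="${PG_PORT:-5432}"                  # port PostgreSQL listens on

# nat table: the destination port is rewritten here, before any filter chain runs.
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport ${PUBLIC_PORT} -j REDIRECT --to-ports ${PG_PORT}
COMMIT
EOF
}

# filter table: INPUT/FORWARD see the packet *after* REDIRECT, so the ACCEPT rule
# matches ${IFACE_ADDR}:${PG_PORT}, not ${PUBLIC_PORT}. Both chains default to DROP
# (assumption); a rate-limited LOG rule sits just before that default so unmatched
# traffic shows up in the kernel log, with a silent DROP ahead of it for known noise.
filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -d ${IFACE_ADDR}/32 --dport ${PG_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport 137:138 -j DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT_dfl_drop: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD_dfl_drop: "
COMMIT
EOF
}

ruleset() { nat_rules; filter_rules; }

# Summarise logged drops as "SRC DST PROTO DPT", one per line. Note that DPT is the
# post-REDIRECT port: a dropped SYN to the database shows DPT=5432, which is the
# quickest sign that the INPUT rule was written for the public port by mistake.
dropped_summary() {
    grep -E '(INPUT|FORWARD)_dfl_drop: ' "$1" \
      | sed -E 's/.*SRC=([^ ]+) .*DST=([^ ]+) .*PROTO=([^ ]+) .*DPT=([0-9]+).*/\1 \2 \3 \4/'
}

# Constructed sample kernel log lines (not from the thread) in the shape iptables LOG writes.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Jun 19 20:40:01 gw kernel: INPUT_dfl_drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.23.197.91 DST=192.23.25.177 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=36349 DPT=5432 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 19 20:40:02 gw sshd[123]: Accepted publickey for dave from 10.0.0.7
Jun 19 20:40:03 gw kernel: FORWARD_dfl_drop: IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=10.0.1.9 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=99 DF PROTO=UDP SPT=5353 DPT=5353 LEN=32
EOF

if [ "${1:-}" = "show" ]; then
    ruleset
    echo "--- drops in sample log ---" >&2
    dropped_summary "$SAMPLE_LOG" >&2
fi
```

Run `sh this.sh show` to print the ruleset on stdout and the drop summary on stderr. Once the ruleset is loaded, `grep dfl_drop /var/log/kern.log` answers the two questions asked above (what the default policy is, and whether anything is silently discarding the SYNs) without guessing.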

