Kamil

MySQL user connects from gateway IP after turning on port redirection on NAT

I have two containers on a virtualization host that has a "LAN" bridge (vmbr1) and a "WAN" bridge (vmbr0).

The virtualization host has a public IP (let's assume a dummy 123.123.123.123) configured on the vmbr0 bridge.

Inside this virtualization host I have two containers:

  • web container (10.1.0.210/24)
  • database container (10.1.0.250/24)

The web container uses the MySQL database. It is configured to connect to 10.1.0.250:3306.

In MySQL I have a user for the web application, which is allowed to connect only from the web host (10.1.0.210).

Everything was working fine until I added these NAT rules (supposed to allow connections from the WAN). This is from my /etc/network/interfaces vmbr1 (LAN) configuration:

# there is no need to add -m multiport here, these rules are from my "template"
# post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m multiport --dport 3306 -j DNAT --to-destination 10.5.0.250
# post-up iptables -t nat -A POSTROUTING -o vmbr1 -p tcp -m multiport --dport 3306 -d 10.5.0.250 -j SNAT --to-source 10.5.0.1
# pre-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp -m multiport --dport 3306 -j DNAT --to-destination 10.5.0.250
# pre-down iptables -t nat -D POSTROUTING -o vmbr1 -p tcp -m multiport --dport 3306 -d 10.5.0.250 -j SNAT --to-source 10.5.0.1

The problem is that when I add these rules to iptables:

iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m multiport --dport 3306 -j DNAT --to-destination 10.5.0.250
iptables -t nat -A POSTROUTING -o vmbr1 -p tcp -m multiport --dport 3306 -d 10.5.0.250 -j SNAT --to-source 10.5.0.1

MySQL throws a login error when the web application tries to connect, because the connection is coming from the 10.1.0.1 address (the gateway on the LAN side) instead of the real 10.1.0.210 (from MySQL's point of view, user [email protected] is allowed to connect, but user [email protected] is not allowed).

Is it because all connections on port 3306 now go through NAT?

How can I fix this?

I guess I should "narrow" these NAT rules so that they apply only when the connection comes from the WAN, but I don't have enough knowledge about networks and iptables to mess with it on a production server.
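As an added example (not part of the question and not a posted answer), here are the same two rules with the SNAT narrowed to flows that were DNATed on the way in, using the interface names and 10.5.0.x addresses from the question's rule block; by default the script only prints the commands (set IPTABLES=iptables to apply them).

```shell
#!/bin/sh
# Added example: narrow the POSTROUTING SNAT so LAN clients keep their real
# source address. Interface names and addresses are taken from the question's
# rule block (10.5.0.x); they are assumptions, adjust to your setup.
# Dry-run by default: IPTABLES="iptables" applies the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"

WAN_IF=vmbr0
LAN_IF=vmbr1
DB_HOST=10.5.0.250
LAN_GW=10.5.0.1
DB_PORT=3306

# Rules as posted in the question. The SNAT matches every packet leaving
# vmbr1 towards 10.5.0.250:3306. When bridged traffic passes through the
# host's netfilter (bridge-nf-call-iptables=1, the Proxmox default), that
# includes the web container's own connections, so MySQL sees 10.5.0.1.
orig_rules() {
  $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$DB_PORT" \
    -j DNAT --to-destination "$DB_HOST"
  $IPTABLES -t nat -A POSTROUTING -o "$LAN_IF" -p tcp --dport "$DB_PORT" \
    -d "$DB_HOST" -j SNAT --to-source "$LAN_GW"
}

# Narrowed rules: the SNAT only applies to connections whose destination was
# rewritten by the DNAT rule, i.e. those that arrived through the WAN
# redirect. Connections originating on the LAN are never DNATed, so they
# reach MySQL with their original source (10.5.0.x) and the per-host grant
# keeps working.
wan_only_rules() {
  $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$DB_PORT" \
    -j DNAT --to-destination "$DB_HOST"
  $IPTABLES -t nat -A POSTROUTING -o "$LAN_IF" -p tcp --dport "$DB_PORT" \
    -d "$DB_HOST" -m conntrack --ctstate DNAT -j SNAT --to-source "$LAN_GW"
}

# Check helper: returns 0 when a rule set's POSTROUTING SNAT is restricted
# to DNATed flows (and therefore preserves LAN client source addresses).
snat_limited_to_dnat() {
  "$1" | grep POSTROUTING | grep -q -- '--ctstate DNAT'
}
```

The matching pre-down lines in /etc/network/interfaces are the same commands with -D instead of -A.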