bugzilla-daemon at bugzilla.netfilter.org
2013-Jan-04 15:23 UTC
[Bug 804] New: localhost port forwarding to a different host with DNAT
http://bugzilla.netfilter.org/show_bug.cgi?id=804
Summary: localhost port forwarding to a different host with
DNAT
Product: netfilter/iptables
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P5
Component: NAT
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: hontvari at flyordie.com
Estimated Hours: 0.0
This is a feature request, if nothing else, it documents the issue. The web is
full with questions about forwarding a local port to a different host using
iptables, with or without the DNAT target. Forwarding to a different host is
well supported by netfilter/iptables. Except if the port is on the loopback
interface.
Most frequently these questions are related to MySQL. For example people would
like to implement a simple failover/failback solution. They would configure all
their applications to connect to a port on localhost, let's say the standard
MySQL port, localhost:3306. The port would be redirected to a different host,
which actually runs the MySQL server. They have more than one MySQL servers,
several slaves or a passive backup master. All of them are running on remote
hosts. In case of a database server failure, they do not want to reconfigure
and restart all of their applications, or to alter the source code of these
applications to include the switch logic. Instead they would change the port
redirection with an iptables command, so the localhost:3306 port would redirect
to another MySQL host, which is still up. This architecture is currently
impossible with netfilter. Currently the workaround is to use a proxy, but this
is an overkill. After all, what is really needed is simply replacing the
destination IP address from localhost to another host in packets. (At least on
the command level, I understand that the actual implementation is far more
complex).
The question about this kind of localhost forwarding is so frequent, that some
people are annoyed by it. But that is the better situation, 19 out of 20
questions receive well-intentioned, but misleading answers, which would work on
a firewall server with two external interfaces, but which does not work with
the loopback interface.
--
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
Seemingly Similar Threads
- [Bug 804] localhost port forwarding to a different host with DNAT
- [Bug 1160] New: dnat ip address not shown in nft list output when using port value
- [Bug 1428] New: Unable to dnat to port without defining destination address in inet table
- [Bug 763] New: dnat and snat not changing port numbers on sctp packets
- [Bug 1134] New: snat and dnat should accept mapping concatenated values for address and port
Wisdom of the Ancients
