bugzilla-daemon at bugzilla.netfilter.org
2013-Jan-04 15:23 UTC
[Bug 804] New: localhost port forwarding to a different host with DNAT
http://bugzilla.netfilter.org/show_bug.cgi?id=804

Summary: localhost port forwarding to a different host with DNAT
Product: netfilter/iptables
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P5
Component: NAT
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: hontvari at flyordie.com
Estimated Hours: 0.0

This is a feature request; if nothing else, it documents the issue.

The web is full of questions about forwarding a local port to a different host using iptables, with or without the DNAT target. Forwarding to a different host is well supported by netfilter/iptables, except if the port is on the loopback interface.

Most frequently these questions are related to MySQL. For example, people would like to implement a simple failover/failback solution. They would configure all their applications to connect to a port on localhost, let's say the standard MySQL port, localhost:3306. The port would be redirected to a different host, which actually runs the MySQL server. They have more than one MySQL server, several slaves or a passive backup master. All of them are running on remote hosts. In case of a database server failure, they do not want to reconfigure and restart all of their applications, or to alter the source code of these applications to include the switch logic. Instead they would change the port redirection with an iptables command, so the localhost:3306 port would redirect to another MySQL host, which is still up.

This architecture is currently impossible with netfilter. Currently the workaround is to use a proxy, but this is overkill. After all, what is really needed is simply replacing the destination IP address in packets from localhost with another host. (At least on the command level; I understand that the actual implementation is far more complex.)

The question about this kind of localhost forwarding is so frequent that some people are annoyed by it. But that is the better situation: 19 out of 20 questions receive well-intentioned but misleading answers, which would work on a firewall server with two external interfaces but do not work with the loopback interface.
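The rule set for the failover pattern the report describes, as an added example that is not part of the bug report or of the netfilter project: applications connect to 127.0.0.1:3306, a DNAT rule in the nat OUTPUT chain sends that traffic to the active MySQL host, and failover is one rule replacement. It assumes a kernel that provides the net.ipv4.conf.*.route_localnet sysctl (present since Linux 3.6), hypothetical hosts 10.0.0.11 and 10.0.0.12, and a chain name MYSQL_LOCAL chosen here.

```shell
#!/bin/sh
# Added example (not from the bug report): localhost:3306 -> active MySQL host via DNAT.
# Hypothetical addresses: 10.0.0.11 (primary) and 10.0.0.12 (standby).
# IPT/SYSCTL default to the real tools; set both to "echo" for a dry run.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
MYSQL_PORT=3306
CHAIN=MYSQL_LOCAL

# The only part of the rule set that changes on failover: the DNAT destination.
dnat_target() {
    echo "-p tcp -j DNAT --to-destination $1:$MYSQL_PORT"
}

# One-time setup. A dedicated chain holds exactly one DNAT rule so that failover
# can replace it in place (-R) instead of flushing and re-adding.
mysql_forward_setup() {
    # After conntrack reverses the NAT, replies are addressed to 127.0.0.1 but arrive
    # on a non-loopback interface; without route_localnet the kernel drops them as martians.
    "$SYSCTL" -w net.ipv4.conf.all.route_localnet=1
    # route_localnet also makes 127/8 reachable from the wire: refuse NEW connections
    # to loopback addresses that did not enter via lo (the MySQL replies are ESTABLISHED).
    "$IPT" -A INPUT ! -i lo -d 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
    "$IPT" -t nat -N "$CHAIN"
    "$IPT" -t nat -A OUTPUT -o lo -d 127.0.0.1 -p tcp --dport "$MYSQL_PORT" -j "$CHAIN"
    # Word splitting of dnat_target's output into separate arguments is intended.
    "$IPT" -t nat -A "$CHAIN" $(dnat_target "$1")
    # The redirected packet still carries source address 127.0.0.1; rewrite it to the
    # outgoing interface's address so the remote MySQL host can answer.
    "$IPT" -t nat -A POSTROUTING -s 127.0.0.0/8 ! -o lo -p tcp --dport "$MYSQL_PORT" -j MASQUERADE
}

# Failover/failback: point 127.0.0.1:3306 at another host with a single command.
mysql_forward_switch() {
    "$IPT" -t nat -R "$CHAIN" 1 $(dnat_target "$1")
}

# Usage (as root): mysql_forward_setup 10.0.0.11; later mysql_forward_switch 10.0.0.12
```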