I got a request from a client today to redirect port 3306 on localhost to an external db server.

I started down my usual road of port redirection with iptables, before I began to realize that I couldn’t successfully DNAT localhost. It’s not a normal interface and doesn’t behave like one. I didn’t have a lot of time to spend on this one or I probably would have dug into iptables further to see if I could figure out a more elegant way to solve the problem (and I may still go back and play around in my own private environments to see if I can), but this is what I came up with that seemed to work a charm.

Xinetd.

From the config file:

sh-4.1# cat /etc/xinetd.d/mysql
service mysql
{
socket_type = stream
wait = no
user = root
redirect = 192.168.100.100 3306
bind = 127.0.0.1
}

A quick check that it was binding after an xinetd restart:

sh-4.1# netstat -natp | grep LISTEN | grep 3306
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 30264/xinetd
sh-4.1#
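As an added example (not part of the original post), here is a small POSIX shell helper that pulls attributes out of an xinetd service stanza like the one above and confirms the redirect is bound to loopback only, so the forwarder is not reachable from other hosts; the stanza is embedded as a constructed sample so it runs offline.

```shell
#!/bin/sh
# Constructed sample: the xinetd stanza from the post, embedded so this runs offline.
SAMPLE_CONF='service mysql
{
socket_type = stream
wait = no
user = root
redirect = 192.168.100.100 3306
bind = 127.0.0.1
}'

# Print the value of attribute $2 from the xinetd service stanza in $1.
# Tolerates tabs and optional whitespace around "="; skips comments and braces.
xinetd_attr() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); sub(/[[:space:]]+$/, "", k)
            if (k != key) next
            v = substr(line, n + 1)
            sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            print v; exit
        }'
}

# Return 0 when the redirect listens on a loopback address only.
# A missing "bind" means xinetd listens on every interface, which would expose
# the forwarder (and the remote db behind it) to the whole network.
xinetd_redirect_local_only() {
    b=$(xinetd_attr "$1" bind)
    case "$b" in
        127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Example run: prints the redirect target and verdict for the sample stanza.
xinetd_report() {
    printf 'redirect -> %s\n' "$(xinetd_attr "$1" redirect)"
    if xinetd_redirect_local_only "$1"; then echo "bind: loopback only"; else echo "bind: NOT restricted"; fi
}
```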

And after adjusting the users on the db server to permit remote access via the server’s ip address, it was working like a champ.

One note: if you use a per-user .my.cnf file to set the username and password, you need to modify it to look like:

sh-4.1# cat .my.cnf
[client]
user=USERNAME
password=PASSWORD
protocol = TCP

or via command line parameter:

sh-4.1# mysql -h localhost -u USERNAME -p --protocol=tcp

otherwise the client keeps looking for the mysql socket file instead of connecting over TCP. What this effectively means for PHP scripts is that you need to use 127.0.0.1 rather than “localhost”, to force the TCP connection.


Category: iptables, xinetd
