I got a request from a client today to redirect port 3306 on his localhost port to an external db server.
I started down my usual road of port redirection with iptables, before I began to realize that I couldn't successfully DNAT localhost. It's not a normal interface and doesn't behave like one. I didn't have a lot of time to spend on this one, or I probably would have dug into iptables further to see if I could figure out a more elegant way to solve the problem (and I may still go back and play around in my own private environments to see if I can), but this is what I came up with, and it seemed to work a charm.
From the config file:
sh-4.1# cat /etc/xinetd.d/mysql
# xinetd needs the directives inside a service block; the service name "mysql"
# is resolved to port 3306 via /etc/services
service mysql
{
        socket_type     = stream
        wait            = no
        # the redirect itself needs no root privileges; an unprivileged user also works
        user            = root
        # forward every accepted connection to the external db server
        redirect        = 192.168.100.100 3306
        # listen on loopback only, so the redirect is not reachable from other hosts
        bind            = 127.0.0.1
}
A quick check that it was binding after an xinetd restart:
sh-4.1# netstat -natp | grep LISTEN | grep 3306
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 30264/xinetd
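One check worth scripting after the xinetd restart is that the redirect listens on loopback only, since a 0.0.0.0 bind would expose the remote database through this host. This is an added example, not part of the original post: it parses netstat-style lines (the samples below are constructed, modelled on the line above) and can be fed live `netstat -natp` output instead.

```sh
#!/bin/sh
# Added example: confirm that the xinetd redirect listens on loopback only.
# Constructed netstat-style samples, modelled on the post's `netstat -natp` line.
SAMPLE_OK='tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      30264/xinetd'
SAMPLE_EXPOSED='tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      30264/xinetd'

# check_loopback_listener PORT   (netstat -nat[p] style output on stdin)
# Exit status: 0 = every LISTEN socket on PORT is bound to 127.0.0.1 or ::1,
#              1 = at least one is bound to a wildcard or non-loopback address,
#              2 = nothing is listening on PORT at all.
check_loopback_listener() {
    port="$1"
    found=0
    bad=0
    while read -r proto recvq sendq local remote state prog; do
        [ "$state" = "LISTEN" ] || continue      # skip headers and non-listening sockets
        case "$local" in
            *:"$port") ;;                        # e.g. 127.0.0.1:3306 or :::3306
            *) continue ;;
        esac
        found=1
        addr="${local%:*}"                       # strip the trailing :PORT
        case "$addr" in
            127.0.0.1|::1) ;;
            *) bad=1 ;;                          # 0.0.0.0, ::, or a real interface address
        esac
    done
    [ "$found" -eq 1 ] || return 2
    [ "$bad" -eq 0 ] || return 1
    return 0
}

# Demonstration on the constructed samples; on a live host run instead:
#   netstat -natp | check_loopback_listener 3306
for sample in "$SAMPLE_OK" "$SAMPLE_EXPOSED"; do
    if echo "$sample" | check_loopback_listener 3306; then
        echo "loopback only: $sample"
    else
        echo "NOT loopback only (rc=$?): $sample"
    fi
done
```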
And after adjusting the users on the db server to permit remote access from this server's IP address, it was working like a champ.
One note: if you use a user's ~/.my.cnf file to set username and password, you need to modify it to look like:
sh-4.1# cat .my.cnf
# options must sit under a group header, otherwise the mysql client rejects the file
[client]
protocol = TCP
or via command line parameter:
sh-4.1# mysql -h localhost -u USERNAME -p --protocol=tcp
otherwise it keeps looking for the mysql socket file: the MySQL client libraries treat the host name "localhost" as a request for the Unix socket rather than a TCP connection. What this effectively means for PHP scripts is that you need to connect to 127.0.0.1 rather than "localhost" to force the TCP connection.