Category Archives: iptables
Sanction, my little script for on-the-fly blocking of an entire IP set belonging to a specific country, has been updated to include ipset support if ipset is installed.
There are still a few items on the wish list for this: correct chaining in iptables for servers without ipset, setting up a clear and logical way to persist the ipset rules through a reboot, etc. For now, if you are looking for a quick and easy way to ban a country from accessing a port (or all ports) on your server, with iptables or ipset, sanction may be what you are looking for.
I got a request from a client today to redirect port 3306 on his localhost port to an external db server.
I started down my usual road of port redirection with iptables, before I began to realize that I couldn’t successfully DNAT localhost. It’s not a normal interface and doesn’t behave like one. I didn’t have a lot of time to spend on this one or I probably would have dug into iptables further to see if I could figure out a more elegant way to solve the problem (and I may still go back and play around in my own private environments to see if I can), but this is what I came up with that seemed to work a charm.
From the config file:
sh-4.1# cat /etc/xinetd.d/mysql
service mysql
{
    socket_type = stream
    wait = no
    user = root
    redirect = 192.168.100.100 3306
    bind = 127.0.0.1
}
A quick check that it was binding after an xinetd restart:
sh-4.1# netstat -natp | grep LISTEN | grep 3306
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 30264/xinetd
And after adjusting the users on the db server to permit remote access via the server’s ip address, it was working like a champ.
One note: if you use a user’s my.cnf file to set username and password, you need to modify it to look like:
sh-4.1# cat .my.cnf
[client]
protocol = TCP
or via command line parameter:
sh-4.1# mysql -h localhost -u USERNAME -p --protocol=tcp
otherwise it keeps looking for the MySQL socket file. What this effectively means for PHP scripts is that you need to use 127.0.0.1 rather than “localhost” to force the TCP connection.
I made a quick change on a client’s iptables configuration and went to save the iptables rules out when I encountered an error I’d never seen before:
iptables: Saving firewall rules to /etc/sysconfig/iptables: /etc/init.d/iptables: line 274: restorecon: command not found
A quick search later, I found it was fairly easy to resolve. There was just a missing package:
[root@server ~]# yum install policycoreutils
And all was well…
Ran into this one today for a client, and it has been such a long time since I had to do any NAT routing with iptables that it took me a bit to suss out again how it was done properly. In light of that, I’m documenting it here so it is easier to find 5 years from now when I need to do it again. 😉
Set forwarding in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
Then set the two rules. One to route the traffic to the remote host and the other to route it back:
# iptables -A PREROUTING -t nat -p tcp -d ip.of.box.1 --dport 3306 -j DNAT --to-destination ip.of.box.2
# iptables -A POSTROUTING -t nat -p tcp -d ip.of.box.2 --dport 3306 -j SNAT --to-source ip.of.box.1
Presto! All traffic to “ip.of.box.1” on port 3306 is now being routed out to 3306 on “ip.of.box.2”.
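The DNAT rule only works as intended when its SNAT partner (and ip_forward) are in place, and that is easy to lose on a reboot. The following audit script is an added example, not the post’s own code: it parses an iptables-save dump (the sample dump and sysctl text below are constructed) and reports DNAT forwards that have no return-path SNAT rule. One caveat worth keeping in mind: because of the SNAT, box 2 sees every connection as coming from box 1, so its logs and MySQL grants cannot distinguish the real clients.

```python
"""Audit an iptables-save dump for DNAT forwards lacking the SNAT return rule."""
import re

# Constructed sample of `iptables-save -t nat` output (addresses are documentation ranges).
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 198.51.100.20
-A POSTROUTING -d 198.51.100.20/32 -p tcp -m tcp --dport 3306 -j SNAT --to-source 203.0.113.10
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 198.51.100.30:80
COMMIT
"""
SAMPLE_SYSCTL = "# constructed /etc/sysctl.conf excerpt\nnet.ipv4.ip_forward = 1\n"

DNAT_RE = re.compile(r"^-A PREROUTING .*?-d (?P<dst>[\d.]+)(?:/32)? .*?--dport (?P<port>\d+) "
                     r".*?-j DNAT --to-destination (?P<to>\S+)")
SNAT_RE = re.compile(r"^-A POSTROUTING .*?-d (?P<dst>[\d.]+)(?:/32)? .*?--dport (?P<port>\d+) "
                     r".*?-j SNAT --to-source (?P<src>\S+)")


def parse_nat_table(dump):
    """Split a nat-table dump into lists of DNAT and SNAT rule dicts."""
    dnat, snat = [], []
    for line in dump.splitlines():
        m = DNAT_RE.match(line)
        if m:
            dnat.append(m.groupdict())
            continue
        m = SNAT_RE.match(line)
        if m:
            snat.append(m.groupdict())
    return dnat, snat


def find_unreturned_forwards(dump):
    """Return (public_ip, port, target) for each DNAT rule whose backend:port
    has no POSTROUTING SNAT rule rewriting the source back to public_ip."""
    dnat, snat = parse_nat_table(dump)
    returned = {(r["dst"], r["port"], r["src"]) for r in snat}
    missing = []
    for r in dnat:
        backend, _, bport = r["to"].partition(":")   # port may be rewritten by DNAT
        if (backend, bport or r["port"], r["dst"]) not in returned:
            missing.append((r["dst"], r["port"], r["to"]))
    return missing


def ip_forward_enabled(sysctl_text):
    """True if a sysctl.conf-style text sets net.ipv4.ip_forward to 1."""
    m = re.search(r"^\s*net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_text, re.M)
    return bool(m and m.group(1) == "1")


if __name__ == "__main__":
    print("ip_forward enabled:", ip_forward_enabled(SAMPLE_SYSCTL))
    for dst, port, to in find_unreturned_forwards(SAMPLE_DUMP):
        print(f"DNAT {dst}:{port} -> {to} has no matching SNAT return rule")
```

On a live host, feed it `iptables-save -t nat` and `/etc/sysctl.conf` instead of the constructed samples.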