iptables DNAT of locally generated packets (localhost -> localhost -> remotehost)

Forums › Linux › iptables DNAT of locally generated packets (localhost -> localhost -> remotehost)

sleemanj

1474 posts

Uber Geek

#87441 29-Jul-2011 04:27

I want in plain english, attempts from localhost to connect to localhost:12345 to be nat'd to remotehost:12345

Before 2.6.11, this was possible if you had CONFIG_IP_NF_NAT_LOCAL in your kernel. After 2.6.11 this went away and I can not find a working solution (apart from using a SSH port forward or other user-level daemon based forwarding).

This is about as close as I have managed (remote is a google server for this example)....

YourIP=127.0.0.1
YourExternalIP=192.168.10.10
YourPort=12345
TargetIP=203.97.30.147
TargetPort=80

iptables -t nat -F
iptables -t nat -A PREROUTING --dst $YourIP -p tcp --dport $YourPort -j DNAT --to-destination $TargetIP:$TargetPort
iptables -t nat -A POSTROUTING -p tcp --dst $TargetIP --dport $TargetPort -j SNAT --to-source $YourExternalIP
iptables -t nat -A OUTPUT --dst $YourIP -p tcp --dport $YourPort -j DNAT --to-destination $TargetIP:$TargetPort

Anybody got any ideas?

---
James Sleeman
I sell lots of stuff for electronic enthusiasts...

Ragnor

8085 posts

Uber Geek

Trusted

#499442 29-Jul-2011 14:35

Can you explain why you need to do this, what application/service etc? Might be able to suggest a better alternative.

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

sleemanj

1474 posts

Uber Geek

#499514 29-Jul-2011 17:50

It's actually what I have found is very typical (but unanswered) desire to intercept mysql connections (from a website) heading to localhost where there is no mysql and forwarding them to a remote mysql.

In this case I'm working on an EC2 AMI setup so that performance-struggling but legacy websites can with as little modification as possible be dropped into these instances and become a load balanced cluster - using a big EC2 instance as a central NFSv4 server and MySQL server, and then having smaller EC2 instances as necessary come up, without MySQL and using the NFSv4 mounted as their document_root.

Of course, I could "do it properly" and modify the deployed instances configuration systems per-instance to connect to the appropriate remote host's mysql, but in the spirit of abstraction and dealing with labyrinthine legacy stuff, it would be much nicer to just know that localhost gets you to mysql.

That said, I think it's just not nicely possible, perhaps by looping from lo out and back into eth0 and then out again, but, well, gross.

A user space daemon will probably have to do, at least as a fallback if changing the configs is not so suitable on a given site.

---
James Sleeman
I sell lots of stuff for electronic enthusiasts...