Port Forwarding 3306

Iyengar
Posts: 33
Joined: 2005/09/23 13:34:25
Location: Middlesex County, MA, USA

Port Forwarding 3306

Post by Iyengar » 2015/03/23 20:07:55

I have a CentOS 5.11 server with 2 NICs with the following configs:
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
HWADDR=00:13:20:7f:6d:92
NETMASK=255.255.255.0
IPADDR=192.168.1.10
DNS1=127.0.0.1
DNS2=72.72.72.72
DNS3=72.72.72.73
DOMAIN=mydomain.com
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes

# Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
HWADDR=c4:6e:1f:01:f1:a5
NETMASK=255.255.255.0
IPADDR=10.15.1.10
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes
DEFROUTE=no
DNS1=127.0.0.1
DNS2=10.25.25.52
DNS3=10.25.25.53
DOMAIN=mydomain.com
IPV4_FAILURE_FATAL=yes

I am trying to forward port 3306 to 10.20.1.250:3306. So far I have tried doing this:

iptables -t nat -A PREROUTING -p tcp --dport 3306 -j DNAT --to-destination 10.20.1.250:3306
iptables -t nat -A PREROUTING -p udp --dport 3306 -j DNAT --to-destination 10.20.1.250:3306
iptables -t nat -A POSTROUTING -p tcp -d 10.20.1.250 --dport 3306 -j SNAT --to-source 192.168.1.10
iptables -t nat -A POSTROUTING -p udp -d 10.20.1.250 --dport 3306 -j SNAT --to-source 192.168.1.10

When I try to connect to the MySQL server from 192.168.1.11, it just hangs.
If I try to use PuTTY with SSH tunneling and 3306 configured from outside (the router forwards all SSH requests to 192.168.1.10:22), I get a communications link failure.

However, when I do the following:
iptables -t nat -A PREROUTING -p tcp --dport 3306 -j DNAT --to-destination 10.20.1.250:3306
iptables -t nat -A PREROUTING -p udp --dport 3306 -j DNAT --to-destination 10.20.1.250:3306
iptables -t nat -A POSTROUTING -p tcp -d 10.20.1.250 --dport 3306 -j SNAT --to-source 10.15.1.10
iptables -t nat -A POSTROUTING -p udp -d 10.20.1.250 --dport 3306 -j SNAT --to-source 10.15.1.10

then I can connect from 10.15.1.20.

I am not sure what I am doing wrong here. Any help is appreciated.

Also, iptables fails to start with the following error message:
Applying iptables firewall rules: iptables-restore v1.3.5: Can't set policy `PREROUTING' on `ACCEPT' line 4: Bad built-in chain name

First few lines in /etc/sysconfig/iptables:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 3306 -j DNAT --to-destination 10.20.1.250:3306
-A PREROUTING -p tcp -m udp --dport 3306 -j DNAT --to-destination 10.20.1.250:3306
-A POSTROUTING -d 10.20.1.250/32 -p tcp -m tcp --dport 3306 -j SNAT --to-source 10.15.1.10
-A POSTROUTING -d 10.20.1.250/32 -p udp -m udp --dport 3306 -j SNAT --to-source 10.15.1.10
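
As an added example that is not part of the post (and not CentOS or iptables project code), here is a small POSIX shell linter for an iptables-restore file that catches what the "Bad built-in chain name" error points at: PREROUTING/POSTROUTING chains and DNAT/SNAT targets written under `*filter` instead of `*nat`, plus a `-p tcp -m udp` mismatch like the one on the second DNAT line of the posted file. Both input fragments are constructed from the rules in the post; the corrected one assumes the layout iptables-restore expects (NAT rules in their own `*nat` section, a FORWARD accept in `*filter`) and drops the UDP rules, since MySQL uses TCP only.

```shell
#!/bin/sh
# Added example, not from the post: lint an iptables-restore file for
# chains and targets that do not belong to the table they are written in.
# The lists below are the built-in chains iptables knows per table.
lint_iptables_file() {
    awk '
    BEGIN {
        builtin["filter"] = " INPUT FORWARD OUTPUT "
        builtin["nat"]    = " PREROUTING POSTROUTING OUTPUT "
        builtin["mangle"] = " PREROUTING INPUT FORWARD OUTPUT POSTROUTING "
        builtin["raw"]    = " PREROUTING OUTPUT "
        table = ""; errors = 0
    }
    /^#/ || /^[[:space:]]*$/ || /^COMMIT/ { next }
    /^\*/ { table = substr($1, 2); next }       # *filter, *nat, ...
    /^:/ {                                       # :CHAIN POLICY [pkts:bytes]
        chain = substr($1, 2)
        # only built-in chains carry a policy; user chains are declared with "-"
        if ($2 != "-" && index(builtin[table], " " chain " ") == 0) {
            printf("line %d: chain %s is not built in to table %s (iptables-restore rejects the policy)\n", NR, chain, table)
            errors++
        }
        declared[table, chain] = 1
        next
    }
    /^-A / {
        chain = $2
        if (!((table, chain) in declared)) {
            printf("line %d: rule appended to undeclared chain %s in table %s\n", NR, chain, table)
            errors++
        }
        if (table != "nat" && $0 ~ /-j (DNAT|SNAT|MASQUERADE|REDIRECT)/) {
            printf("line %d: NAT target used outside the nat table (move the rule under *nat)\n", NR)
            errors++
        }
        proto = ""
        for (i = 3; i < NF; i++) if ($i == "-p") proto = $(i + 1)
        for (i = 3; i < NF; i++)
            if ($i == "-m" && ($(i + 1) == "tcp" || $(i + 1) == "udp") && proto != "" && $(i + 1) != proto) {
                printf("line %d: -p %s combined with -m %s (match module does not fit the protocol)\n", NR, proto, $(i + 1))
                errors++
            }
    }
    END { exit (errors > 0 ? 1 : 0) }
    ' "$@"
}

# Constructed input: the *filter section from the post, with a COMMIT added
# so the fragment is complete (the rest of the real file is not shown).
posted_snippet() {
cat <<'EOF'
*filter
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 3306 -j DNAT --to-destination 10.20.1.250:3306
-A PREROUTING -p tcp -m udp --dport 3306 -j DNAT --to-destination 10.20.1.250:3306
-A POSTROUTING -d 10.20.1.250/32 -p tcp -m tcp --dport 3306 -j SNAT --to-source 10.15.1.10
-A POSTROUTING -d 10.20.1.250/32 -p udp -m udp --dport 3306 -j SNAT --to-source 10.15.1.10
COMMIT
EOF
}

# Constructed input: the same forward in the layout iptables-restore expects.
# NAT rules live under *nat; the FORWARD rule lets the DNATed packets through
# the filter table. MySQL is TCP-only, so the UDP rules are not carried over.
corrected_snippet() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 3306 -j DNAT --to-destination 10.20.1.250:3306
-A POSTROUTING -d 10.20.1.250/32 -p tcp -m tcp --dport 3306 -j SNAT --to-source 10.15.1.10
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -d 10.20.1.250/32 -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
EOF
}

# Lint both fragments; the posted one fails to load, the corrected one passes.
posted_snippet | lint_iptables_file || echo "posted fragment: iptables-restore would reject this"
corrected_snippet | lint_iptables_file && echo "corrected fragment: ok"
```

Run it with `sh lint.sh`: the fragment from the post yields seven findings and a nonzero exit status, the corrected fragment passes. Two things a file linter cannot check but that matter for the "it just hangs" symptom: DNATed traffic still traverses the filter FORWARD chain and is only forwarded at all when net.ipv4.ip_forward is 1, and the SNAT --to-source address must be one the backend at 10.20.1.250 can route replies to; a source it cannot reach makes connections hang rather than fail outright.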
