2008/01/25

Network Sleight of Hand

The mysql proxy cookbook has this recipe:

iptables -t nat -I PREROUTING \
-s ! 127.0.0.1 -p tcp \
--dport 3306 -j \
REDIRECT --to-ports 4040


It redirects remote clients attempting to connect to the default mysqld listen port to the mysql proxy daemon instead.

I had a legacy application with no support for port selection:

iptables -t nat -I PREROUTING \
-p tcp --destination dummyhostname --dport 3306 \
-j REDIRECT --to-ports 4040


This directs any connection to the dummy host port 3306 to instead go to the proxy - neat.
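The two rules above are one-shot commands; run twice they stack duplicate REDIRECT entries, and nothing confirms what is in the nat table afterwards. Here is an added example script (mine, not from the mysql proxy cookbook or the post) that applies the redirect idempotently, can remove it again, and lists the chain so you can see what is catching port 3306. It assumes the proxy listens on 4040, mysqld on 3306, and that remote clients arrive on eth0 (override with EXT_IF); matching on the inbound interface replaces the "-s ! 127.0.0.1" exclusion from the cookbook rule.

```shell
#!/bin/sh
# Added example: idempotent iptables REDIRECT of remote MySQL clients to a proxy.
# Assumed values (not from the original post): eth0 as the client-facing
# interface, mysqld on 3306, mysql-proxy on 4040. IPTABLES can be overridden,
# e.g. to a wrapper, for dry runs.
IPTABLES="${IPTABLES:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
MYSQL_PORT="${MYSQL_PORT:-3306}"
PROXY_PORT="${PROXY_PORT:-4040}"

# Match and target part of the rule, shared by check (-C), insert (-I) and
# delete (-D) so all three always refer to exactly the same rule.
rule_spec() {
    echo "-i $EXT_IF -p tcp --dport $MYSQL_PORT -j REDIRECT --to-ports $PROXY_PORT"
}

# Insert the redirect only if an identical rule is not already present.
# "iptables -C" exits 0 when a matching rule exists, non-zero otherwise.
ensure_redirect() {
    if "$IPTABLES" -t nat -C PREROUTING $(rule_spec) 2>/dev/null; then
        echo "redirect already present"
        return 0
    fi
    "$IPTABLES" -t nat -I PREROUTING $(rule_spec)
}

# Remove the redirect so port 3306 reaches mysqld directly again.
remove_redirect() {
    "$IPTABLES" -t nat -D PREROUTING $(rule_spec)
}

# Show the nat PREROUTING chain with packet counters and rule positions.
show_redirects() {
    "$IPTABLES" -t nat -L PREROUTING -n -v --line-numbers
}

case "${1:-}" in
    add)    ensure_redirect ;;
    remove) remove_redirect ;;
    show)   show_redirects ;;
    *)      echo "usage: $0 add|remove|show" >&2 ;;
esac
```

Run it as root with "add", then "show" to confirm the counters on the REDIRECT line climb as clients connect. One caveat worth knowing before you rely on this: the PREROUTING chain only sees packets arriving from the network, so a client on the box itself connecting to 127.0.0.1:3306 still talks to mysqld directly; redirecting local clients needs a separate rule in the nat OUTPUT chain.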

From this HP-UX security summary we see that HP-UX has ipfilter (new enough versions seem to have nat - older ones don't) and puts filter rules in /etc/opt/ipf/ipf.conf :

rdr lan0 20.20.20.5/32 port 80 -> 192.168.0.5 port 8000


redirects traffic from port 80 to port 8000, or how about some load balancing:

rdr lan0 20.20.20.5/32 port 80 -> 192.168.0.5,192.168.0.6 port 8000

A useful trick where the legacy application doesn't know about off host destinations and you would like to punt some of the load to another box.

ipf won't act as a reflector, which appears to mean that something like this doesn't work, even when I think that it should:

/etc/opt/ipf/ipnat.conf:
rdr lo0 127.0.0.1/32 port 7777 -> 192.168.0.42 port 23

# ipnat -CF -f /etc/opt/ipf/ipnat.conf
# ipnat -l
# ipnat -sv


Curious, as the interfaces are different.

It's also not clear if you have to enable ip forwarding on HP-UX with:

# ndd -set /dev/ip ip_forwarding 1
# ndd -get /dev/ip ip_forwarding
