[Bug 804] New: localhost port forwarding to a different host with DNAT

bugzilla-daemon at bugzilla.netfilter.org bugzilla-daemon at bugzilla.netfilter.org
Fri Jan 4 16:23:22 CET 2013


           Summary: localhost port forwarding to a different host with
           Product: netfilter/iptables
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: NAT
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: hontvari at flyordie.com
   Estimated Hours: 0.0

This is a feature request, if nothing else, it documents the issue. The web is
full with questions about forwarding a local port to a different host using
iptables, with or without the DNAT target. Forwarding to a different host is
well supported by netfilter/iptables. Except if the port is on the loopback

Most frequently these questions are related to MySQL. For example people would
like to implement a simple failover/failback solution. They would configure all
their applications to connect to a port on localhost, let's say the standard
MySQL port, localhost:3306. The port would be redirected to a different host,
which actually runs the MySQL server. They have more than one MySQL servers,
several slaves or a passive backup master. All of them are running on remote
hosts. In case of a database server failure, they do not want to reconfigure
and restart all of their applications, or to alter the source code of these
applications to include the switch logic. Instead they would change the port
redirection with an iptables command, so the localhost:3306 port would redirect
to another MySQL host, which is still up. This architecture is currently
impossible with netfilter. Currently the workaround is to use a proxy, but this
is an overkill. After all, what is really needed is simply replacing the
destination IP address from localhost to another host in packets. (At least on
the command level, I understand that the actual implementation is far more

The question about this kind of localhost forwarding is so frequent, that some
people are annoyed by it. But that is the better situation, 19 out of 20
questions receive well-intentioned, but misleading answers, which would work on
a firewall server with two external interfaces, but which does not work with
the loopback interface.

Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

More information about the netfilter-buglog mailing list