Re: Port forwarding via iptables to postgres listening locally

From: Craig Ringer
Subject: Re: Port forwarding via iptables to postgres listening locally
Date:
Msg-id: 4DFE02B6.5060906@postnewspapers.com.au
In reply to: Re: Port forwarding via iptables to postgres listening locally  (David Resnick <abunetta@gmail.com>)
Responses: Re: Port forwarding via iptables to postgres listening locally  (David Resnick <abunetta@gmail.com>)
List: pgsql-general
On 06/19/2011 08:35 PM, David Resnick wrote:
> Thanks a lot for your reply!
>
> OK, the source and destination parameters were not intended to hide
> anything. Setting them like that got the same results in the iptables
> status output as when not specifying --source and --destination at all.

Whoops, I missed that in the docs. Thanks for clarifying.

> Does --source need to be set to the address the machine is listening at?

No, it's the real source of the traffic.

> Chain PREROUTING (policy ACCEPT 242 packets, 27431 bytes)
>   pkts bytes target     prot opt in     out     source
> destination
>      0     0 REDIRECT   tcp  --  *      *       192.23.25.177
> 127.0.0.1           tcp dpt:5432

Do you have any INPUT rule that explicitly ALLOWs traffic from 0.0.0.0/0
to 192.23.25.177/32 on tcp port 5432 ? Or a more general rule that
allows that traffic too?

Remember that INPUT and FORWARD rules act on traffic *after* the
PREROUTING rules have been applied, so you need to specify the
destination host and port as 192.168.25.177 port 5432, not whatever host
and port your gateway has.

It's often helpful to insert a -j LOG rule, with a log prefix like
'INPUT_dfl_drop', 'OUTPUT_dfl_drop', etc., just before the end of the
INPUT, OUTPUT and FORWARD tables. That way you can see what traffic your
firewall is dropping in the logs. You'll find that you need to add
explicit DROP rules to silently drop certain high-noise traffic without
logging it first. Logging dropped traffic not explicitly matched by any
rule is something I find extremely handy as a diagnostic aid.

This is really a bit off-topic for the PostgreSQL mailing list, though.


> 07:01:38.671236 IP 192.23.197.91.36349 > 192.23.25.177.postgresql: S
> 2589386703:2589386703(0) win 5840 <mss 1400,sackOK,timestamp 1081689372
> 0,nop,wscale 6>

OK, so a series of connection requests and no replies, but after the
PREROUTING rule has been applied so you're seeing the transformed addresses.

I'd say you need a rule in the FORWARD table to allow that traffic to be
forwarded.

> I've turned on connection logging in postgres; there is no indication of
> any connection attempt. There don't seem to be any additional rules
> configured in iptables that would drop the packets.

Are the tables set to drop by default, or allow by default?

--
Craig Ringer
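The rule layout Craig describes above, as an added example that is not part of the thread and not rules from either poster or from PostgreSQL: a POSIX shell script that puts the port rewrite in nat/PREROUTING, matches the post-NAT destination in filter/INPUT (the point about INPUT seeing traffic only after PREROUTING), silently drops one class of high-noise traffic, and logs whatever reaches the end of each default-DROP chain. Assumptions: the host's external address is 192.23.25.177 (taken from the thread), PostgreSQL is bound only to 127.0.0.1:5432, clients come from 192.23.0.0/16 (an assumed range; tighten it to your real clients), and the IPT and SYSCTL variables name the binaries to run. It uses DNAT rather than REDIRECT because REDIRECT rewrites the destination to the incoming interface's primary address, which a daemon bound only to loopback never sees. By default IPT and SYSCTL are set to echo, so the script prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the thread). Preview mode by default: set
# IPT=/sbin/iptables SYSCTL=/sbin/sysctl and run as root to load the rules.
set -eu

IPT="${IPT:-echo}"
SYSCTL="${SYSCTL:-echo}"
EXT_IP="${EXT_IP:-192.23.25.177}"         # external address used in the thread
PG_PORT="${PG_PORT:-5432}"
CLIENT_NET="${CLIENT_NET:-192.23.0.0/16}" # assumed client range; tighten it

build_rules() {
    # Packets DNATed to 127.0.0.1 that arrive on a non-loopback interface are
    # rejected by the routing code unless this sysctl is on (Linux 3.6+).
    $SYSCTL -w net.ipv4.conf.all.route_localnet=1

    # 1. nat/PREROUTING runs before routing and before INPUT. REDIRECT would
    #    retarget to the incoming interface's primary address, which a daemon
    #    bound only to 127.0.0.1 never sees, so DNAT to loopback explicitly.
    $IPT -t nat -A PREROUTING -p tcp -s "$CLIENT_NET" -d "$EXT_IP" \
        --dport "$PG_PORT" -j DNAT --to-destination "127.0.0.1:$PG_PORT"

    # 2. filter/INPUT sees the packet *after* NAT: match the rewritten
    #    destination 127.0.0.1, not the address the client connected to.
    #    The packet arrived on the external interface, so '-i lo' does not
    #    cover it; an explicit rule for the post-NAT destination is needed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp -s "$CLIENT_NET" -d 127.0.0.1 --dport "$PG_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT

    # 3. Explicitly and silently drop known high-noise traffic (NetBIOS
    #    broadcasts, as an example) so it does not bury real drops in the log.
    $IPT -A INPUT -p udp --dport 137:138 -j DROP

    # 4. Last rule in each default-DROP chain: log what is about to be
    #    dropped, rate-limited so a flood cannot fill the disk. OUTPUT keeps
    #    an ACCEPT policy here and therefore gets no LOG rule; with ACCEPT as
    #    the policy, a trailing LOG would record every unmatched packet.
    for chain in INPUT FORWARD; do
        $IPT -A "$chain" -m limit --limit 10/min --limit-burst 20 \
            -j LOG --log-level info --log-prefix "${chain}_dfl_drop "
    done
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

build_rules
```

Run it as-is to review the generated rules, then with IPT=/sbin/iptables SYSCTL=/sbin/sysctl as root to load them. Afterwards, `iptables -t nat -L PREROUTING -nv` and `iptables -L INPUT -nv` show per-rule packet counters, and a connection attempt that is being dropped appears in the kernel log with the INPUT_dfl_drop prefix together with the post-NAT destination, which tells you which chain the traffic died in.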
