Re: Port forwarding via iptables to postgres listening locally

From: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
To: David Resnick <abunetta(at)gmail(dot)com>
Cc: pgsql-general(at)postgresql(dot)org, zhong ming wu <mr(dot)z(dot)m(dot)wu(at)gmail(dot)com>
Subject: Re: Port forwarding via iptables to postgres listening locally
Date: 2011-06-19 14:07:50
Message-ID: 4DFE02B6.5060906@postnewspapers.com.au
Lists: pgsql-general

On 06/19/2011 08:35 PM, David Resnick wrote:
> Thanks a lot for your reply!
>
> OK, the source and destination parameters were not intended to hide
> anything. Setting them like that got the same results in the iptables
> status output as when not specifying --source and --destination at all.

Whoops, I missed that in the docs. Thanks for clarifying.

> Does --source need to be set to the address the machine is listening at?

No, it's the real source of the traffic.

> Chain PREROUTING (policy ACCEPT 242 packets, 27431 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 REDIRECT   tcp  --  *      *       192.23.25.177        127.0.0.1            tcp dpt:5432

Do you have any INPUT rule that explicitly ALLOWs traffic from 0.0.0.0/0
to 192.23.25.177/32 on tcp port 5432 ? Or a more general rule that
allows that traffic too?

Remember that INPUT and FORWARD rules act on traffic *after* the
PREROUTING rules have been applied, so you need to specify the
destination host and port as 192.168.25.177 port 5432, not whatever host
and port your gateway has.

It's often helpful to insert a -j LOG rule just before the end of each
table, with a log prefix like 'INPUT_dfl_drop', 'OUTPUT_dfl_drop', etc
just before the end of the INPUT, OUTPUT and FORWARD tables. That way
you can see what traffic your firewall is dropping in the logs. You'll
find that you need to add explicit DROP rules to silently drop certain
high-noise traffic without logging it first. Logging dropped traffic not
explicitly matched by any rule is something I find extremely handy as a
diagnostic aid.

This is really a bit off-topic for the PostgreSQL mailing list, though.

> 07:01:38.671236 IP 192.23.197.91.36349 > 192.23.25.177.postgresql: S
> 2589386703:2589386703(0) win 5840 <mss 1400,sackOK,timestamp 1081689372
> 0,nop,wscale 6>

OK, so a series of connection requests and no replies, but after the
PREROUTING rule has been applied so you're seeing the transformed addresses.

I'd say you need a rule in the FORWARD table to allow that traffic to be
forwarded.

> I've turned on connection logging in postgres; there is no indication of
> any connection attempt. There don't seem to be any additional rules
> configured in iptables that would drop the packets.

Are the tables set to drop by default, or allow by default?

--
Craig Ringer
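A ruleset written the way Craig describes, as an added example that is not part of the thread: the REDIRECT in nat/PREROUTING, an INPUT accept written against the post-PREROUTING destination port rather than the port clients connect to, an explicit DROP for noisy traffic ahead of a rate-limited LOG rule before each chain falls through to its DROP policy, plus a small parser for the log lines that rule produces. Addresses, ports and the sample log line are constructed, and 192.23.25.177 is assumed to be the primary address of the interface the traffic arrives on (REDIRECT keeps that address as the destination and changes only the port).

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for the setup in the thread
# and parse the resulting "*_dfl_drop" kernel log lines. Addresses/ports are
# constructed; the public address is assumed to be eth0's primary address.
gen_pg_rules() {
  pub_ip="$1"; pub_port="$2"; pg_port="$3"
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d ${pub_ip}/32 -p tcp --dport ${pub_port} -j REDIRECT --to-ports ${pg_port}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# INPUT runs after PREROUTING: REDIRECT keeps the incoming interface's
# primary address as destination, but the port is now ${pg_port}, not ${pub_port}
-A INPUT -d ${pub_ip}/32 -p tcp --dport ${pg_port} --syn -j ACCEPT
# explicit silent DROP for high-noise traffic so it never reaches the LOG rule
-A INPUT -p udp --dport 137:138 -j DROP
# rate-limited LOG just before each chain falls through to its DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT_dfl_drop: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD_dfl_drop: "
COMMIT
EOF
}
# Reduce a kernel LOG line to "chain proto src dst dpt"; non-LOG lines are skipped.
parse_dfl_drop() {
  while read -r line; do
    chain=""; src=""; dst=""; proto=""; dpt=""
    for word in $line; do
      case "$word" in
        *_dfl_drop:) chain="${word%:}" ;;
        SRC=*)   src="${word#SRC=}" ;;
        DST=*)   dst="${word#DST=}" ;;
        PROTO=*) proto="${word#PROTO=}" ;;
        DPT=*)   dpt="${word#DPT=}" ;;
      esac
    done
    if [ -n "$chain" ]; then echo "$chain $proto $src $dst $dpt"; fi
  done
}
# Constructed log line in the format the LOG target produces (not from the thread).
SAMPLE_LOG='Jun 19 14:07:50 gw kernel: INPUT_dfl_drop: IN=eth0 OUT= SRC=192.23.197.91 DST=192.23.25.177 LEN=60 TTL=64 PROTO=TCP SPT=36349 DPT=5432 WINDOW=5840 SYN URGP=0'
```

Feed the output of `gen_pg_rules` to `iptables-restore --test` to syntax-check it before loading, and pipe `dmesg` or the kernel log through `parse_dfl_drop` to see which chain dropped a connection attempt and what destination port it had after translation.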
