We needed to forward port 3307 to port 3306 to get around a new company wide firewall restriction blocking access to port 3306 (our MySQL server). It was a pain to find how to get port forwarding working in Ubuntu Server 12.04, which uses “ufw” as a front end to “iptables”. I couldn’t get it working without specifically forwarding to my IP, which I shouldn’t need to do (but at least it works).
This will forward port 3307 to 3306 so you can connect to your.ip.add.ress:3307 and have it automatically connect to a server (such as MySQL) on port 3306.
To do this you need “ufw” to be enabled, which you can check with “sudo ufw status”.
As part of setting up and testing routing rules in XenServer 6 I used the built in “lokkit” tool to temporarily turn off the firewall. Unfortunately, just opening the tool overwrote our custom “/etc/sysconfig/iptables” rules and cleared the file. This wasn’t a huge problem as we had a backup and just recreated it (you shouldn’t really be editing iptables manually anyway). On restarting iptables using “/etc/init.d/iptables restart” we received the error:
This is very easy to fix and is due to a setting in “/etc/sysconfig/iptables-config” which was set by “lokkit” by default. The issue is that iptables is trying to load the “ip_conntrack_netbios_ns” kernel module, which doesn’t exist by default in XenServer (and other linux distributions).
Find the following line at the top of “/etc/sysconfig/iptables-config”:
And set to:
A few people have said to also set “IPTABLES_MODULES_UNLOAD” to =”no”:
But I found that “/etc/init.d/iptables restart” still failed so I left it as “yes”. You may be able to set to “no” so try this first.
This will stop the missing kernel module being loaded and allow iptables to start properly.
If you get any other errors about loading modules when restarting iptables, check “/etc/sysconfig/iptables-config” isn’t trying to load something in “IPTABLES_MODULES=” that you don’t have installed.
Network address ranges are set slightly differently to standard wildcards. For example, to describe a range of IP addresses from 192.168.0.1 to 192.168.255.255 you use:
Where 16 describes the number of bits in the IP address that are used for comparison. In this case the 16 describes the first 2 bytes of the address: 192.168. You can read more about IP addressing at Rhyshaden’s Data Network Resource (and various other places).
To set your linux firewall up in webmin to use a range of IP addresses, just use the wildcard notation above. So in Webmin – Networking – Linux Firewall, when you are editing a rule in iptables you can put in 192.168.0.0/16 to describe a range of IPs (e.g. in the “source address or network” field to restrict access to a certain IP range). Manually setting these rules is more tricky but there are resources out there like Linux Home Networking and the Easy Firewall Generator to help. We just used Webmin as it makes this kind of work very easy indeed.