Virtual Network Interface and NAT disables localhost access for MySQL and Apache
- by Interarticle
I'm running an Ubuntu Server 12.04, and recently I configured it to do NAT for my laptop. Since the server has only one NIC, I followed instructions online to create a virtual network device (eth0:0) that has a LAN IP address, then further configured iptables and UFW to allow internet sharing. However, just a few days ago, I discovered that one of the PHP pages hosted on the server failed for no apparent reason. A little digging revealed that the MySQL server started refusing connections from localhost. The same happened with a page (PhpMyAdmin) that was configured to be accessible only from localhost (in Apache2).
The error, as shown by $mysql --protocol=tcp -u root -p looks like
ERROR 1130 (HY000): Host '<host name of eth0>' is not allowed to connect to this MySQL server
However, the funny thing is, I configured the mysql server to allow root access from localhost (only). Moreover, the mysql server listens only on 127.0.0.1:3306, as shown by:
sudo netstat -npa | head
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1029/mysqld
which means that the connection could have only come from 127.0.0.1
(Note that MySQL is working because I can still connect to it via unix domain sockets)
In effect, it seems that all tcp connections originating from 127.0.0.1 to 127.0.0.1 appear to any local daemon to come from the eth0 IP address. Indeed, apache2 allowed me to access PhpMyAdmin after I added allow <eth0 IP address>.
The following are my network configurations (redacted):
/etc/hosts:
127.0.0.1 localhost
211.x.x.x <host name of eth0> <server name>
#IPv6 Defaults follows ....
/etc/network/interfaces:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 211.x.x.x
netmask 255.255.255.0
gateway 211.x.x.x
dns-nameservers 8.8.8.8
# dns-* options are implemented by the resolvconf package, if installed
dns-search xxxxxxx.com
hwaddress ether xx:xx:xx:xx:xx:xx
auto eth0:0
iface eth0:0 inet static
address 192.168.57.254
netmask 255.255.254.0
broadcast 192.168.57.255
network 192.168.57.0
/etc/ufw/sysctl.conf:
#Uncommented the following lines
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
/etc/default/ufw:
DEFAULT_FORWARD_POLICY="ACCEPT" #Changed DROP to ACCEPT
/etc/init/internet-sharing.conf (upstart script I wrote), section pre-start script:
iptables -A FORWARD -o eth0 -i eth0:0 -s 192.168.57.22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
Note again that my problem here is that programs cannot access localhost tcp services, from the server itself, and that access is blocked because the services have access control allowing only 127.0.0.1. I have no problem connecting (as in TCP connections) to services via tcp, even if the services listen only on 127.0.0.1. I do NOT want to connect to the services from another computer.
