Passing External IPs through IN Gateway


JustinCarmony
05-18-2009, 01:53 PM
Since I've been searching for about a week and playing around with iptables with no success, and I've seen this asked a number of times, could I get a write-up on how to do this:

I need to be able to have a port, such as 3306, pass the external public IP and not the internal IP address. I know HTTP and HTTPS do this for the INSSL, but I'm unable to duplicate this for any other IP address. Because of the architecture of our system, we need servers in separate data centers to access our main MySQL DB, and I can't set up MySQL permissions based on the external IP addresses.

I know how to branch a component, but if someone could show me what I need to change/add to my scripts in /appliance dir that would be great.

PeterNic
05-20-2009, 12:00 AM
Justin,

There is currently no way to pass the original IP address further than the gateway (more precisely, to any appliance that doesn't have an external interface). -- But please read below as there is a simple solution to what you are trying to do.

The reason http/https can do it is because the INSSL gateway inserts html header fields (commonly used by things like load balancers -- pretty standard even outside of AppLogic / clouds); the apache in WEBxxx appliances has a small module that recovers the original IP address from the header field and passes it on to all kinds of application logic (php, cgi, other apache modules, etc.).

If you are OK with branching the appliance, there is an easy way to deal with this issue. Essentially, you will add a new input terminal (e.g., "adm" for admin), which can also receive database queries. Then, you will be able to assign different levels of permissions to requests coming from the "in" terminal vs the "adm" terminal. You can control what traffic you will allow to the adm terminal, leaving the IP address filtering to the boundary (ingress) of the application.

Here's how:
- branch the database server appliance
- add a new input terminal, adm, to the database appliance; verify that MySQL is configured to listen both on "in" and "adm" for requests ("in" and "adm" resolve as host names to the IP addresses of the respective terminal interfaces on the database appliance)
- upon startup, configure the database access rights to match those addresses with the respective access rights (or, if it cannot be configured based on the local interface, then use the connected terminal's IP address -- which is available in several descriptors, most likely in /etc/applogic/appliance.desc)
- have all admin traffic come through a separate IN gateway (or even consider using a VPN -- we'll be making a VPN gateway available; currently available as a preview); you can restrict the allowed_hosts on that gateway to the IP addresses you need to authorize with the higher level of access.

Can this work for your case?


Best regards,
-- Peter
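The startup step of the procedure above (grant different MySQL privileges depending on which terminal the query arrives through) as an added example; this is not code from the thread or from the AppLogic appliance scripts. It follows the second option Peter mentions: MySQL decides privileges by the client's source address, not by the local interface a connection came in on, so the grants are keyed on the IP of whatever is connected to each terminal. How the peer address of a terminal is read out of /etc/applogic/appliance.desc is appliance-specific and is left as script arguments here; the user names `app` and `admin`, the database name `appdb`, the `APP_PW`/`ADM_PW` variables and the `CREATE USER IF NOT EXISTS` / `DROP USER IF EXISTS` syntax (MySQL 5.7 or later) are all assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread or of any AppLogic appliance.
# Emits the SQL that restricts 'app' to the peer of the "in" terminal and
# 'admin' to the peer of the "adm" terminal. Intended use on the branched
# database appliance at startup:
#   sh grants.sh IN_PEER_IP ADM_PEER_IP [DBNAME] | mysql --defaults-file=/root/.my.cnf
# Peer IPs must come from the appliance descriptor; user/db names are assumed.

# is_ipv4 ADDR: accept only a dotted quad with octets 0..255. The addresses are
# spliced into SQL below, so anything else (quotes, comments, hostnames) is
# rejected rather than quoted.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# gen_grants IN_PEER ADM_PEER [DB]: print the GRANT script on stdout.
# Fails (non-zero) on a malformed address, a bad database name, or when both
# terminals are connected to the same peer, because then the split buys nothing.
gen_grants() {
    in_peer=$1; adm_peer=$2; db=${3:-appdb}
    is_ipv4 "$in_peer" || return 1
    is_ipv4 "$adm_peer" || return 1
    case $db in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    [ "$in_peer" != "$adm_peer" ] || return 1
    cat <<EOF
-- application access: only from the appliance wired to the "in" terminal
CREATE USER IF NOT EXISTS 'app'@'$in_peer' IDENTIFIED BY '${APP_PW:-CHANGE_ME}';
GRANT SELECT, INSERT, UPDATE, DELETE ON \`$db\`.* TO 'app'@'$in_peer';
-- administrative access: only from the IN gateway wired to the "adm" terminal
CREATE USER IF NOT EXISTS 'admin'@'$adm_peer' IDENTIFIED BY '${ADM_PW:-CHANGE_ME}';
GRANT ALL PRIVILEGES ON \`$db\`.* TO 'admin'@'$adm_peer';
-- remove any leftover "from anywhere" account so the terminal split is the only path
DROP USER IF EXISTS 'app'@'%';
FLUSH PRIVILEGES;
EOF
}

# When invoked with at least two arguments, behave as a script and print the SQL.
if [ "$#" -ge 2 ]; then
    gen_grants "$@" || { echo "bad arguments" >&2; exit 1; }
fi
```

Two caveats when wiring this in. First, for mysqld to accept connections on both terminals it has to listen on both interface addresses; older MySQL releases take a single `bind-address`, so that means `0.0.0.0` there (MySQL 8.0.13 and later accept a comma-separated list). Second, the grants only say "trust whatever is on the other end of the adm terminal", so the real access decision is the `allowed_hosts` list on the separate IN gateway feeding that terminal; keep that list tight and keep the gateway off the regular "in" path.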