I'm working with Ubuntu 14.04. I'm trying to set up some inbound connections to MySQL. I need the local MySQL port to stay at 3306. Remote users, however, should connect to port 33000, and connections should be limited by IP whitelist.
Using "-j REDIRECT" or "-j DNAT" is not working. My tests show that is because the default policy on INPUT is DROP, and I have no rule to ACCEPT on --dport 3306. I do not want to light up port 3306, whitelist or not.
What rule can I create to ACCEPT a packet destined for an arbitrary port (e.g., 33000), only if originating from an acceptable IP, and mangle it to send it to the proper local destination port, all without opening the local destination port?