I want to protect my MySQL Server from portscanners/probes. So my idea is to put the external port on let's say 36636, internal port has to stay at the default 3306 for compatibility with local apps.
A MySQL client connects to mysql.hostname.tld:36636 and should then be forwarded to 3306 by iptables. But I just can't get it to work. Here is my redirect rule:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 36636 -j REDIRECT --to-port 3306
I activated extensive logging in iptables and in MySQL. I'm pretty sure the packets go through the firewall, but then they "disappear"; they don't seem to reach MySQL. Of course I also opened port 36636 in iptables.
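The following is an added example, not part of the question above and not the poster's configuration. It builds the complete rule set that a port remap with REDIRECT needs, based on two properties of netfilter: a REDIRECT in nat/PREROUTING rewrites the destination port before the packet reaches filter/INPUT, so the INPUT rule that accepts the connection must match the internal port (3306), not the external one (36636); and REDIRECT rewrites the destination address to the primary address of the interface the packet arrived on, so a mysqld bound only to 127.0.0.1 never sees the connection. The interface name `eth0`, the two ports and the bind-address values are assumptions taken from or chosen to match the question; `--ctorigdstport` (from the conntrack match) keys the accept on the port the client originally dialed, so a direct probe of 3306 from outside is still dropped, which is the whole point of the remap.

```shell
#!/bin/sh
# Added example: iptables rules for exposing mysqld on an alternate external
# port via REDIRECT. Not from the original post; EXT_PORT, INT_PORT and IFACE
# are assumptions and can be overridden through the environment.

EXT_PORT="${EXT_PORT:-36636}"   # port advertised to clients (assumption)
INT_PORT="${INT_PORT:-3306}"    # port mysqld actually listens on
IFACE="${IFACE:-eth0}"          # external interface (assumption)

# Print the rule list, one iptables argument string per line, in the order
# they must be appended. The accept for INT_PORT is keyed on the *original*
# destination port (--ctorigdstport) so that only connections that came in
# through EXT_PORT are admitted; direct external hits on INT_PORT are dropped.
mysql_redirect_rules() {
    ext="$1"; int="$2"; dev="$3"
    printf '%s\n' \
      "-t nat -A PREROUTING -i $dev -p tcp --dport $ext -j REDIRECT --to-ports $int" \
      "-A INPUT -i $dev -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
      "-A INPUT -i $dev -p tcp --dport $int -m conntrack --ctstate NEW --ctorigdstport $ext -j ACCEPT" \
      "-A INPUT -i $dev -p tcp --dport $int -j DROP"
}

# REDIRECT delivers the packet to the primary address of the incoming
# interface, so a loopback-only bind-address in my.cnf cannot receive it.
# Returns 0 when the given bind-address can accept redirected connections,
# 1 when it is loopback-only.
bind_address_ok() {
    case "$1" in
        127.*|::1|localhost) return 1 ;;
        *) return 0 ;;
    esac
}

# Apply the rules with iptables (requires root; not persisted across reboot).
apply_rules() {
    mysql_redirect_rules "$EXT_PORT" "$INT_PORT" "$IFACE" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        iptables $rule
    done
}

# Default action is to show the rules; pass "apply" to install them.
case "${1:-show}" in
    apply) apply_rules ;;
    *)     mysql_redirect_rules "$EXT_PORT" "$INT_PORT" "$IFACE" ;;
esac
```

Run it without arguments to review the rule set, and with `apply` as root to install it. If `bind-address` in my.cnf is `127.0.0.1`, the REDIRECT rule is correct but mysqld is unreachable, which matches the symptom of packets passing the firewall and then vanishing; change it to the interface address or `0.0.0.0` and restrict access with the INPUT rules instead.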