Ssh – forward port 3306 from firewalled machine to desktop using SSH

debian-lennylinux-networkingport-forwardingsshssh-tunnel

Here's the network setup:

Machine A (my PC) SSH 22 => Machine B (Linode with root access) SSH 21343 => Machine C (MySQL server).

I want to forward port 3306 from C through B to A, so I can use SQL Workbench on A to execute commands on C.

Note that C is only accessible over SSH port 21343 and only from B (we cannot change the firewall on C to open any more ports, but we can change its SSH settings).

Is this possible? I've read about tunnels and ProxyCommand. But I need a simple step-by-step example.

All machines are debian Lenny.

Best Answer

On the machine A:

ssh -L 3307:C:3306 user@B

This allocated a socket listen to port 3307 on A. And whenever a connection is made to this port, it is forwarded over ssh tunnel to C:3306.

You can then connect to MySQL server on C with:

mysql -u <user> -p -h 127.0.0.1 -P 3307

(127.0.0.1 to connect via TCP/IP instead of a socket)

No, I cannot connect to MySQL on C from B. Only SSH listening on 21343 is open to B.

If the firewall on C only allow to connect from localhost, something like this:

iptables -A INPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP

so, AFAIK, there is no way to do this. If you try to connect over ssh tunnel, you will get the below errors:

ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 0

Related Solutions

Ssh – Forwarding port 3306 on Mac OS X in order to connect to a remote MySQL Database

This should work:

ssh -L 3310:127.0.0.1:3306 user@server

The first port number is the local port to use (must not be in use already), the IP in between the colons is the IP to connect to, from the perspective of the host you are sshing into. The second port number is the port to connect to. If you are connecting to a server other than the one you are sshing into, then try the following:

ssh -L 3310:<remote-IP>:3306 user@server

Usually, when I want to do this more than one time, I create an entry in ~/.ssh/config like the following where sshhost.example.com is the server I am sshing to, the local port I want to open is 5910, the IP on the other side I want to connect to is 192.168.35.69, and the port I want to connect to there is 5900:

Host desk
    Hostname sshhost.example.com
    User jed
    Port 22
    LocalForward 5910 192.168.35.69:5900

Then from a command prompt I can just do

jed@jed-mbp:~$ ssh desk

and get a tunnel to my desktop at the office.

Good luck,

--jed

Mysql – Tunnel to MySql via workbench not working when regular ssh tunnel works

You're doing your ssh forwarding backwards, i.e. you're forwarding local port 3306 to 33187, use -R localhost:33187:server.domain.com:3306. For the workbench use MySQL Server Port 3306 and MySQL Hostname: localhost

What specifically is the error you're getting, I'm having a problem myself using a custom ssh port, i.e. SSH Hostname server.mydomain.com:13711 the workbench for whatever reason doesn't actually attempt a connection (verified by watching the logs)

Best Answer

Related Solutions

Ssh – Forwarding port 3306 on Mac OS X in order to connect to a remote MySQL Database

Mysql – Tunnel to MySql via workbench not working when regular ssh tunnel works

Related Topic