This is a discussion on RE: secure port 3306 within the MySQL General forum, part of the MySQL category.
Steven Buehler wrote:

Thank You so much. I will have to try this later today. I have never done a port forward in iptables before. I knew that I could, but just never had a need or tried so it slipped my mind about this. The thing is...I need to securely do this. Here would be the setup:

Desktop -> Secure connection to Server 1 -> Secure connection to Server 2.

So I am assuming that what I need to do is to have the Desktop SSH into Server 1 which will have the iptables setup to tunnel to Server 2 and then use a tunnel from Secure CRT (or putty) to tunnel all the way to Server 2 through Server 1? Server one can only be accessed with SSH from Server 1.

Again, Thank You.
Steve

------------
On linux, one could do a port forward:

    EXTIF=eth0 # Or whatever the interface that faces internet is called.

    iptables -A FORWARD -i $EXTIF -p tcp -s <client-ip> --dport 3306 -j ACCEPT
    iptables -A PREROUTING -t nat -p tcp -s <client-ip> \
        -d <linux-fw-ip> --dport 3306 -j DNAT --to <internal-ip>:3306

On Wed, May 2, 2007 17:03, Steven Buehler wrote:
> I have a client that needs to be able to remotely connect to port 3306
> securely. I have tried to suggest an SSH Tunnel, but they do not want
> their clients to have SSH access. Another problem is that even if we
> do tunnel, it needs to go thru one server that is connected to the
> Internet and into the MySQL server which is NOT accessible from the
> Internet.
>
> Any suggestions?
>
> Thanks
> Steve
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe: http://lists.mysql.com/mysql?unsub=1
>
> --
> This message has been scanned for viruses and dangerous content by
> OpenProtect(http://www.openprotect.com), and is believed to be clean.

--
Later

Mogens Melander
+45 40 85 71 38
+66 870 133 224
On 5/7/07, Steven Buehler <steve@ibushost.com> wrote:
> The thing is...I need to securely do this. Here would be the setup
> Desktop -> Secure connection to Server 1 -> Secure connection to Server 2.
> So I am assuming that what I need to do is to have the Desktop SSH into
> Server 1 which will have the iptables setup to tunnel to Server 2 and then
> use a tunnel from Secure CRT (or putty) to tunnel all the way to Server 2
> through Server 1? Server one can only be accessed with SSH from Server 1.
>
> Again, Thank You.
> Steve

You can forward a port on your local computer, through server1 to server2 using ssh tunnelling.

    ssh -L 3306:server2_ip_address:3306 user@server1.yourdomain.com

Now you can point your SQL client to localhost 3306 and it will then be transported across your ssh session to server1. Once it gets to server1, server1 will forward that traffic to server2 on port 3306.

PuTTY, a well known Windows based ssh client, can do this under Connection > SSH > Tunnels. Source Port is the port on the local machine that will be forwarded across the ssh connection. Destination is the IP:Port to where the tunneled traffic is delivered. Choose "Local" as the type of tunnel and do not forget to click the "Add" button to add the tunnel to the ssh connection you are configuring.
On Mon, May 7, 2007 17:40, Steven Buehler wrote:
> The thing is...I need to securely do this. Here would be the setup
> Desktop -> Secure connection to Server 1 -> Secure connection to Server 2.
> So I am assuming that what I need to do is to have the Desktop SSH into
> Server 1 which will have the iptables setup to tunnel to Server 2 and then
> use a tunnel from Secure CRT (or putty) to tunnel all the way to Server 2
> through Server 1? Server one can only be accessed with SSH from Server 1.

The only reason for the need for ssh-tunnel would be to eliminate the risk of somebody "sniffing" between desktop -> server-1.

This iptables rule allows only access from one ip-address (desktop).

> ------------
> On linux, one could do a port forward:
>
> EXTIF=eth0 # Or whatever the interface that faces internet is called.
>
> iptables -A FORWARD -i $EXTIF -p tcp -s <client-ip> --dport 3306 -j ACCEPT
> iptables -A PREROUTING -t nat -p tcp -s <client-ip> \
>     -d <linux-fw-ip> --dport 3306 -j DNAT --to <internal-ip>:3306

--
Later

Mogens Melander
But I also need to make sure that nobody is sniffing between Server-1 and Server-2.

Steve

-----Original Message-----
From: Mogens Melander [mailto:mogens@fumlersoft.dk]
Sent: Monday, May 07, 2007 1:35 PM
To: Steven Buehler
Cc: mysql@lists.mysql.com
Subject: RE: secure port 3306

On Mon, May 7, 2007 17:40, Steven Buehler wrote:
> The thing is...I need to securely do this. Here would be the setup
> Desktop -> Secure connection to Server 1 -> Secure connection to Server 2.
> So I am assuming that what I need to do is to have the Desktop SSH into
> Server 1 which will have the iptables setup to tunnel to Server 2 and then
> use a tunnel from Secure CRT (or putty) to tunnel all the way to Server 2
> through Server 1? Server one can only be accessed with SSH from Server 1.

The only reason for the need for ssh-tunnel would be to eliminate the risk of somebody "sniffing" between desktop -> server-1.

This iptables rule allows only access from one ip-address (desktop).

--
Later

Mogens Melander

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql?unsub=steve@ibushost.com
Well, in that case you can forward the tunnel (port 22) directly from server-1 to server-2, so when you tunnel from client to server-1, you get forwarded to server-2.

On Mon, May 7, 2007 21:41, Steven Buehler wrote:
> But I also need to make sure that nobody is sniffing between Server-1 and
> Server-2.
> Steve
>
> -----Original Message-----
> From: Mogens Melander [mailto:mogens@fumlersoft.dk]
> Sent: Monday, May 07, 2007 1:35 PM
> To: Steven Buehler
> Cc: mysql@lists.mysql.com
> Subject: RE: secure port 3306
>
> The only reason for the need for ssh-tunnel would be to eliminate the
> risk of somebody "sniffing" between desktop -> server-1.
>
> This iptables rule allows only access from one ip-address (desktop).

--
Later

Mogens Melander
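The two designs in the thread, the desktop-to-server-1 SSH tunnel with server-1 forwarding port 3306 onward, and the last reply's suggestion of forwarding port 22 from server-1 to server-2, as an added script that is not from the thread or the list. It assumes iptables with the nat and conntrack modules on server-1, one allowed desktop IP, RFC 5737 placeholder addresses, and the hypothetical helper names forward_ssh_rules and client_tunnel_cmd.

```shell
#!/bin/sh
# Added example, not code from the thread. It applies the last reply's idea:
# DNAT port 22 on server-1 to server-2, so the desktop's SSH session, and the
# MySQL tunnel inside it, terminates on server-2 and every hop is encrypted.
# With "ssh -L 3306:server2:3306 user@server1" the server-1 -> server-2 leg
# carries cleartext MySQL traffic, which is the concern raised above.
# Assumptions: iptables with nat and conntrack on server-1, one allowed desktop
# IP, and server-2 routing replies back through server-1 (otherwise add a
# POSTROUTING MASQUERADE, at the cost of server-2 logging every login as
# coming from server-1). Forwarding port 22 makes server-1's own sshd
# unreachable from that client; use another public port if it must stay so.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = run them as root

# A sloppy variable must not become an open forward rule: accept a plain
# dotted quad only, never a CIDR such as 0.0.0.0/0.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# forward_ssh_rules EXTIF CLIENT_IP FW_IP INTERNAL_IP
# Forwards TCP/22 arriving on server-1's public IP from one client to server-2.
forward_ssh_rules() {
    extif=$1; client=$2; fw=$3; internal=$4
    valid_ipv4 "$client" && valid_ipv4 "$fw" && valid_ipv4 "$internal" || return 1
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i "$extif" -p tcp -s "$client" \
        -d "$fw" --dport 22 -j DNAT --to-destination "$internal:22"
    run iptables -A FORWARD -i "$extif" -p tcp -s "$client" \
        -d "$internal" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# client_tunnel_cmd USER FW_IP
# Prints the desktop-side command. Because port 22 is forwarded, the host key
# seen at FW_IP is server-2's: record it once and keep StrictHostKeyChecking
# on, so a swapped host cannot quietly take over the tunnel. Inside the
# session 127.0.0.1:3306 is MySQL on server-2, so server-2 can keep
# bind-address=127.0.0.1 and grant the account to 'user'@'127.0.0.1' only.
client_tunnel_cmd() {
    printf 'ssh -N -o StrictHostKeyChecking=yes -L 3306:127.0.0.1:3306 %s@%s\n' "$1" "$2"
}

# Example: forward_ssh_rules eth0 203.0.113.10 198.51.100.5 10.0.0.20
#          client_tunnel_cmd dbuser 198.51.100.5
```

Run with DRY_RUN=1 first and compare the printed rules against `iptables -t nat -L PREROUTING -n` after applying, so the source restriction is confirmed rather than assumed.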