This took a bit of head-scratching, so for future reference, or anyone else looking:
Say I am working outside the office firewall, on a machine called home, and I need to get into a MySQL server inside it. (Doesn’t have to be MySQL, but just for argument’s sake.)
There’s a machine called gateway I can ssh to and tunnel through, but for security reasons the database server mysql doesn’t accept connections from gateway directly. My desktop machine at the office (err… desktop) can connect to mysql, though.
One way round it is to ssh from home to gateway and forward a port on home, through gateway, to the ssh server on desktop (-L always listens on the machine you run ssh on, here home; gateway is the one that makes the onward connection to desktop:22):
home $ ssh -L 2222:desktop.example.org:22 -tAY gateway.example.org
Note that -t, -A and -Y do nothing for the tunnel itself: -A forwards your ssh agent to gateway, where anyone with root can use it to authenticate as you, and -Y gives gateway trusted access to your local X display, so leave them out unless you actually need them. If you only want the tunnel and no shell on gateway, -N keeps the connection open without one.
Then, in another terminal, ssh from home to desktop via this tunnel, forwarding a second port on home (23306) to the port mysql listens on (3306 by default for MySQL). This forward is made from desktop, which is allowed to talk to mysql:
home $ ssh -p 2222 -L 23306:mysql.example.org:3306 127.0.0.1
This time you’re connecting to home port 2222, which the first command forwards straight to desktop port 22, so it is desktop’s host key you will be asked to accept. OpenSSH records it in known_hosts under [127.0.0.1]:2222, so if you later reuse port 2222 for a tunnel to a different machine you will get a host key mismatch warning; adding -o HostKeyAlias=desktop.example.org to this command keeps the entry filed under desktop’s real name instead.
Now that both tunnels are in place, you can just connect to port 23306 on home and arrive by magic at mysql. In another terminal (or from your MySQL GUI):
home $ mysql -uUSER -pPASS -h127.0.0.1 -P23306
Two things to watch here: -h127.0.0.1 matters, because with -hlocalhost the mysql client ignores the port and tries the local Unix socket instead of TCP; and putting the password in -pPASS leaves it in your shell history and in the process list for anyone on home to read, so use a bare -p and let the client prompt for it.
This example shows a tunnel-within-a-tunnel. There should be a way to make this work using end-to-end tunnelling instead, I tried but didn’t get anywhere. But that might be due to ssh server restrictions on our equivalent of gateway.
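For the record, here is the same two-hop set-up as one end-to-end tunnel, as an added example that is not part of the original post. OpenSSH’s ProxyJump option (-J, available since OpenSSH 7.3) makes ssh on home open the connection to desktop through gateway itself, so a single command replaces the two tunnels above, and a ControlMaster socket lets the tunnel be checked and torn down by name. It relies on the ssh server on gateway permitting TCP forwarding, which is the same permission the -L tunnel above uses. Hostnames and ports are the ones from the post; the control-socket path, the DBUSER variable and the explicit loopback bind are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): one end-to-end tunnel from home
# to mysql, hopping through gateway to desktop with ProxyJump (-J), plus a
# ControlMaster socket so the tunnel can be checked and closed by name.
# Hostnames/ports are the post's; CTL, DBUSER and the loopback bind are assumed.

GATEWAY=${GATEWAY:-gateway.example.org}
DESKTOP=${DESKTOP:-desktop.example.org}
DBHOST=${DBHOST:-mysql.example.org}
DBPORT=${DBPORT:-3306}
LOCAL_PORT=${LOCAL_PORT:-23306}
DBUSER=${DBUSER:-USER}
CTL=${CTL:-$HOME/.ssh/ctl-mysql-tunnel}   # assumed control-socket path

# Accept only unprivileged, in-range port numbers for the local listener.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# The -L argument, bound explicitly to loopback so the forwarded MySQL port is
# never reachable from other hosts on home's network (independent of GatewayPorts).
forward_spec() {
    printf '127.0.0.1:%s:%s:%s' "$LOCAL_PORT" "$DBHOST" "$DBPORT"
}

tunnel_up() {
    valid_port "$LOCAL_PORT" || { echo "bad LOCAL_PORT: $LOCAL_PORT" >&2; return 1; }
    # -J: hop through gateway; -N: no remote command; -f: go to the background
    # once the forward is up; ExitOnForwardFailure: fail loudly if the local port
    # is already taken; -M -S: master connection on a named socket for check/down.
    ssh -N -f -M -S "$CTL" -o ExitOnForwardFailure=yes \
        -J "$GATEWAY" -L "$(forward_spec)" "$DESKTOP"
}

tunnel_check() { ssh -S "$CTL" -O check "$DESKTOP"; }
tunnel_down()  { ssh -S "$CTL" -O exit  "$DESKTOP"; }

# -h127.0.0.1 forces TCP (-hlocalhost would use the Unix socket); a bare -p makes
# the client prompt instead of leaving the password in ps output and history.
db_shell() { mysql -u"$DBUSER" -p -h127.0.0.1 -P"$LOCAL_PORT"; }

case "${1:-}" in
    up)    tunnel_up ;;
    check) tunnel_check ;;
    down)  tunnel_down ;;
    db)    db_shell ;;
esac
```

Usage is `./tunnel.sh up`, then `./tunnel.sh db` (or your GUI pointed at 127.0.0.1:23306), and `./tunnel.sh down` when finished; `./tunnel.sh check` tells you whether the master connection is still alive. Because ExitOnForwardFailure is set, a clash on port 23306 makes the up step exit non-zero instead of silently leaving you with a connection and no forward.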
If none of this means anything, there’s an intro to ssh port forwarding here.