But I also need to make sure that nobody is sniffing between Server-1 and Server-2. Steve
-----Original Message----- From: Mogens Melander [mailto:[EMAIL PROTECTED] Sent: Monday, May 07, 2007 1:35 PM To: Steven Buehler Cc: mysql@lists.mysql.com Subject: RE: secure port 3306 On Mon, May 7, 2007 17:40, Steven Buehler wrote: > The thing is...I need to securely do this. Here would be the setup > Desktop -> Secure connection to Server 1 -> Secure connection to Server 2. > So I am assuming that what I need to do is to have the Desktop SSH into > Server 1 which will have the iptables setup to tunnel to Server 2 and then > use a tunnel from Secure CRT (or putty) to tunnel all the way to Server 2 > through Server 1? Server one can only be accessed with SSH from Server 1. The only reason for the need for ssh-tunnel would be to eliminate the risk of somebody "sniffing" between desktop -> server-1. This iptables rule allow only access from one ip-address (desktop). > ------------ > On linux, one could do a port forward: > > EXTIF=eth0 # Or whatever the interface that faces internet is called. > > iptables -A FORWARD -i $EXTIF -p tcp -s <client-ip> --dport 3306 -j ACCEPT > iptables -A PREROUTING -t nat -p tcp -s <client-ip> \ > -d <linux-fw-ip> --dport 3306 -j DNAT --to <internal-ip>:3306 > > On Wed, May 2, 2007 17:03, Steven Buehler wrote: >> I have a client that needs to be able to remotely connect to port 3306 >> securely. I have tried to suggest an SSH Tunnel, but they do not want >> their clients to have SSH access. Another problem is that even if we >> do tunnel, it needs to go thru one server that is connected to the >> Internet and into the MySQL server which is NOT accessible from the >> Internet. >> >> Any suggestions? >> >> Thanks >> Steve >> >> >> -- >> MySQL General Mailing List >> For list archives: http://lists.mysql.com/mysql >> To unsubscribe: http://lists.mysql.com/mysql?unsub=1 >> >> >> -- >> This message has been scanned for viruses and dangerous content by >> OpenProtect(http://www.openprotect.com), and is believed to be clean. >> > > > -- > Later > > Mogens Melander > +45 40 85 71 38 > +66 870 133 224 > > > > -- > This message has been scanned for viruses and > dangerous content by OpenProtect(http://www.openprotect.com), and is > believed to be clean. > > > -- > MySQL General Mailing List > For list archives: http://lists.mysql.com/mysql > To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED] > > > -- > This message has been scanned for viruses and > dangerous content by OpenProtect(http://www.openprotect.com), and is > believed to be clean. > -- Later Mogens Melander +45 40 85 71 38 +66 870 133 224 -- This message has been scanned for viruses and dangerous content by OpenProtect(http://www.openprotect.com), and is believed to be clean. -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED] -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
