Well, in that case you can forward the tunnel (port 22) directly from server-1 to server-2, so when you tunnel from client to server-1, you get forwarded to server-2.

On Mon, May 7, 2007 21:41, Steven Buehler wrote:
> But I also need to make sure that nobody is sniffing between Server-1 and
> Server-2.
> Steve
>
>
> -----Original Message-----
> From: Mogens Melander [mailto:[EMAIL PROTECTED]
> Sent: Monday, May 07, 2007 1:35 PM
> To: Steven Buehler
> Cc: mysql@lists.mysql.com
> Subject: RE: secure port 3306
>
>
> On Mon, May 7, 2007 17:40, Steven Buehler wrote:
>> The thing is...I need to securely do this. Here would be the setup
>> Desktop -> Secure connection to Server 1 -> Secure connection to Server 2.
>> So I am assuming that what I need to do is to have the Desktop SSH into
>> Server 1 which will have the iptables setup to tunnel to Server 2 and then
>> use a tunnel from Secure CRT (or putty) to tunnel all the way to Server 2
>> through Server 1? Server one can only be accessed with SSH from Server 1.
>
> The only reason for the need for ssh-tunnel would be to eliminate the
> risk of somebody "sniffing" between desktop -> server-1.
>
> This iptables rule allows access only from one ip-address (desktop).
>
>> ------------
>> On Linux, one could do a port forward:
>>
>> EXTIF=eth0 # Or whatever the interface that faces internet is called.
>>
>> iptables -A FORWARD -i $EXTIF -p tcp -s <client-ip> --dport 3306 -j ACCEPT
>> iptables -A PREROUTING -t nat -p tcp -s <client-ip> \
>>   -d <linux-fw-ip> --dport 3306 -j DNAT --to <internal-ip>:3306
>>
>> On Wed, May 2, 2007 17:03, Steven Buehler wrote:
>>> I have a client that needs to be able to remotely connect to port 3306
>>> securely. I have tried to suggest an SSH Tunnel, but they do not want
>>> their clients to have SSH access. Another problem is that even if we
>>> do tunnel, it needs to go thru one server that is connected to the
>>> Internet and into the MySQL server which is NOT accessible from the
>>> Internet.
>>>
>>> Any suggestions?
>>>
>>> Thanks
>>> Steve
>>>
>>> --
>>> MySQL General Mailing List
>>> For list archives: http://lists.mysql.com/mysql
>>> To unsubscribe: http://lists.mysql.com/mysql?unsub=1
>>>
>>> --
>>> This message has been scanned for viruses and dangerous content by
>>> OpenProtect(http://www.openprotect.com), and is believed to be clean.

--
Later

Mogens Melander
+45 40 85 71 38
+66 870 133 224
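
The port-22 forward suggested at the top of this thread, sketched as an added example that is not part of the original messages: it adapts the quoted port-3306 rules to port 22 and prints them for review, together with the matching client-side tunnel command. The function names, the `dbuser` account and all addresses are assumptions made for illustration, as is MySQL listening on 127.0.0.1:3306 on Server-2.

```shell
#!/bin/sh
# Added example (not from the thread). Prints rules for review; applies nothing.
# Assumes Server-1 is Server-2's route back to the client, and that this client
# no longer needs Server-1's own sshd on port 22 (the DNAT takes that port over).

valid_ipv4() {
    # Dotted quad, each octet 0-255; anything else never reaches a rule.
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

emit_rules() {
    # $1 client IP, $2 Server-1 public IP, $3 Server-2 internal IP, $4 interface
    client=$1 fw=$2 internal=$3 extif=${4:-eth0}
    for ip in "$client" "$fw" "$internal"; do
        valid_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    done
    case "$extif" in *[!A-Za-z0-9._-]*) return 1 ;; esac
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $extif -p tcp -s $client -d $fw --dport 22 -j DNAT --to-destination $internal:22
iptables -A FORWARD -i $extif -p tcp -s $client -d $internal --dport 22 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

tunnel_cmd() {
    # $1 account on Server-2, $2 Server-1 public IP. The SSH session ends on
    # Server-2, so 127.0.0.1:3306 below is Server-2's MySQL and both hops are
    # inside the same encrypted channel.
    case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    valid_ipv4 "$2" || return 1
    echo "ssh -N -L 127.0.0.1:3306:127.0.0.1:3306 $1@$2"
}

# Constructed sample addresses (documentation ranges).
emit_rules 203.0.113.10 198.51.100.5 10.0.0.20 eth0
tunnel_cmd dbuser 198.51.100.5
```

On first connect the host key offered at Server-1's address is Server-2's, and checking its fingerprint is what confirms the session really ends there. The MySQL client on the desktop then connects to 127.0.0.1 port 3306.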