RE: secure port 3306
Thank You so much. I will have to try this later today. I have never done a port forward in iptables before. I knew that I could, but just never had a need or tried so it slipped my mind about this.

The thing is...I need to securely do this. Here would be the setup Desktop - Secure connection to Server 1 - Secure connection to Server 2. So I am assuming that what I need to do is to have the Desktop SSH into Server 1 which will have the iptables setup to tunnel to Server 2 and then use a tunnel from Secure CRT (or putty) to tunnel all the way to Server 2 through Server 1? Server one can only be accessed with SSH from Server 1.

Again, Thank You.
Steve

> On linux, one could do a port forward:
>
> EXTIF=eth0 # Or whatever the interface that faces internet is called.
>
> iptables -A FORWARD -i $EXTIF -p tcp -s client-ip --dport 3306 -j ACCEPT
> iptables -A PREROUTING -t nat -p tcp -s client-ip \
>     -d linux-fw-ip --dport 3306 -j DNAT --to internal-ip:3306
>
> On Wed, May 2, 2007 17:03, Steven Buehler wrote:
> > I have a client that needs to be able to remotely connect to port 3306 securely. I have tried to suggest an SSH Tunnel, but they do not want their clients to have SSH access. Another problem is that even if we do tunnel, it needs to go thru one server that is connected to the Internet and into the MySQL server which is NOT accessible from the Internet.
> >
> > Any suggestions?
> >
> > Thanks
> > Steve
>
> --
> Later
> Mogens Melander
Re: secure port 3306
On 5/7/07, Steven Buehler [EMAIL PROTECTED] wrote:
> Thank You so much. I will have to try this later today. I have never done a port forward in iptables before. I knew that I could, but just never had a need or tried so it slipped my mind about this.
>
> The thing is...I need to securely do this. Here would be the setup Desktop - Secure connection to Server 1 - Secure connection to Server 2. So I am assuming that what I need to do is to have the Desktop SSH into Server 1 which will have the iptables setup to tunnel to Server 2 and then use a tunnel from Secure CRT (or putty) to tunnel all the way to Server 2 through Server 1? Server one can only be accessed with SSH from Server 1.
>
> Again, Thank You.
> Steve

You can forward a port on your local computer, through server1 to server2, using ssh tunnelling.

ssh -L 3306:server2_ip_address:3306 [EMAIL PROTECTED]

Now you can point your SQL client to localhost 3306 and it will then be transported across your ssh session to server1. Once it gets to server1 then server1 will forward that traffic to server2 on port 3306.

PuTTY, a well-known Windows-based ssh client, can do this under Connection > SSH > Tunnels. Source Port is the port on the local machine that will be forwarded across the ssh connection. Destination is the IP:Port to where the tunneled traffic is delivered. Choose Local as the type of tunnel and do not forget to click the Add button to add the tunnel to the ssh connection you are configuring.
RE: secure port 3306
On Mon, May 7, 2007 17:40, Steven Buehler wrote:
> The thing is...I need to securely do this. Here would be the setup Desktop - Secure connection to Server 1 - Secure connection to Server 2. So I am assuming that what I need to do is to have the Desktop SSH into Server 1 which will have the iptables setup to tunnel to Server 2 and then use a tunnel from Secure CRT (or putty) to tunnel all the way to Server 2 through Server 1? Server one can only be accessed with SSH from Server 1.

The only reason for the need for ssh-tunnel would be to eliminate the risk of somebody sniffing between desktop - server-1. This iptables rule allows only access from one ip-address (desktop).

> On linux, one could do a port forward:
>
> EXTIF=eth0 # Or whatever the interface that faces internet is called.
>
> iptables -A FORWARD -i $EXTIF -p tcp -s client-ip --dport 3306 -j ACCEPT
> iptables -A PREROUTING -t nat -p tcp -s client-ip \
>     -d linux-fw-ip --dport 3306 -j DNAT --to internal-ip:3306

--
Later
Mogens Melander
RE: secure port 3306
But I also need to make sure that nobody is sniffing between Server-1 and Server-2.

Steve

-----Original Message-----
From: Mogens Melander [mailto:[EMAIL PROTECTED]
Sent: Monday, May 07, 2007 1:35 PM
To: Steven Buehler
Cc: mysql@lists.mysql.com
Subject: RE: secure port 3306

On Mon, May 7, 2007 17:40, Steven Buehler wrote:
> The thing is...I need to securely do this. Here would be the setup Desktop - Secure connection to Server 1 - Secure connection to Server 2. So I am assuming that what I need to do is to have the Desktop SSH into Server 1 which will have the iptables setup to tunnel to Server 2 and then use a tunnel from Secure CRT (or putty) to tunnel all the way to Server 2 through Server 1? Server one can only be accessed with SSH from Server 1.

The only reason for the need for ssh-tunnel would be to eliminate the risk of somebody sniffing between desktop - server-1. This iptables rule allows only access from one ip-address (desktop).
RE: secure port 3306
Well, in that case you can forward the tunnel (port 22) directly from server-1 to server-2, so when you tunnel from client to server-1, you get forwarded to server-2.

On Mon, May 7, 2007 21:41, Steven Buehler wrote:
> But I also need to make sure that nobody is sniffing between Server-1 and Server-2.
>
> Steve

--
Later
Mogens Melander
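The port-22 forward suggested in the reply above, combined with the `ssh -L` tunnel from the earlier reply, as an added example that is not part of the original thread. The external port 2222, the sample addresses, the user name and the function names are assumptions; the script only prints the commands for review and applies nothing.

```sh
#!/bin/sh
# Added example (dry run): prints commands for review, applies nothing.
# Addresses are constructed samples; external port 2222 is an assumption.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0..255.
valid_ipv4() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# plan_rules EXTIF CLIENT_IP FW_IP SERVER2_IP EXT_PORT
# Server-1 rules that hand one client's SSH connection to server-2's sshd.
plan_rules() {
    extif=$1; client=$2; fw=$3; inner=$4; ext_port=$5
    case "$extif" in ""|*[!A-Za-z0-9_.-]*) echo "bad interface" >&2; return 1 ;; esac
    case "$ext_port" in ""|*[!0-9]*|??????*) echo "bad port" >&2; return 1 ;; esac
    [ "$ext_port" -ge 1 ] && [ "$ext_port" -le 65535 ] || return 1
    for addr in "$client" "$fw" "$inner"; do
        valid_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
    done
    # FORWARD sees the packet after DNAT, so it matches server-2's address, port 22.
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $extif -p tcp -s $client -d $fw --dport $ext_port -j DNAT --to-destination ${inner}:22
iptables -A FORWARD -i $extif -p tcp -s $client -d $inner --dport 22 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# client_cmd FW_IP EXT_PORT USER
# The SSH session terminates on server-2, so 127.0.0.1:3306 is server-2's own
# loopback and MySQL traffic is encrypted on both hops.
client_cmd() {
    valid_ipv4 "$1" || return 1
    echo "ssh -N -p $2 -L 3306:127.0.0.1:3306 $3@$1"
}

plan_rules eth0 203.0.113.10 198.51.100.1 10.0.0.5 2222
client_cmd 198.51.100.1 2222 dbuser
```

Because the connection on port 2222 ends at server-2's sshd, the host key the desktop verifies is server-2's, and the account used is one on server-2.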
RE: secure port 3306
Thank You so much. I will have to try this later today. I have never done a port forward in iptables before. I knew that I could, but just never had a need or tried so it slipped my mind about this.

Again, Thank You.
Steve

> On linux, one could do a port forward:
>
> EXTIF=eth0 # Or whatever the interface that faces internet is called.
>
> iptables -A FORWARD -i $EXTIF -p tcp -s client-ip --dport 3306 -j ACCEPT
> iptables -A PREROUTING -t nat -p tcp -s client-ip \
>     -d linux-fw-ip --dport 3306 -j DNAT --to internal-ip:3306
RE: secure port 3306
[snip]
I have a client that needs to be able to remotely connect to port 3306 securely. I have tried to suggest an SSH Tunnel, but they do not want their clients to have SSH access. Another problem is that even if we do tunnel, it needs to go thru one server that is connected to the Internet and into the MySQL server which is NOT accessible from the Internet.

Any suggestions?
[/snip]

IPSec tunnel
Re: secure port 3306
On linux, one could do a port forward:

EXTIF=eth0 # Or whatever the interface that faces internet is called.

iptables -A FORWARD -i $EXTIF -p tcp -s client-ip --dport 3306 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -s client-ip \
    -d linux-fw-ip --dport 3306 -j DNAT --to internal-ip:3306

On Wed, May 2, 2007 17:03, Steven Buehler wrote:
> I have a client that needs to be able to remotely connect to port 3306 securely. I have tried to suggest an SSH Tunnel, but they do not want their clients to have SSH access. Another problem is that even if we do tunnel, it needs to go thru one server that is connected to the Internet and into the MySQL server which is NOT accessible from the Internet.
>
> Any suggestions?
>
> Thanks
> Steve

--
Later
Mogens Melander