[TriLUG] seeking ssh tunnel advice

Tom Roche Tom_Roche at pobox.com
Fri Jan 11 23:06:34 EST 2008


Advice on how to properly configure an ssh tunnel for the following
use case is appreciated:

As mentioned in a long thread last month, I have a private network
set up as a testbed for 2 boxes running MySQL (et al). They are
currently (i.e. pre-deployment) behind a Netgear WGR614v6 router (with
latest firmware) doing DHCP, port-forwarding, and DDNS. (More on the
latter separately.) I currently have a setup like (names changed
hopefully for clarity):

netgear.dyndns.org=DDNS name for the router
192.168.0.11=stable IP# for MySQL box 1, hostname=box1
192.168.0.12=stable IP# for MySQL box 2, hostname=box2

box1 has OS account=os1 and MySQL account=mysql1
box2 has OS account=os2 and MySQL account=mysql2

router forwards   22 -> 192.168.0.12:22
                 3306 -> 192.168.0.12:3306 # to be deleted!
(note both forwards are to box2)

I believe both forwards work, because (from my laptop, outside the PN)
I can do

$ ssh os2@netgear.dyndns.org
os2@box2:~$ hostname
os2

(Note no password prompt: I have ssh-agent set up on the laptop.) By
contrast,

$ ssh os1@netgear.dyndns.org

gets "Permission denied", and I get a reasonable response from

$ mysqladmin -h netgear.dyndns.org -u mysql2 version

but an error from

$ mysqladmin -h netgear.dyndns.org -u mysql1 version

However I *do not* want to forward 3306: I want to tunnel it over ssh,
and turn off that port-forward. Based on my reading, ISTM I should be
able to do

$ ssh -fNL 3306:192.168.0.12:3306 os2@netgear.dyndns.org &
$ mysqladmin -h netgear.dyndns.org -u mysql2 version

and get the happy response. I believed (note past tense) the ssh
invocation above was correct because

* 3306 is the MySQL default port, and I haven't changed that

* 192.168.0.12 is the IP# which netgear.dyndns.org assigns to box2

* I can ssh to os2@netgear.dyndns.org (see above)

However if in fact I utter

$ ssh -fNL 3306:192.168.0.12:3306 os2@netgear.dyndns.org &
$ mysqladmin -h netgear.dyndns.org -u mysql2 version

*in the same shell*, I get

 > error: 'Can't connect to MySQL server on 'netgear.dyndns.org' (10061)'
 > Check that mysqld is running on netgear.dyndns.org and that the port is 3306.
 > You can check this by doing 'telnet netgear.dyndns.org 3306'

but if I turn on port-forwarding of 3306, and do

$ mysqladmin -h netgear.dyndns.org -u mysql2 version

*in the same shell*, I get the happy response. Therefore

$ ssh -fNL 3306:192.168.0.12:3306 os2@netgear.dyndns.org

must be uttered incorrectly ... no?

Am I missing something? If not, what do I need to do to make the ssh
tunnel work?

TIA, Tom Roche <Tom_Roche at pobox.com>
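
Added example, not part of the original post: a small shell check of where the listener created by an `ssh -L` spec lives, applied to the two client targets relevant to the commands above. The function names are hypothetical, and the commented ssh/mysqladmin lines at the end are an assumed invocation built from the post's names.

```shell
#!/bin/sh
# Added example (not from the original post): where an `ssh -L` listener lives.
# A -L spec is [bind_address:]port:host:hostport. By default the listening
# socket is opened on the loopback interface of the machine that runs ssh;
# host:hostport is dialled from the ssh server's side of the connection.

# Print "listen_addr listen_port dest_host dest_port" for a -L spec.
# Bracketed IPv6 literals and wildcard bind addresses are not handled here.
parse_local_forward() {
    spec=$1
    old_ifs=$IFS
    set -f; IFS=:
    set -- $spec                      # split the spec on ':'
    IFS=$old_ifs; set +f
    case $# in
        3) echo "127.0.0.1 $1 $2 $3" ;;
        4) echo "$1 $2 $3 $4" ;;
        *) echo "bad -L spec: $spec" >&2; return 1 ;;
    esac
}

# Succeed only if a client aimed at host:port would enter the tunnel,
# i.e. it targets the local listener rather than some other machine.
uses_tunnel() {
    client_host=$2
    client_port=$3
    fields=$(parse_local_forward "$1") || return 2
    set -- $fields                    # $1 = listen addr, $2 = listen port
    [ "$client_host" = "$1" ] && [ "$client_port" = "$2" ]
}

describe() {
    if uses_tunnel "$1" "$2" "$3"; then
        echo "$2:$3 enters the tunnel opened by -L $1"
    else
        echo "$2:$3 bypasses the tunnel and goes straight to $2"
    fi
}

# Names and addresses taken from the post.
describe 3306:192.168.0.12:3306 netgear.dyndns.org 3306
describe 3306:192.168.0.12:3306 127.0.0.1 3306

# Assumed invocation with the post's names (needs network, so left as comments):
#   ssh -fN -o ExitOnForwardFailure=yes -L 3306:192.168.0.12:3306 os2@netgear.dyndns.org
#   mysqladmin -h 127.0.0.1 -P 3306 -u mysql2 version
```

On Unix-like clients, `-h localhost` makes the MySQL tools use the local socket file instead of TCP, which is why the commented line uses `127.0.0.1`.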



