I'm trying to configure an SSH tunnel to pass MySQL calls to a remote DB (remote_mysql_server) through a host that has access to it (remote_host), but I don't know what the difference is between these two (notice the colon : before the local port):
> ssh -f username@remote_host -L 3306:remote_mysql_server:3306 -N
> lsof -i :3306
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ssh 16797 vagrant 4u IPv6 31697 0t0 TCP localhost:mysql (LISTEN)
ssh 16797 vagrant 5u IPv4 31698 0t0 TCP development:mysql (LISTEN)
and
> ssh -f username@remote_host -L :3306:remote_mysql_server:3306 -N
> lsof -i :3306
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ssh 16805 vagrant 4u IPv6 31697 0t0 TCP *:mysql (LISTEN)
ssh 16805 vagrant 5u IPv4 31698 0t0 TCP *:mysql (LISTEN)
Both of them let me run mysql -h 127.0.0.1 -u dbusername -pPasswordDB database.
The format of -L option is:
-L [bind_address:]port:host:hostport
The bind_address: part is optional; if it is missing, the tunnel binds to localhost only (the default behavior can be changed with the GatewayPorts option in the ssh configuration). But if you specify it, it binds to what you specify, or to all interfaces if you use an empty bind_address or *.
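A quick way to verify which of the two cases you are in is to read the lsof listing and classify every LISTEN socket by its bind address, since "*" means the forwarded port is reachable from any host that can route to your machine. The following is an added example for this thread (not code from the thread or from OpenSSH); its sample input is constructed from the two listings in the question, and the live_listeners helper assumes lsof is installed.

```python
"""Classify listening sockets from `lsof -i` output as loopback-only,
bound to a specific address, or bound to all interfaces.
Added example; not code from the thread or from OpenSSH."""
import re
import subprocess

# Constructed sample: the first two rows come from the "-L 3306:..." tunnel
# (pid 16797), the last two from the "-L :3306:..." tunnel (pid 16805).
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ssh 16797 vagrant 4u IPv6 31697 0t0 TCP localhost:mysql (LISTEN)
ssh 16797 vagrant 5u IPv4 31698 0t0 TCP development:mysql (LISTEN)
ssh 16805 vagrant 4u IPv6 31697 0t0 TCP *:mysql (LISTEN)
ssh 16805 vagrant 5u IPv4 31698 0t0 TCP *:mysql (LISTEN)
"""

# One lsof row: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (LISTEN)
LISTEN_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+\S+\s+\S+\s+(IPv4|IPv6)\s+\S+\s+\S+\s+TCP\s+(\S+):(\S+)\s+\(LISTEN\)$"
)
LOOPBACK_NAMES = {"localhost", "ip6-localhost", "::1"}


def classify_bind(addr):
    """'all-interfaces' for '*', 'loopback' for 127.x/::1 and their usual
    names, otherwise 'specific' (a name or address lsof resolved; rerun
    lsof with -nP to see the numeric form)."""
    addr = addr.strip("[]")
    if addr == "*":
        return "all-interfaces"
    if addr in LOOPBACK_NAMES or addr.startswith("127."):
        return "loopback"
    return "specific"


def parse_listeners(text):
    """Parse lsof -i output into one dict per LISTEN socket."""
    rows = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue  # header line or a socket that is not listening
        cmd, pid, family, addr, port = m.groups()
        rows.append({"command": cmd, "pid": int(pid), "family": family,
                     "bind": addr, "port": port, "scope": classify_bind(addr)})
    return rows


def exposed_pids(text):
    """PIDs that listen on every interface, i.e. tunnels other hosts can use."""
    return {r["pid"] for r in parse_listeners(text) if r["scope"] == "all-interfaces"}


def live_listeners(port):
    """Same check against the running system (assumes lsof is installed)."""
    out = subprocess.run(["lsof", "-nP", "-i", f":{port}"],
                         capture_output=True, text=True, check=False)
    return parse_listeners(out.stdout)


if __name__ == "__main__":
    for row in parse_listeners(SAMPLE_LSOF):
        print(f"pid {row['pid']} {row['family']} {row['bind']}:{row['port']} -> {row['scope']}")
    print("listening on all interfaces:", sorted(exposed_pids(SAMPLE_LSOF)))
```

Run it against the sample and only pid 16805 (the :3306 form) is reported; with lsof -nP the "development" row shows its numeric address, which tells you whether that socket is really loopback or an interface address.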
Related
I'm trying to open TCP and UDP port 7774 on a Google Cloud VM instance, without results.
I'm sure that my server is using this network. For example, the SSH port is open; the RDP port should also be open, but I can't communicate with the server on this port. The same situation is with port 7774: I have to set up something that needs this port to communicate, but I don't know how.
I also added rules to iptables:
iptables -A INPUT -p tcp -d 0/0 -s 0/0 --dport 7774 -j ACCEPT
iptables -A INPUT -p udp -d 0/0 -s 0/0 --dport 7774 -j ACCEPT
Without any results.
I'm trying to make MySQL available on 2 ports: 3306 and 3339.
I added a rule to iptables:
iptables -t nat -A PREROUTING -i bond0 -p tcp --dport 3339 -j REDIRECT --to-port 3306
and everything works for remote connections.
But if I try to connect locally, I get an error:
mysql -u username -ppassword --port=3339 -h Host.Name
ERROR 2003 (HY000): Can't connect to MySQL server on 'Host.Name' (111)
Any ideas how I can edit iptables to get local access via port 3339?
Since PREROUTING isn't used by the loopback interface we have to add one more rule:
iptables -t nat -I OUTPUT -p tcp -o lo --dport 3339 -j REDIRECT --to-ports 3306
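The gap is easy to reintroduce later (a rule added for one interface, forgotten for lo), so it is worth checking mechanically. Below is an added example for this thread (not code from the thread or from iptables) that parses an iptables-save dump, lists the nat REDIRECT rules, and reports every port redirected in PREROUTING that has no OUTPUT counterpart for the loopback interface. The dump it runs on is constructed from the question's single rule.

```python
"""Audit an iptables-save dump for nat REDIRECT rules that apply to incoming
traffic (PREROUTING) but not to locally generated traffic (OUTPUT on lo).
Added example; not code from the thread or from iptables."""
import shlex

# Constructed iptables-save output containing only the question's rule.
SAMPLE_SAVE = """\
# constructed iptables-save output
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i bond0 -p tcp -m tcp --dport 3339 -j REDIRECT --to-ports 3306
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""

# The same dump after the OUTPUT rule from the answer has been added.
FIXED_SAVE = SAMPLE_SAVE.replace(
    "COMMIT\n*filter",
    "-A OUTPUT -o lo -p tcp -m tcp --dport 3339 -j REDIRECT --to-ports 3306\nCOMMIT\n*filter",
    1,
)


def parse_nat_redirects(save_text):
    """Return one dict per '-A ... -j REDIRECT' rule in the nat table."""
    table, rules = None, []
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]          # "*nat", "*filter", ...
            continue
        if table != "nat" or not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        rule = {"chain": toks[1], "in_iface": None, "out_iface": None,
                "proto": None, "dport": None, "to_port": None, "target": None}
        i = 2
        while i < len(toks):
            flag = toks[i]
            # a flag's value is the next token unless that token is itself a flag
            value = toks[i + 1] if i + 1 < len(toks) and not toks[i + 1].startswith("-") else None
            if flag == "-i":
                rule["in_iface"] = value
            elif flag == "-o":
                rule["out_iface"] = value
            elif flag == "-p":
                rule["proto"] = value
            elif flag == "--dport":
                rule["dport"] = int(value)
            elif flag in ("--to-ports", "--to-port"):
                rule["to_port"] = int(value.split("-")[0])  # a range keeps its low end
            elif flag == "-j":
                rule["target"] = value
            # -m, --syn, "!" and other tokens are not needed for this audit
            i += 2 if value is not None else 1
        if rule["target"] == "REDIRECT":
            rules.append(rule)
    return rules


def missing_loopback_redirects(save_text):
    """(dport, to_port) pairs redirected in PREROUTING that no nat/OUTPUT rule
    for the loopback interface also redirects."""
    redirects = parse_nat_redirects(save_text)
    pre = {(r["dport"], r["to_port"]) for r in redirects if r["chain"] == "PREROUTING"}
    out = {(r["dport"], r["to_port"]) for r in redirects
           if r["chain"] == "OUTPUT" and r["out_iface"] in (None, "lo")}
    return sorted(pre - out)


def loopback_rule(dport, to_port):
    """The OUTPUT rule that closes the gap, in the same form as the answer."""
    return f"iptables -t nat -I OUTPUT -p tcp -o lo --dport {dport} -j REDIRECT --to-ports {to_port}"


if __name__ == "__main__":
    for dport, to_port in missing_loopback_redirects(SAMPLE_SAVE):
        print(f"port {dport} -> {to_port} is redirected for incoming traffic only; add:")
        print("  " + loopback_rule(dport, to_port))
    print("after the fix:", missing_loopback_redirects(FIXED_SAVE))
```

Feed it the real output of iptables-save -t nat on the host; an OUTPUT rule without -o also counts as covering lo, because locally generated packets traverse nat/OUTPUT regardless of which interface they leave on.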
Recently I've managed to block all unused ports on my dedicated server (Linux CentOS, latest 64-bit), but whenever I do so, sites that connect to my database simply cannot connect.
iptables -A INPUT -i lo -p tcp --dport 3306 -j ACCEPT
iptables -A OUTPUT -o lo -p tcp --sport 3306 -j ACCEPT
I believe it has something to do with the OUTPUT port, but I am not sure.
Thanks.
If you want to allow remote incoming MySQL connections you will need to define an INPUT rule that is not restricted to your local interface:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
In CentOS this is defined in the /etc/sysconfig/iptables file. Then restart:
sudo service iptables restart
Alternatively, from the command line, you can use:
sudo system-config-firewall-tui
to configure your firewall. It is in the package of the same name:
sudo yum install system-config-firewall-tui -y
How do I configure two different ports for MySQL on the same machine? I know that the default port is 3306, but I also want to configure 3307 and 3308. Is it possible?
One bonus question with current one ;)
Can we assign different ports to different databases, and also assign/create credentials for each?
You can use the --port=port_num option. Have a look here for more information on how to configure multiple mysql instances.
You can launch several instances of mysql:
mysqld_safe --defaults-file=/path/to/my.cnf1
mysqld_safe --defaults-file=/path/to/my.cnf2
mysqld_safe --defaults-file=/path/to/my.cnf3
and change the port parameter in the [mysqld] section of each my.cnf.
If you want to have only one mysqld process/database you can use port redirection (on Linux):
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3307 -j REDIRECT --to-port 3306
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3308 -j REDIRECT --to-port 3306
You can copy /etc/mysql/my.cnf, change the port in it and change the paths to the data dirs as well, because I'm pretty sure you can't have more than one instance of mysql serving from the same directories.
Check http://dev.mysql.com/doc/refman/5.1/en/multiple-servers.html.
Example:
cp /etc/mysql/my.cnf /etc/mysql/my-3307.cnf
# edit my-3307.cnf, for example:
port = 3307
basedir = /var/lib/mysql-3307
datadir = /var/lib/mysql-3307
# end of edit
mysql_upgrade --defaults-file=/etc/mysql/my-3307.cnf # checks the syntax and creates the dirs you need
# start mysqld
mysqld --defaults-file=/etc/mysql/my-3307.cnf
mysqld_multi is by far the best way to handle different instances of mysql.
Some more useful tips:
mysqld_multi --example
Check whether AppArmor is keeping mysql from accessing /var/lib/mysql2 if you get weird permission errors.
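Whichever launcher you use, the thing that actually breaks a second instance is a value shared with the first one: the port, the Unix socket or the datadir. The following is an added example for this thread (not code from the thread or from MySQL) that clones a base my.cnf for an extra port, rewrites those per-instance values under [mysqld] and [client], and then checks a set of configs for any value two instances still share. The base file and the /var/lib/mysql-PORT, /var/run/mysqld/mysqld-PORT.sock naming are constructed for the example.

```python
"""Generate per-port my.cnf clones and detect values two MySQL instances
would share. Added example; not code from the thread or from MySQL."""

# Constructed sample of a base /etc/mysql/my.cnf.
BASE_MY_CNF = """\
[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock

[mysqld]
user = mysql
port = 3306
socket = /var/run/mysqld/mysqld.sock
datadir = /var/lib/mysql
bind-address = 127.0.0.1
skip-external-locking
"""

# Values that must differ between instances on one machine.
PER_INSTANCE_KEYS = ("port", "socket", "datadir")


def _norm(key):
    """MySQL treats '-' and '_' in option names as equivalent."""
    return key.strip().replace("_", "-")


def render_instance(base_text, port):
    """Clone a my.cnf for one extra instance: the per-instance keys present
    under [mysqld] (and port/socket under [client]) get port-specific values.
    The path scheme below is an assumption of this example."""
    values = {
        "port": str(port),
        "socket": f"/var/run/mysqld/mysqld-{port}.sock",
        "datadir": f"/var/lib/mysql-{port}",
    }
    out, section = [], None
    for line in base_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
        elif (section in ("mysqld", "client") and "=" in stripped
              and not stripped.startswith(("#", ";"))):
            key = _norm(stripped.split("=", 1)[0])
            if key in values and (section == "mysqld" or key in ("port", "socket")):
                line = f"{key} = {values[key]}"
        out.append(line)
    return "\n".join(out) + "\n"


def parse_section(text, section="mysqld"):
    """Option/value pairs of one section; value-less options map to None."""
    current, opts = None, {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(("#", ";")):
            continue
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1]
            continue
        if current != section:
            continue
        key, sep, val = s.partition("=")
        opts[_norm(key)] = val.strip() if sep else None
    return opts


def find_conflicts(configs):
    """configs maps instance name -> my.cnf text. Returns one message per
    per-instance value that two instances share (empty list when clean)."""
    seen, conflicts = {}, []
    for name, text in configs.items():
        opts = parse_section(text)
        for key in PER_INSTANCE_KEYS:
            val = opts.get(key)
            if val is None:
                continue
            if (key, val) in seen:
                conflicts.append(f"{key}={val} shared by {seen[(key, val)]} and {name}")
            else:
                seen[(key, val)] = name
    return conflicts


if __name__ == "__main__":
    configs = {"base": BASE_MY_CNF}
    for port in (3307, 3308):
        configs[f"my-{port}"] = render_instance(BASE_MY_CNF, port)
        print(f"--- my-{port}.cnf ---\n{configs[f'my-{port}']}")
    print("conflicts:", find_conflicts(configs) or "none")
```

The conflict check is the useful part to keep around: run it over every --defaults-file you hand to mysqld_safe or mysqld_multi before starting anything, and a shared socket or datadir shows up as text instead of as a failed start-up.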
I'm using CentOS.
It's not that simple.
Edit the file /etc/my.cnf; search for and change, or add, the line: port=port_number.
semanage port -a -t mysqld_port_t -p tcp port_number
Restart the MySQL server: service mysqld restart
I want to whitelist 2 external IP addresses for port 3306 (mysql), but block all other IP addresses on port 3306 on a Debian server running a MySQL instance. Both external IP addresses should be able to connect to the MySQL server.
What is the best way in iptables?
What I did:
/sbin/iptables -A INPUT -p tcp -d 127.0.0.1 --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 1.1.1.1 --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 85.x.x.x --dport 3306 -j ACCEPT
(1.1.1.1 is an internal IP and is masked here for security purposes)
## Block all connections to 3306 ##
/sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP
What happened:
every external IP is blocked and can't connect
What should happen:
every external IP is blocked and can't connect, except 1.1.1.1, 85.x.x.x and 127.0.0.1
iptables -N mysql # create chain for mysql
iptables -A mysql --src 127.0.0.1 -j ACCEPT
iptables -A mysql --src 1.1.1.1 -j ACCEPT
iptables -A mysql --src 85.x.x.x -j ACCEPT
iptables -A mysql -j DROP # drop packets from other hosts
iptables -I INPUT -m tcp -p tcp --dport 3306 -j mysql # use chain for packets to MySQL port
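The reason the first attempt blocked everyone is that -d matches the packet's destination address, and the destination of every incoming MySQL connection is the server's own address, so only the 127.0.0.1 rule ever matched and the DROP caught the rest. The following is an added example for this thread (not code from the thread or from iptables): a small first-match evaluator that parses both rule sets as written above and shows the verdict each client gets. The server address 203.0.113.10, the stand-in 198.51.100.7 for the masked 85.x.x.x and the "other client" 192.0.2.99 are constructed documentation addresses; 1.1.1.1 is kept as the question wrote it.

```python
"""First-match evaluation of the two iptables rule sets from the thread.
Added example; a model of chain traversal, not iptables itself."""
import ipaddress
import shlex

SERVER_IP = "203.0.113.10"          # constructed: the MySQL host's own address
ALLOWED_INTERNAL = "1.1.1.1"        # as written (masked) in the question
ALLOWED_EXTERNAL = "198.51.100.7"   # constructed stand-in for 85.x.x.x
OTHER_EXTERNAL = "192.0.2.99"       # constructed: a client that must be blocked

QUESTION_RULES = [  # the question's rules: -d matches the destination address
    "iptables -A INPUT -p tcp -d 127.0.0.1 --dport 3306 -j ACCEPT",
    f"iptables -A INPUT -p tcp -d {ALLOWED_INTERNAL} --dport 3306 -j ACCEPT",
    f"iptables -A INPUT -p tcp -d {ALLOWED_EXTERNAL} --dport 3306 -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 3306 -j DROP",
]
ANSWER_RULES = [  # the answer's rules: a user chain keyed on --src
    "iptables -N mysql",
    "iptables -A mysql --src 127.0.0.1 -j ACCEPT",
    f"iptables -A mysql --src {ALLOWED_INTERNAL} -j ACCEPT",
    f"iptables -A mysql --src {ALLOWED_EXTERNAL} -j ACCEPT",
    "iptables -A mysql -j DROP",
    "iptables -I INPUT -m tcp -p tcp --dport 3306 -j mysql",
]


def parse_rule(cmd):
    """Parse the subset of iptables syntax used above into a rule dict."""
    toks = shlex.split(cmd)
    rule = {"chain": None, "insert": False, "new_chain": None, "proto": None,
            "src": None, "dst": None, "dport": None, "target": None}
    i = 1  # skip the "iptables" word
    while i < len(toks):
        t = toks[i]
        if t == "-N":
            rule["new_chain"] = toks[i + 1]
        elif t in ("-A", "-I"):
            rule["chain"], rule["insert"] = toks[i + 1], t == "-I"
        elif t == "-p":
            rule["proto"] = toks[i + 1]
        elif t in ("-s", "--src", "--source"):
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
        elif t in ("-d", "--dst", "--destination"):
            rule["dst"] = ipaddress.ip_network(toks[i + 1], strict=False)
        elif t == "--dport":
            rule["dport"] = int(toks[i + 1])
        elif t == "-j":
            rule["target"] = toks[i + 1]
        elif t in ("-m", "-i", "-o"):
            pass  # match extensions and interfaces are not modelled here
        else:
            raise ValueError(f"unsupported token {t!r} in {cmd!r}")
        i += 2
    return rule


def build_chains(cmds):
    """Apply the commands in order; -I inserts at the top, -A appends."""
    chains = {"INPUT": []}
    for cmd in cmds:
        r = parse_rule(cmd)
        if r["new_chain"]:
            chains.setdefault(r["new_chain"], [])
            continue
        lst = chains.setdefault(r["chain"], [])
        lst.insert(0, r) if r["insert"] else lst.append(r)
    return chains


def matches(rule, pkt):
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    return rule["dport"] is None or rule["dport"] == pkt["dport"]


def evaluate(chains, pkt, chain="INPUT", policy="ACCEPT"):
    """First matching terminal target wins; a user chain that runs out of
    rules returns to its caller (None); a built-in chain falls back to policy."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None
        verdict = evaluate(chains, pkt, chain=target, policy=None)
        if verdict is not None:
            return verdict
    return policy


def verdicts(rules):
    """Verdict per client for a TCP connection to port 3306."""
    chains = build_chains(rules)
    clients = {"loopback": "127.0.0.1", "internal": ALLOWED_INTERNAL,
               "external-allowed": ALLOWED_EXTERNAL, "external-other": OTHER_EXTERNAL}
    result = {}
    for name, src in clients.items():
        dst = "127.0.0.1" if src == "127.0.0.1" else SERVER_IP
        result[name] = evaluate(chains, {"proto": "tcp", "src": src, "dst": dst, "dport": 3306})
    return result


if __name__ == "__main__":
    print("question's rules:", verdicts(QUESTION_RULES))
    print("answer's rules:  ", verdicts(ANSWER_RULES))
```

With the question's rules every non-loopback client is dropped; with the answer's chain the two whitelisted sources and loopback are accepted and everything else is dropped, which is the stated goal.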