Ssh Port Forwarding

Home » CentOS » Ssh Port Forwarding
CentOS 7 Comments

Hello Everyone,

I am having a problem with setting up port forwarding from one of our local CentOS machines to an AWS EC2 instance. We are wanting to make mysql connections over an SSH tunnel.

In this case, lets say that hostA is our local machine, and hostB is the Amazon EC2 instance. I have tried several different variations (that I have found from google searching), including:
from hostA: SSH -L 22222:hostB:3306 user@hostB
from hostA: SSH -L 22222:localhost:3306 user@hostB
from hostA: SSH -L 22222:hostB:3306 user@localhost

No matter which variation I have tried, in every case, it will actually create an SSH connection to the hostB, and log me into hostB, giving me its prompt. If I try the port (22222) for the localhost (hostA) in another terminal window, it doesn’t allow the connection. netstat also doesn’t show port 22222 to be opened on the local machine (hostA).

I have turned on AllowTcpForwarding on both the remote machine and the local machine.

I have also made sure that port 22222 is opened on both machine firewalls (including the EC2 security group).

What am I doing incorrectly or missing?

7 thoughts on - Ssh Port Forwarding

  • At 18:20 12/07/2012, you wrote:

    Hi Doug,

    On HostA run the following within a screen session;

    ssh user@hostB -L 22222:127.0.0.1:3306

    Hope this helps.

    regards Tim Tim D’Cruz

  • Thanks for the feedback Tim.

    Using your string, I can now telnet to port 22222 on localhost (hostA) and I get the mysql connection string (from hostB), but it is not able to make a mysql connection (using mysql -u user -p -h localhost –port”222 from hostA), with a test user that I set up to allow connections from anywhere. The error that I am getting is:
    ERROR 2002 (HY000): Can’t connect to local MySQL server through socket
    ‘/var/lib/mysql/mysql.sock’ (2)

    I did test and the mysql test user that I created is able to connect from hostB.

    Why I can telnet to the port and get to mysql on hostB, but I can’t create the mysql connection to that port?

    Also, when I do this, it still opens up an SSH session, logging me into the remote machine, thus making it so I can’t use this terminal.

    The eventual goal is to do this in a script, that will open the connection, use it for the duration of the script, and then close it when the script finishes, but it looks like that won’t work, since it is logging me into the remote machine. I guess I could get around that by always leaving the screen session going with the connection, but I would prefer only creating the connection when I need it.

    Any ideas how to do this without leaving the connection open all the time?

  • Thanks. This worked. I have not ever run across this issue before, so I
    didn’t know that using localhost tied mysql to only a socket connection, but now I do.

  • At 19:15 12/07/2012, you wrote:

    Hi Doug,

    Glad I could help.

    Because the mysql connection is via an SSH tunnel, you need to ensure on the MySQL server hostB
    that is allows the mysql user access from 127.0.0.1 on hostB as that is effectively where the MySQL
    server on hostB sees the connection coming from.

    Yes you need to run it is a screen session if you want it permanently connected.

    I have used an expect script to do this in the past. Which allows you to remotely log in to a server. Downside is you need to store the password in plain text in the expect script. So make sure only root can read the script. Or setup a lower privilege user to use sudo and do it that way.

    regards Tim Tim D’Cruz

  • Doug,

    It’s also possible to send SSH to the background and also skip remote commands (perfect for tunneling).

    Options for SSH command:
    -f ………. background
    -N ……… skip remote commands

    ** Personally I’d look for a more robust tunnel/VPN alternative. **
    1) OpenSSH tun/tap devices – but this should really be used for a
    ‘one-off’ quick tunnel => requires root to establish, so it’s not ideal for every situation! (think roadwarriors, etc)
    2) OpenVPN – SSL VPN – software/application based – simpler to set up as a result
    3) OpenSWAN – IPSec VPN – hooks into the kernel (netkey or klips)

    —~~.~~-

  • Hello Mike, I think these were the options that I was missing. I was able to create the tunnel, and get my prompt back (so it will work within a script), without a screen session. Thanks for this tip.

    Trying to get this connection over SSH is just a short term solution. We will be setting up a vpn tunnel between the systems in the near future (but probably still 2-3 weeks out), but I was needing to get something else running before then. The SSH solution works for the short term, until we have an opportunity to get the vpn working.

    Thanks to every one for the assistance with this issue.

LEAVE A COMMENT