Problem

Workstation 1 needs to connect to Database Server, which is located in another part of the globe and is not reachable from Workstation 1 directly.

Prerequisites

• Workstation 1 and Workstation 2 are on the same network.
• Workstation 3 and Database Server are on the same network.
• Workstation 2 can connect to Workstation 3 via SSH.
• Port 4321 at mycompany.com is forwarded to port 22 of Workstation 3.
• Workstation 2 has no firewall rule that prevents Workstation 1 from connecting to it (in particular, Workstation 1 must be able to reach the port we will open on Workstation 2 below).
• Database Server allows connection from Workstation 3.

Solution

Create an SSH tunnel from Workstation 2 to Workstation 3 that Workstation 1's database connection can pass through on its way to Database Server.

Steps:

1. Go to Workstation 2 and make sure it can connect to Workstation 3 by issuing the following commands:

[user1@Workstation2 ~] ssh user1@mycompany.com -p 4321
user1@mycompany.com's password:
Last login: Mon Feb 21 21:55:54 2011 from Workstation2
[user1@Workstation3 ~] exit
[user1@Workstation2 ~]

If you can do the above, then we are set to do tunneling.

2. Still on Workstation 2 issue the following command:

[user1@Workstation2 ~] ssh -f user1@mycompany.com -p 4321 -L 192.168.70.2:1234:192.168.50.2:3306 -N
user1@mycompany.com's password:
[user1@Workstation2 ~]

We will define each one of the parameters:

-f

This tells ssh to go to the background just before command execution. Combined with -N below, it leaves the forwarding running in the background once you have authenticated.

user1@mycompany.com

This defines your username and the address of the remote computer. Here that address belongs to the firewall in front of Workstation 3, not to Workstation 3 itself.

-p 4321

This is the port on the firewall that is forwarded to port 22 of Workstation 3. If Workstation 3's sshd were reachable directly on port 22, this parameter could be omitted.

-L 192.168.70.2:1234:192.168.50.2:3306

This is where the magic happens. -L means you want a local port (on Workstation 2) to be forwarded, through the SSH connection to Workstation 3, to a host (Database Server) and port (3306) on the remote side. Just to be clear, the local side is the computer network in Africa (Workstation 1 and Workstation 2) while the remote side is the computer network in South America (Workstation 3 and Database Server).

The numbers after -L are separated by colons (:) and mean the following:

192.168.70.2 is the address on the local computer (Workstation 2) that the listening socket is bound to. It has to be Workstation 2's network address rather than the default 127.0.0.1; otherwise only programs on Workstation 2 itself could use the tunnel and Workstation 1 could not.

1234 is the port on the local computer (Workstation 2) that listens for connections.

192.168.50.2 is the address of the remote computer (Database Server) as seen from Workstation 3.

3306 is the port to connect to on the remote computer.

Two things to keep in mind about this forwarding. First, only the hop between Workstation 2 and Workstation 3 is encrypted by SSH; the hop from Workstation 1 to port 1234 on Workstation 2, and the hop from Workstation 3 to Database Server, carry plain MySQL traffic. Second, because the socket is bound to 192.168.70.2, any host that can reach that address on port 1234 can use the tunnel, so the firewalling of Workstation 2 mentioned in the prerequisites is what limits who gets to talk to Database Server.

-N

This tells ssh not to execute a remote command: no shell is opened on Workstation 3, because the connection exists only to forward ports. Note that this is a choice made by the client, not a restriction enforced by the server; if you want Workstation 3 to allow only tunneling for this account, that has to be configured on the server side (for example with a forced command or the restrict/permitopen options on the authorized key).

Once you have issued the above command and entered your password, the ssh connection will go in the background. The tunnel is now created.

3. To use the tunnel, go to Workstation 1 and run mysql against Workstation 2's forwarded port instead of Database Server's own address:

[user1@Workstation1 ~] mysql -h 192.168.70.2 -P 1234 -u dbuser -pdbpasswd dbname

(Passing the password on the command line as -pdbpasswd leaves it in your shell history and in the process list visible to other users on Workstation 1; giving a bare -p so that mysql prompts for it is the safer habit.)

That's all there is to it. Workstation 1 is now connected to Database Server: its MySQL session goes to port 1234 on Workstation 2, through the SSH connection to Workstation 3, and from there to port 3306 on Database Server.
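The three steps above, as an added example written for this page (not the original post's commands), in one POSIX shell script meant to be run on Workstation 2. It keeps the post's values as defaults and adds what a practitioner would want around them: a check that the -L spec is well formed before ssh is launched, ExitOnForwardFailure so a failed bind of port 1234 does not silently background, ServerAlive options so a dead tunnel is noticed rather than leaving a stale listener, and a control socket so the tunnel can be checked and closed without hunting for the ssh process. The DBTUNNEL_* variable names, the control socket path and the subcommand names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original post's code. Run on Workstation 2.
# Assumed names: the DBTUNNEL_* variables and the control socket path.
set -eu

DBTUNNEL_JUMP=${DBTUNNEL_JUMP:-user1@mycompany.com}   # firewall in front of Workstation 3
DBTUNNEL_JUMP_PORT=${DBTUNNEL_JUMP_PORT:-4321}        # forwarded to port 22 on Workstation 3
DBTUNNEL_SPEC=${DBTUNNEL_SPEC:-192.168.70.2:1234:192.168.50.2:3306}
DBTUNNEL_SOCK=${DBTUNNEL_SOCK:-"$HOME/.ssh/dbtunnel.sock"}   # assumed control socket path

# Return 0 if $1 is an integer in 1..65535, 1 otherwise.
valid_port() {
    case "${1:-}" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Split a bind_addr:local_port:remote_host:remote_port spec (the -L argument)
# into its four fields, printed space separated. Fails on a spec that does
# not have exactly four non-empty fields or whose ports are out of range.
# IPv4 addresses and hostnames only: an IPv6 literal would need the [addr]
# form and is not handled here.
parse_forward() {
    spec=$1
    case "$spec" in
        *:*:*:*:*) return 1 ;;   # more than four fields
        *:*:*:*)   ;;            # exactly four fields
        *)         return 1 ;;   # fewer than four fields
    esac
    bind_addr=${spec%%:*};  rest=${spec#*:}
    lport=${rest%%:*};      rest=${rest#*:}
    rhost=${rest%%:*};      rport=${rest#*:}
    [ -n "$bind_addr" ] && [ -n "$rhost" ] || return 1
    valid_port "$lport" && valid_port "$rport" || return 1
    printf '%s %s %s %s\n' "$bind_addr" "$lport" "$rhost" "$rport"
}

# Step 2: open the tunnel in the background, as a control master so it can be
# checked and closed later by its socket rather than by pid.
start_tunnel() {
    parse_forward "$DBTUNNEL_SPEC" >/dev/null || {
        echo "bad forward spec: $DBTUNNEL_SPEC" >&2; return 1; }
    ssh -f -N \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -M -S "$DBTUNNEL_SOCK" \
        -p "$DBTUNNEL_JUMP_PORT" \
        -L "$DBTUNNEL_SPEC" \
        "$DBTUNNEL_JUMP"
}

# Ask the background master whether it is still alive (exit status 0 = yes).
tunnel_status() { ssh -S "$DBTUNNEL_SOCK" -O check "$DBTUNNEL_JUMP" 2>/dev/null; }

# Tear the tunnel down through the control socket.
stop_tunnel() { ssh -S "$DBTUNNEL_SOCK" -O exit "$DBTUNNEL_JUMP"; }

# Step 3, normally run from Workstation 1 with the same bind address and port:
# connect to the forwarded port. A bare -p makes mysql prompt for the password
# instead of leaving it in shell history and the process list.
use_tunnel() {
    set -- $(parse_forward "$DBTUNNEL_SPEC")   # bind_addr lport rhost rport
    mysql -h "$1" -P "$2" -u dbuser -p dbname
}

case "${1:-}" in
    up)     start_tunnel && echo "tunnel up on $DBTUNNEL_SPEC" ;;
    status) tunnel_status && echo "tunnel alive" || echo "tunnel down" ;;
    down)   stop_tunnel ;;
    mysql)  use_tunnel ;;
    *)      echo "usage: $0 up|status|down|mysql" ;;
esac
```

Usage: `./dbtunnel.sh up` on Workstation 2 replaces the manual ssh command in step 2, `./dbtunnel.sh status` tells you whether the background connection is still alive before you debug a failed mysql connection, and `./dbtunnel.sh down` closes it cleanly. With ExitOnForwardFailure=yes, a port 1234 that is already in use makes ssh exit with an error instead of leaving you with a backgrounded connection that forwards nothing.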
