Linode Forum
Linode Community Forums
PostPosted: Wed Mar 02, 2011 12:12 pm 
Senior Newbie

Joined: Wed Mar 02, 2011 12:02 pm
Posts: 6
I am attempting to use MySQL Workbench to tunnel into the server and connect to the db. Here is a mock setup mirroring what I have:

Code:
SSH Hostname example.com:2220
SSH Username: myuser
(supplying password)

MySQL Hostname: 127.0.0.1
MySQL Server Port: 3306
Username: root
(supplying password)


I have verified that SSH is reachable on port 2220, and that the hostname bind for MySQL is indeed 127.0.0.1. The MySQL server port is 3306 according to my.cnf. I get the error:

Code:
Failed to Connect to MySQL at 127.0.0.1:3306 through SSH tunnel example.com:2222 with user root

Lost connection to MySQL server at 'reading initial communication packet', system error: 0


The MySQL server is shut off to the outside world (port 3306 closed and using 127.0.0.1 as bind address), but Workbench should tunnel me in through SSH, and access it locally, right? Using local apps (i.e.: phpMyAdmin) works fine. I'm on Ubuntu 10.04 LTS and have tried the Linux and OS X Workbench clients. Any ideas?


PostPosted: Wed Mar 02, 2011 1:01 pm 
Senior Member

Joined: Fri Jan 09, 2009 5:32 pm
Posts: 634
ssh won't just forward any port. You need to explicitly set up the port forward in your ssh connection.


PostPosted: Wed Mar 02, 2011 1:23 pm 
Senior Newbie

Joined: Wed Mar 02, 2011 12:02 pm
Posts: 6
Actually, I have iptables dropping all in the FORWARD chain. Would this be causing the issue?


PostPosted: Wed Mar 02, 2011 4:08 pm 
Senior Member

Joined: Fri Jan 09, 2009 5:32 pm
Posts: 634
trevorparker wrote:
Actually, I have iptables dropping all in the FORWARD chain. Would this be causing the issue?


No, that has nothing to do with it. If you can ssh in and get a command line, then you have ssh opened up properly. Add a port forward in your ssh client.


PostPosted: Wed Mar 02, 2011 6:06 pm 
Senior Newbie

Joined: Wed Mar 02, 2011 12:02 pm
Posts: 6
Fixed it. I first tried using telnet to establish a connection to MySQL from the server itself (telnet 127.0.0.1 3306) but it never connected. I tried localhost and the private IP to no avail. Finally I just did this:

Code:
iptables -A INPUT -p tcp -s 127.0.0.1 --sport 1024:65535 -d 127.0.0.1 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 127.0.0.1 --sport 3306 -d 127.0.0.1 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT


and now all is well. I can see MySQL with telnet, and Workbench connects just fine. Something to do with running mysql_secure_installation maybe?


PostPosted: Wed Mar 02, 2011 6:08 pm 
Senior Newbie

Joined: Wed Mar 02, 2011 12:02 pm
Posts: 6
glg wrote:
trevorparker wrote:
Actually, I have iptables dropping all in the FORWARD chain. Would this be causing the issue?


No, that has nothing to do with it. If you can ssh in and get a command line, then you have ssh opened up properly. Add a port forward in your ssh client.


A port forward on the server's SSH client? That would be a lot more graceful than what I did...


PostPosted: Wed Mar 02, 2011 9:36 pm 
Newbie

Joined: Mon Feb 14, 2011 5:02 pm
Posts: 4
Location: Norway
On Linux you can easily do that with the -L switch. You can bind your local port 3306 to the server's port 3306 with the following command:

ssh foo@bar -L 3306:localhost:3306

When the connection is up all you have to do is connect MySQL Workbench to localhost 3306.


PostPosted: Wed Mar 02, 2011 10:04 pm 
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
MySQL Workbench handles all of the ssh tunneling itself; there's no need to start up another ssh client... it wouldn't have done any good anyway, since iptables was dropping the traffic.

You probably want to allow all traffic across the loopback interface (lo), otherwise random stuff (like this :wink:) will break.

_________________
Code:
/* TODO: need to add signature to posts */
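
Added example (not part of the original posts): the tunnel's last hop is a connection from sshd to 127.0.0.1:3306, which passes the OUTPUT and INPUT chains on lo rather than FORWARD. The script below checks `iptables -S` output for the blanket loopback rules suggested above; the function names and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# lo_check CHAIN: reads `iptables -S` output on stdin and prints
#   open       - CHAIN accepts everything on lo (before any catch-all DROP)
#   policy     - no such rule, but the chain policy is ACCEPT
#   restricted - loopback traffic passes only where a specific rule matches
lo_check() {
    chain=$1
    case $chain in
        INPUT)  flag=-i ;;
        OUTPUT) flag=-o ;;
        *) echo "usage: lo_check INPUT|OUTPUT" >&2; return 2 ;;
    esac
    awk -v chain="$chain" -v flag="$flag" '
        $1 == "-P" && $2 == chain { policy = $3 }
        # A catch-all DROP placed before the lo rule makes that rule unreachable.
        $1 == "-A" && $2 == chain && NF == 4 &&
            $3 == "-j" && $4 == "DROP" && !open { dead = 1 }
        $1 == "-A" && $2 == chain && NF == 6 && $3 == flag &&
            $4 == "lo" && $5 == "-j" && $6 == "ACCEPT" && !dead { open = 1 }
        END {
            if (open) print "open"
            else if (policy == "ACCEPT") print "policy"
            else print "restricted"
        }'
}

# Constructed sample: default-drop policies plus the narrow 3306-only rules.
narrow_rules='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -p tcp -m tcp --dport 2220 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --sport 3306 -j ACCEPT'

# Constructed sample: same policies with blanket loopback rules added first.
lo_rules='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2220 -j ACCEPT'

audit() {  # prints "INPUT=<status> OUTPUT=<status>" for a ruleset string
    printf 'INPUT=%s OUTPUT=%s\n' \
        "$(printf '%s\n' "$1" | lo_check INPUT)" \
        "$(printf '%s\n' "$1" | lo_check OUTPUT)"
}

audit "$narrow_rules"
audit "$lo_rules"
```

On a live host the same check is `iptables -S | lo_check INPUT` (and `OUTPUT`), run as root.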


PostPosted: Wed Mar 02, 2011 10:52 pm 
Senior Newbie

Joined: Wed Mar 02, 2011 12:02 pm
Posts: 6
hoopycat wrote:
MySQL Workbench handles all of the ssh tunneling itself; there's no need to start up another ssh client... it wouldn't have done any good anyway, since iptables was dropping the traffic.

You probably want to allow all traffic across the loopback interface (lo), otherwise random stuff (like this :wink:) will break.


Very true. I was troubleshooting Cacti for an hour before I connected the dots. Thanks for the help everyone.


PostPosted: Thu Nov 03, 2011 9:26 pm 
Senior Newbie

Joined: Sat Feb 26, 2011 10:51 pm
Posts: 15
Sorry for reviving this old thread.

I'm getting stuck at the same point as you, though I haven't tried your solution because I still don't quite understand the purpose of those rules. Also, with the last comment from trevorparker, I feel it isn't such a good idea, is it?

