0

There are 3 machines as follows:

Machine A - Remote Exadata DB machine
Machine B - Remote machine from which only I can connect to port 1521 of Machine A
Machine C - Local Machine (To run SQL Developer and can't connect machineA directly)
Machine D - Bastion Server through which I connect to Machine B

Machine C can access service running in Machine B only using SSH tunnelling.

Is there any way I can access the Exadata DB from Machine A using SQL Developer running in Machine C?

I am trying this way:

ssh MachineD -L 15219:MachineB:15220 -L 15220:MachineA:1521 

which is not working.

miracle173
  • 7,797
  • 28
  • 42
kumarprd
  • 117
  • 1
  • 5

2 Answers

1

You tried

ssh MachineD -L 15219:MachineB:15220 -L 15220:MachineA:1521 

This did not work, but you are thinking in the right direction: you want to join two tunnels.

Log in to MachineD and make a tunnel from your MachineB port 15219 to MachineB port 15220:

ssh -L 15219:MachineD:15220 MachineD

So if you now send something to MachineC port 15219, then your ssh session (from MachineC to MachineD) sends it to MachineD port 15220.

If you do a

tnsping  '(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = MachineC)(PORT = 15219))(CONNECT_DATA = (SERVICE_NAME = ORCL)))'

you will get an error message

TNS-12541: TNS:no listener

or something similar, if you try to connect with SQL Developer.

Because if you now send something to MachineC port 15219 then your ssh session (from MachineC to MachineD) sends it to MachineD port 15220. And on MachineD port 15220 there is actually nobody listening.

Now in your ssh session on MachineD execute the following command:

ssh -L 15220:MachineA:1521 MachineB

Now you have opened an ssh session from MachineC to MachineB and data sent to MachineD port 15220 is read by this second ssh session and sent to MachineA port 1521. So you have two ssh sessions and the second one extends the first one.

But instead of opening one ssh session and in this ssh session opening the other one, you can do this in one command:

ssh -L 15219:MachineD:15220 MachineD ssh -L 15220:MachineA:1521 MachineB

by juxtaposing both commands. If another command follows an ssh command, this command is executed after login. To avoid an error message like

Pseudo-terminal will not be allocated because stdin is not a terminal.

you can use the -T option for the second `ssh` command.

ssh -L 15219:MachineD:15220 MachineD ssh -T -L 15220:MachineA:1521 MachineB

If you get some

bind: Address already in use
channel_setup_fwd_listener: cannot listen to port: 15220 

messages, then change the addresses.

e.g. use 15221 instead of 15220. Of course you must replace it in both positions:

 ssh -L 15219:MachineD:15221 MachineD ssh -T -L 15221:MachineA:1521 MachineB

I hope this works. It is possible to configure the ssh daemons such that local forwarding is not allowed.

You can concatenate an arbitrary number of tunnels.

I cannot test the -W option because I get

SSH-2.0-OpenSSH_5.3

Protocol mismatch.
miracle173
  • 7,797
  • 28
  • 42
0

You said it yourself: SSH tunneling.

On machine C:

ssh -L 12345:machineA:1521 machineB

Then use localhost:12345 in SQL Developer.

With the above, you log in to Machine B from Machine C using SSH, and create a tunnel to the listener port of Machine A through Machine B.

Balazs Papp
  • 41,488
  • 2
  • 28
  • 47
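The two answers above are the one-hop and two-hop cases of the same construction: each inner ssh is run as the remote command of the outer one, and each hop forwards a port to the next hop's listener. The script below is an added example, not code from either answer or from OpenSSH: it builds that nested command for any number of jump hosts (the first answer notes that an arbitrary number of tunnels can be concatenated) and also checks a server-side sshd_config for the setting that disables local forwarding. It differs from the first answer's command in two deliberate ways, both assumptions of this example: the forward target on each intermediate hop is localhost rather than the hop's own host name, because -L binds its listener to the loopback interface by default, and every ssh carries -o ExitOnForwardFailure=yes so that a "bind: Address already in use" on any hop aborts the whole chain instead of leaving a half-working tunnel. Host names MachineA..MachineD and the ports are the ones from the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example: chain local port forwards through N jump hosts.

# chain_tunnel_cmd LOCAL_PORT DEST_HOST DEST_PORT HOP1 [HOP2 ...]
# Prints (does not run) one command line of the shape used in the first answer:
#   ssh -L LOCAL_PORT:localhost:P1 HOP1 ssh -T -L P1:localhost:P2 HOP2 ... \
#       ssh -T -L Pn:DEST_HOST:DEST_PORT HOPn
# Intermediate relay ports are LOCAL_PORT+1, LOCAL_PORT+2, ... so they are
# distinct on each hop; pick another base port if one of them is already bound.
# -T is added to every inner ssh (no pseudo-terminal, as in the answer) and
# -o ExitOnForwardFailure=yes to every ssh (assumption of this example: fail
# loudly instead of continuing with a broken forward).
chain_tunnel_cmd() {
    local_port=$1; dest_host=$2; dest_port=$3
    shift 3
    [ $# -ge 1 ] || { echo "chain_tunnel_cmd: at least one hop required" >&2; return 1; }
    cmd=""
    listen=$local_port
    while [ $# -gt 0 ]; do
        hop=$1; shift
        if [ $# -eq 0 ]; then
            # Last hop: forward straight to the database listener.
            target="$dest_host:$dest_port"
        else
            # Intermediate hop: forward to the next inner ssh, which listens on
            # this hop's loopback interface.
            relay=$((listen + 1))
            target="localhost:$relay"
        fi
        if [ -z "$cmd" ]; then
            cmd="ssh -o ExitOnForwardFailure=yes -L $listen:$target $hop"
        else
            cmd="$cmd ssh -T -o ExitOnForwardFailure=yes -L $listen:$target $hop"
        fi
        [ $# -eq 0 ] || listen=$relay
    done
    printf '%s\n' "$cmd"
}

# open_chained_tunnel: same arguments as chain_tunnel_cmd, but runs the result.
# Keep the session open while SQL Developer or tnsping talks to
# localhost:LOCAL_PORT on this machine.
open_chained_tunnel() {
    cmd=$(chain_tunnel_cmd "$@") || return 1
    printf 'running: %s\n' "$cmd" >&2
    eval "$cmd"
}

# tcp_forwarding_allowed SSHD_CONFIG
# Server-side check for the case the first answer mentions (a daemon configured
# to refuse local forwarding). Returns 0 if the file permits -L forwards, 1 if
# not. Takes the first top-level "AllowTcpForwarding" directive, as sshd does
# for a keyword given more than once; the default when absent is "yes", and
# "local" also permits -L. Assumption of this example: Match blocks are
# ignored, so a per-user override inside one is not seen.
tcp_forwarding_allowed() {
    value=$(awk 'tolower($1)=="allowtcpforwarding" {print tolower($2); exit}' "$1")
    case "${value:-yes}" in
        yes|local) return 0 ;;
        *)         return 1 ;;
    esac
}

# Usage: sh tunnel_chain.sh 15219 MachineA 1521 MachineD MachineB
if [ $# -gt 0 ]; then
    chain_tunnel_cmd "$@"
fi
```

With the thread's hosts, `chain_tunnel_cmd 15219 MachineA 1521 MachineD MachineB` yields the first answer's two-hop command (with the two deliberate differences noted above), and `chain_tunnel_cmd 12345 machineA 1521 machineB` yields the second answer's single-hop command; in both cases SQL Developer connects to localhost on the first port. Because the inner ssh is the remote command of the outer one, closing the outer session tears the whole chain down, and any hop that refuses the forward (AllowTcpForwarding no) ends the chain immediately rather than leaving a listener that accepts connections and then drops them with TNS-12541.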