
We have existing SQL Connection strings like "tcp:aws.server.address,1433".

We can no longer connect to aws.server.address directly, and instead have to go through a jump server.

WITHOUT MODIFYING THE CONNECTION STRING, what do I have to do in Windows to make sure traffic targeting aws.server.address on port 1433 is actually forced to go through the local port (i.e. 5001) established through an SSH tunnel like this:

ssh -L 5001:aws.server.address:1433 [email protected]

I thought I could just use netsh interface portproxy with a listenaddress,listenport equal to aws.server.address,1433 with a connectaddress,connectport of 127.0.0.1,5001, but that doesn't seem to work. It does not "listen" for connections targeting the remote server and does not "connect" them to the local port I specify.

I also tried using the -N option for the ssh command to not open any command session. Perhaps I have to do some trickery with routing tables or ip tables?

The whole goal here is to reroute traffic targeting aws.server.address,1433 through this tunnel, so I don't have to change all the connection strings to some local address and port. There has to be a way to do this.

For example: This is basically a situation where I need to map a plurality of addresses, all targeting a single port (1433), to a single address (localhost) targeting multiple ports (unique jump host connections for a particular server).

remoteAddressA:port1433 -> forwarded to -> localhost:port5001

remoteAddressB:port1433 -> forwarded to -> localhost:port5002

where localhost:port5001 is an ssh tunnel through the jump server to remoteAddressA, and localhost:port5002 is another ssh tunnel through the jump server to remoteAddressB.

  • This is basically a situation where I need to map a plurality of addresses, all targeting a single port (1433), to a single address (localhost) targeting multiple ports (unique jump host connections for a particular server).
    – Triynko
    Commented Feb 25, 2020 at 19:58
  • Is it possible to use other means of connecting to the jumphost than SSH? Specifically, with a VPN server this would be a simple route, or at worst iptables DNAT on the jumphost. Commented Feb 25, 2020 at 20:01
  • I figured it out. I'll write up an answer. I just used a combination of the HOSTS file and netsh interface portproxy to add the port redirects. The TRICK is that the "listenaddress" cannot be remote. It has to be local. It doesn't have to be "localhost" (127.0.0.1), but it does have to be a local address LIKE 127.0.0.0/8. So basically, use the HOSTS file to force remoteAddressA onto an unused "local" address like 127.123.0.0, and then add a portproxy redirect for port 1433 on local address 127.123.0.0 to port 5001 on localhost 127.0.0.1. That routes it through the tunnel.
    – Triynko
    Commented Feb 25, 2020 at 20:46

1 Answer 1


Suppose you want to intercept a SQL Server connection to my.url on port 1433.

This can be done by first adding a HOSTS file entry so the URL resolves to a local address like this (add this line to HOSTS file):

127.5.0.1 my.url

Next, run the command "netsh interface portproxy add v4tov4" and specify its four parameters to map listenaddress 127.5.0.1 and listenport 1433 to the local connectaddress and connectport you want.
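The HOSTS-plus-portproxy procedure from this answer, scripted for the two-tunnel case described in the question. This is an added example, not the answer author's code; the host names, loopback addresses and tunnel ports are constructed placeholders, and it assumes an elevated PowerShell session with the SSH tunnels already running.

```powershell
# Requires an elevated (Administrator) PowerShell session.
# Constructed mapping for this example: remote SQL host name -> loopback address
# to pin it to in HOSTS, and the local port of the matching SSH tunnel, e.g.
#   ssh -N -L 5001:remoteA.example:1433 user@jumphost
$Mappings = @(
    @{ RemoteHost = 'remoteA.example'; Loopback = '127.5.0.1'; TunnelPort = 5001 },
    @{ RemoteHost = 'remoteB.example'; Loopback = '127.5.0.2'; TunnelPort = 5002 }
)
$SqlPort   = 1433
$HostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# portproxy is implemented by the IP Helper service; it must be running.
if ((Get-Service iphlpsvc).Status -ne 'Running') { Start-Service iphlpsvc }

foreach ($m in $Mappings) {
    # 1. Pin the remote name to a loopback address so the unchanged connection
    #    string resolves locally. Only append the line if it is not already there.
    $pattern = '^\s*{0}\s+{1}\s*$' -f [regex]::Escape($m.Loopback), [regex]::Escape($m.RemoteHost)
    if (-not (Select-String -Path $HostsFile -Pattern $pattern -Quiet)) {
        Add-Content -Path $HostsFile -Value "$($m.Loopback) $($m.RemoteHost)"
    }

    # 2. Redirect <loopback>:1433 to the local end of the SSH tunnel. The listen
    #    address must be local; any 127.0.0.0/8 address is accepted.
    netsh interface portproxy add v4tov4 `
        "listenaddress=$($m.Loopback)" "listenport=$SqlPort" `
        "connectaddress=127.0.0.1" "connectport=$($m.TunnelPort)" | Out-Null
}

# Drop cached lookups so the new HOSTS entries take effect immediately.
ipconfig /flushdns | Out-Null

# 3. Verify: the name must resolve to the loopback address, and the port must
#    accept a TCP connection (this part only succeeds while the tunnel is up).
foreach ($m in $Mappings) {
    $resolved = ([System.Net.Dns]::GetHostAddresses($m.RemoteHost) |
                 ForEach-Object IPAddressToString) -join ','
    $tcp = Test-NetConnection -ComputerName $m.RemoteHost -Port $SqlPort `
                              -WarningAction SilentlyContinue
    '{0,-18} -> {1,-12} port {2}: {3}' -f $m.RemoteHost, $resolved, $SqlPort, $tcp.TcpTestSucceeded
}

# Current redirect table, for the record.
netsh interface portproxy show v4tov4
```

Both the HOSTS lines and the portproxy entries persist across reboots, so remove them with "netsh interface portproxy delete v4tov4" and by editing HOSTS when a tunnel is retired. Only name resolution is redirected here: a connection string that uses an IP literal instead of a host name is not affected.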
