If you only want to list tunnels created by ssh:
% sudo lsof -i -n | egrep '\<ssh\>'
ssh 19749 user 3u IPv4 148088244 TCP x.x.x.x:39689->y.y.y.y:22 (ESTABLISHED)
ssh 19749 user 4u IPv6 148088282 TCP [::1]:9090 (LISTEN)
ssh 19749 user 5u IPv4 148088283 TCP 127.0.0.1:9090 (LISTEN)
(that would be a -L 9090:localhost:80 tunnel)
If you want to see the tunnels / connections made to an sshd:
% sudo lsof -i -n | egrep '\<sshd\>'
sshd 15767 root 3u IPv4 147401205 TCP x.x.x.x:22->y.y.y.y:27479 (ESTABLISHED)
sshd 15842 user 3u IPv4 147401205 TCP x.x.x.x:22->y.y.y.y:27479 (ESTABLISHED)
sshd 15842 user 9u IPv4 148002889 TCP 127.0.0.1:33999->127.0.0.1:www (ESTABLISHED)
sshd 1396 user 9u IPv4 148056581 TCP 127.0.0.1:5000 (LISTEN)
sshd 25936 root 3u IPv4 143971728 TCP *:22 (LISTEN)
The ssh daemon listens on port 22 (last line), 2 subprocesses are spawned (first 2 lines, login of 'user'), a -R tunnel is created on port 5000, and a -L tunnel forwards a port from my (local) machine to localhost:80 (www).
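As an added example (not code from the answer above), the following script turns the reading of the lsof output described there into a check: every LISTEN socket held by the `ssh` client is the local end of a -L forward, every LISTEN socket held by a user's `sshd` child is the remote end of a -R forward, and any forward not bound to loopback is flagged, which is what `-g` / `GatewayPorts yes` produces. The sample lsof lines are constructed to resemble the answer's output; SSHD_PORT (used to skip the daemon's own listener) and the addresses are assumptions.

```shell
#!/bin/sh
# Added example, not part of the answer above: read `lsof -i -n -P` output and
# report every listening socket held by the ssh client or sshd as a port
# forward.  A LISTEN socket held by `ssh` is the local end of a -L forward; one
# held by a user's `sshd` child is the remote end of a -R forward.  Anything not
# bound to loopback is marked EXPOSED, which is what -g / GatewayPorts yes does.
# SSHD_PORT is an assumption: the daemon's own listener is skipped by port.

SSHD_PORT="${SSHD_PORT:-22}"

classify_ssh_forwards() {   # reads lsof output on stdin
  awk -v sshd_port="$SSHD_PORT" '
    $1 != "ssh" && $1 != "sshd"  { next }   # only the ssh client and server
    $NF != "(LISTEN)"            { next }   # forwards show up as LISTEN sockets
    {
      addr = $(NF-1)                         # 127.0.0.1:9090, [::1]:9090 or *:8080
      n = split(addr, part, ":")
      port = part[n]
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if ($1 == "sshd" && port == sshd_port) next     # the daemon itself, not a forward
      kind = ($1 == "ssh") ? "-L" : "-R"
      flag = ""
      if (host != "127.0.0.1" && host != "[::1]" && host != "localhost") flag = " EXPOSED"
      printf "%s %s pid=%s user=%s bind=%s%s\n", kind, port, $2, $3, addr, flag
    }'
}

# Constructed sample modelled on the answer's output (not real data).  With -P
# lsof prints port numbers, so the daemon line reads *:22 and www becomes 80.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
ssh     19749 user    3u  IPv4 148088244      0t0  TCP 10.0.0.5:39689->203.0.113.7:22 (ESTABLISHED)
ssh     19749 user    4u  IPv6 148088282      0t0  TCP [::1]:9090 (LISTEN)
ssh     19749 user    5u  IPv4 148088283      0t0  TCP 127.0.0.1:9090 (LISTEN)
sshd    25936 root    3u  IPv4 143971728      0t0  TCP *:22 (LISTEN)
sshd    15842 user    9u  IPv4 148002889      0t0  TCP 127.0.0.1:33999->127.0.0.1:80 (ESTABLISHED)
sshd     1396 user    9u  IPv4 148056581      0t0  TCP 127.0.0.1:5000 (LISTEN)
sshd     1396 user   10u  IPv4 148056582      0t0  TCP *:8080 (LISTEN)'

# On a live system:  sudo lsof -i -n -P | classify_ssh_forwards
printf '%s\n' "$SAMPLE_LSOF" | classify_ssh_forwards
```

On the constructed sample this prints two -L lines for port 9090 (IPv4 and IPv6), a -R line for 5000, and a -R line for 8080 marked EXPOSED because it is bound to all interfaces.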
On the MySQL server, you need to modify the file my.cnf, whose location depends on the OS: in Debian, it is in /etc/mysql, for instance. Edit it, find the line
[mysqld]
and add to it the following text:
[mysqld]
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
language = /usr/share/mysql/English
bind-address = The_IP_of_YOUR_MySQL_Server
# skip-networking
Here, what is important is that you comment out the line skip-networking, and that you insert, in the line bind-address, the IP of the server. Save, restart mysql (again, this depends on the OS), access MySQL with the usual
mysql -u root -p mysql
and allow access from your own remote IP to the existing database:
mysql> update db set Host='Your_own_remote_IP' where Db='webdb';
mysql> update user set Host='Your_own_remote_IP' where user='webadmin';
mysql> flush privileges;
Now go back to your remote system, and test the new functionality:
mysql -u webadmin -h The_IP_of_theMySQL_Server -p
For this to work, of course, you need a MySQL client on your Mac. You can now script your own MySQL queries, for instance, in a bash script as follows:
#!/bin/bash
# Note: a password passed as --password=... is visible to other local users in
# the process list (ps) and ends up in the shell history; a 0600 option file
# passed with --defaults-extra-file avoids both.
result=$(mysql -h The_IP_of_theMySQL_Server --user=webadmin --password=Your_Password --skip-column-names -e "select id from mydb.mytable where myattribute = 3")
EDIT:
This is required if you want to connect remotely directly to the MySQL server. If you just want to script your queries locally (i.e., on the server), then the MySQL client will do. You can find an introduction here.
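As an added example, not code from the answer above, here is the same procedure (remote access for webadmin to one database, then a scripted query) done the way a practitioner would harden it: a dedicated user@host entry created with CREATE USER / GRANT rather than rewriting rows in mysql.user and mysql.db, and the client password kept in a 0600 option file instead of on the command line. The server address, client address, user, database and password are placeholders (assumptions), and CREATE USER ... IF NOT EXISTS assumes MySQL 5.7+ or MariaDB 10.1+.

```shell
#!/bin/sh
# Added example, not part of the answer above.  Same goal (query the database
# from a remote host as webadmin) with two changes a practitioner would make:
#  1. grant the remote host its own user@host entry for one database with
#     CREATE USER / GRANT, which take effect at once, instead of UPDATEing rows
#     in mysql.user and mysql.db (that needs FLUSH PRIVILEGES and moves the
#     existing host entry rather than adding one);
#  2. keep the password in a 0600 option file read via --defaults-extra-file,
#     so it is not visible in `ps` or saved in shell history.
# All addresses, names and the password are placeholders (assumptions).

DB_HOST="${DB_HOST:-192.0.2.10}"          # the MySQL server
DB_USER="${DB_USER:-webadmin}"
DB_NAME="${DB_NAME:-webdb}"
CLIENT_IP="${CLIENT_IP:-198.51.100.4}"    # the remote machine that will connect

# SQL to run once on the server as root (mysql -u root -p).  CREATE USER ...
# IF NOT EXISTS needs MySQL 5.7+ / MariaDB 10.1+.  Privileges are limited to
# the one schema; no FLUSH PRIVILEGES is needed after GRANT.
grant_sql() {                 # $1 = password for the remote account
  cat <<EOF
CREATE USER IF NOT EXISTS '${DB_USER}'@'${CLIENT_IP}' IDENTIFIED BY '${1}';
GRANT SELECT, INSERT, UPDATE, DELETE ON \`${DB_NAME}\`.* TO '${DB_USER}'@'${CLIENT_IP}';
EOF
}

# Client-side option file, readable only by its owner.  The mysql client reads
# the [client] section, so host, user and password never appear in argv.
# The body runs in a subshell so the umask change does not leak out.
write_defaults_file() (       # $1 = path, $2 = password
  umask 077
  rm -f "$1"
  cat > "$1" <<EOF
[client]
host=${DB_HOST}
user=${DB_USER}
password=${2}
EOF
)

# Run one query with the option file.  --defaults-extra-file must be the first
# option on the mysql command line or the client ignores it.
run_query() {                 # $1 = option file, $2 = SQL statement
  mysql --defaults-extra-file="$1" --skip-column-names -e "$2"
}

# Demo: print the server-side SQL and create the client option file.
grant_sql 'Your_Password'
CNF="${MYSQL_CNF:-${HOME:-/tmp}/.my-webadmin.cnf}"
write_defaults_file "$CNF" 'Your_Password'
# Then, on the remote machine (needs the mysql client installed):
#   result=$(run_query "$CNF" "select id from ${DB_NAME}.mytable where myattribute = 3")
```

The GRANT deliberately lists only the data-manipulation privileges the web application needs; widen it only if the application actually needs DDL.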
Best Answer
I haven't tried it myself, but the --uid-owner and --gid-owner options for iptables rules appear to let you restrict connections based on UID and GID. In other words, specific users can be prevented from making outbound connections on a given interface. So maybe something like this (not tested), to block all access to loopback:
... or if your locked-down accounts are all in the same group:
If you need something more granular, this nixCraft post has an example of how to allow some ports, but not others.
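The answer above does not show its rules, so as an added example (not the answer's own) the script below builds the iptables OUTPUT rules that the owner match makes possible, one per user with --uid-owner or one for a whole group with --gid-owner, and prints them in iptables-restore format so they can be reviewed before being loaded. The user and group names are placeholders (assumptions); the caveats in the comments about where -m owner is valid and what -o lo covers are properties of iptables, not of the answer.

```shell
#!/bin/sh
# Added example, not part of the answer above (which does not show its rules).
# It prints an iptables-restore ruleset that uses the owner match to keep
# selected accounts off loopback, per user (--uid-owner) or per group
# (--gid-owner).  Rules are printed rather than applied so they can be reviewed
# and then loaded as root with:  iptables-restore -n < rules.txt
# User and group names are placeholders (assumptions).
#
# Caveats that matter in practice:
#  * -m owner is valid only in the OUTPUT chain (and nat POSTROUTING): the
#    owning process is known only for locally generated packets.
#  * connections to the host's own non-loopback addresses also leave via lo,
#    so "-o lo" covers 127.0.0.1 and the machine's own IPv4 address; IPv6
#    (::1) needs the same rules loaded with ip6tables-restore.
#  * --gid-owner matches the process's effective group by default, not its
#    supplementary groups.

owner_rule() {          # $1 = --uid-owner|--gid-owner, $2 = name, $3 = interface
  printf '%s\n' "-A OUTPUT -o $3 -m owner $1 $2 -j REJECT"
}

# One rule per locked-down account.
uid_block_rules() {     # $@ = user names
  for u in "$@"; do owner_rule --uid-owner "$u" lo; done
}

# One rule for a group that all locked-down accounts belong to.
gid_block_rules() {     # $1 = group name
  owner_rule --gid-owner "$1" lo
}

# Wrap rule lines in the filter-table block iptables-restore expects.
ruleset() {             # $@ = a rule-generating function and its arguments
  printf '*filter\n'
  "$@"
  printf 'COMMIT\n'
}

# Demo: per-user rules, then the per-group variant.
ruleset uid_block_rules alice bob
ruleset gid_block_rules nonet
```

Loading with `iptables-restore -n` appends these rules without flushing the chains already in place; use REJECT rather than DROP here so a locked-down process fails immediately instead of hanging on a connect to loopback.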