[clug-talk] SSH Port forwarding / Tunnel restrictions
gustin at echostar.ca
Wed Sep 9 13:06:28 PDT 2009
> Hey all,
> Is it possible to allow users an SSH connection but limit any tunneling
> capabilities to a specific IP?
Not really, not within ssh. You can limit what hosts or networks the
ssh server can connect to. If your kernel has the support for it, you
can even write iptables rules to match on a UID or GID.
> My goal is to set up an SSH server and an application server, and I want
> users to set up an SSH tunnel to a specific port on the application server
> so that way they won't have access to any other host's ports on the network..
Seems straight forward enough.
> I'm hoping the ssh server can do this via a config, but it looks like I
> might have to use an sshd with an iptables combo
You need to use iptables to limit access.
> but still not sure how to accomplish this..
Such a deceptively simple question. Some initial questions:
1) how many NICs does the ssh server have and how many networks is it
2) are there any other services or roles that we need to account for
(i.e. is the ssh server a router, web server, mail server, some of the
above, all of the above, none of the above, etc.).
The simplest rules (which may or may not fit your needs) would be to set
the default action to drop and only allow a certain port on a certain
host. This example also assumes that the ssh server has two NICs, one
connected to the Internet, and the other to your LAN. The IP 10.10.10.2
represents the IP of the server.
iptables -P OUTPUT DROP
# replies on already-accepted connections (including the users' own ssh sessions)
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# -o, not -i: the OUTPUT chain can only match on the outgoing interface
iptables -A OUTPUT -o eth1 -p tcp -d 10.10.10.2 --dport 3389 \
  --syn -m state --state NEW -j ACCEPT
Of course this may not work in your situation, so the usual YMMV.
> Any suggestions!?
Grammatical suggestions (hey you did not specify scope):
You don't need the exclamation point, as this was a question.
I highly recommend the book written by the guy who runs the site above.
You will find links on his page. It will step you through the iptables
basics all the way to some pretty advanced stuff. A good book
regardless of how much you want to learn. The site has a lot of good info.
The following two links may be helpful.
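As an added worked example (not part of the original post, and not the list author's own rules), the script below puts the two halves of the answer together: the per-UID/GID iptables matching the reply mentions, plus the sshd-side PermitOpen restriction. It assumes a group named tunnel for the restricted users (it has to be their primary group, because the owner match checks the gid that owns the socket, not supplementary groups), eth1 as the LAN-facing interface, 10.10.10.2:3389 as the only permitted destination, and a kernel with the owner match module. PermitOpen only governs forwarding requests that sshd itself services; a user who also gets a shell can run ssh or nc to any host, which is why the iptables chain is the part that actually enforces the restriction. Set IPTABLES=echo to dry-run the rules without root.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: restricted users have
# "tunnel" as their *primary* group (xt_owner --gid-owner checks the socket's
# gid, not supplementary groups), eth1 faces the LAN, and 10.10.10.2:3389 is
# the only destination they may reach. IPTABLES=echo dry-runs without root.
IPTABLES="${IPTABLES:-iptables}"
GROUP="${GROUP:-tunnel}"
LAN_IF="${LAN_IF:-eth1}"
APP_HOST="${APP_HOST:-10.10.10.2}"
APP_PORT="${APP_PORT:-3389}"
CHAIN="TUNNEL_OUT"

# sshd side: make sshd refuse -L/-D requests to anything but the application
# port. This covers forwarding requests only; a user who also gets a shell can
# run nc/ssh to any host, so the iptables chain below is the real enforcement.
sshd_match_block() {
    printf 'Match Group %s\n' "$GROUP"
    printf '    PermitOpen %s:%s\n' "$APP_HOST" "$APP_PORT"
    printf '    AllowTcpForwarding yes\n'
    printf '    X11Forwarding no\n'
    printf '    AllowAgentForwarding no\n'
    printf '    PermitTunnel no\n'
}

# iptables side: a dedicated OUTPUT chain that only sockets owned by $GROUP
# traverse, so root, daemons and the sshd listener itself are unaffected.
apply_rules() {
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || "$IPTABLES" -F "$CHAIN"
    # packets on connections already accepted (including the ssh session itself)
    "$IPTABLES" -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the single permitted destination; -o, not -i, since this is OUTPUT.
    # No loopback exception on purpose: "-L 9999:localhost:25" pointed at the
    # ssh host's own services is just another denied destination.
    "$IPTABLES" -A "$CHAIN" -o "$LAN_IF" -p tcp -d "$APP_HOST" --dport "$APP_PORT" \
        -m state --state NEW -j ACCEPT
    # everything else from this group: rate-limited log entry, then refuse
    "$IPTABLES" -A "$CHAIN" -m limit --limit 5/min -j LOG --log-prefix "tunnel-denied: "
    "$IPTABLES" -A "$CHAIN" -j REJECT
    # hook the chain into OUTPUT (delete first so re-running does not duplicate it)
    "$IPTABLES" -D OUTPUT -m owner --gid-owner "$GROUP" -j "$CHAIN" 2>/dev/null || true
    "$IPTABLES" -I OUTPUT 1 -m owner --gid-owner "$GROUP" -j "$CHAIN"
}

case "${1:-}" in
    config) sshd_match_block ;;   # print the sshd_config fragment
    apply)  apply_rules ;;        # install the rules (needs root)
esac
```

Run `sh tunnel-restrict.sh config >> /etc/ssh/sshd_config` (then reload sshd) and `sh tunnel-restrict.sh apply` as root; `IPTABLES=echo sh tunnel-restrict.sh apply` shows the exact rules that would be installed. Because the OUTPUT policy for everyone else is left alone, the box's other roles (router, mail, web) keep working, and a denied attempt from a restricted user shows up in the kernel log with the tunnel-denied: prefix.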