On Wednesday 12 August 2009 11:53:30 Adriana Rodean wrote:
> Hi,
>
> Is it possible to restrict a client's port-forwarding to one port?
> For example, I want client X to open only port 1037 on the server through
> port-forwarding, client Y only port 1038, and so on...
> How can this be possible?
> I use private/public key authentication.
> The client version is openssh3.8p1 (a Windows client), and the server version
> is the latest openssh on a linux machine.
>
> Can anyone help please?
>

Indeed. With iptables. Each instance of ssh is executed with the UID determined by the SSH logon:

Log example:

[GWCONN]: IN= OUT=wan0 SRC=_._._._ DST=_._._._ LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9946 DF PROTO=TCP SPT=46684 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A2E3B8D980000000001030305) UID=500 GID=500

If you set some rules like:

iptables -I OUTPUT -o \! lo -m owner --uid-owner 500 -j LOGDROP
iptables -I OUTPUT -m owner --uid-owner 500 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

you will enable only port 80 for UID 500 (usernames can be used also). But remember the -o \! lo: it means that iptables won't block any connection from UID 500 to localhost, which is needed for ssh's internal work. ;-)

Hope it helps.

> Thank you so much,
> Adriana

-- 
Ing. Aaron G. Mizrachi P.
http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1
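The reply shows the rule pair for one UID and one destination port. The script below is an added example, not code from the thread or from OpenSSH, that generalises it to the per-user mapping the question asks about (one client, one port) and prints the ruleset instead of applying it, so it can be reviewed before being run as root. It assumes iptables with the owner and state matches, a user-defined LOGDROP chain (the reply uses one but does not show it, so a minimal log-then-drop chain is created here), and the modern "! -o lo" spelling of the reply's "-o \! lo"; the UIDs and ports in the mapping are constructed. One caveat worth keeping in mind: the owner match only sees packets the sshd child process itself originates, so these rules confine where that user's -L (direct-tcpip) forwards may connect out of the server; a port opened on the server with -R is reached on the INPUT path, where owner matching does not apply, and restricting that is a job for sshd_config rather than the packet filter.

```shell
#!/bin/sh
# Added example, not code from the original thread. It turns the reply's
# single "UID 500 may only reach port 80" pair into a per-user ruleset of
# the kind the question asks for (client X -> 1037, client Y -> 1038).
# Assumptions: iptables with the "owner" and "state" matches, a user-defined
# chain named LOGDROP (created here; the reply did not show it), and the
# modern "! -o lo" spelling of the reply's "-o \! lo". Nothing is applied;
# the rules are printed so they can be reviewed and then piped to sh as root.

# Chain that logs the packet together with the owning UID, then drops it.
# Rate-limited so a misbehaving forward cannot flood the kernel log.
logdrop_chain() {
    echo 'iptables -N LOGDROP'
    echo 'iptables -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "[FWDDROP]: " --log-uid'
    echo 'iptables -A LOGDROP -j DROP'
}

# Rules for one user (name or numeric UID; the owner match accepts both) and
# the single TCP port that user may connect to.  Both lines use -I, so order
# matters: the ACCEPT is inserted second and therefore lands above the
# catch-all LOGDROP.  Traffic to lo is left alone because the sshd child
# talks over loopback as part of normal operation.
owner_rules() {
    user=$1
    port=$2
    printf 'iptables -I OUTPUT ! -o lo -m owner --uid-owner %s -j LOGDROP\n' "$user"
    printf 'iptables -I OUTPUT -m owner --uid-owner %s -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n' "$user" "$port"
}

# Full ruleset for a constructed user/port mapping (hypothetical UIDs).
ruleset() {
    logdrop_chain
    printf '%s\n' '500 1037' '501 1038' | while read -r user port; do
        owner_rules "$user" "$port"
    done
}

ruleset
```

Because every user gets an unconditional LOGDROP for non-loopback traffic, anything the forwarded session tries to reach other than its one permitted port shows up in the kernel log with the UID attached, which is exactly the field the reply's [GWCONN] line demonstrates. For the -L case, sshd_config's PermitOpen directive (available since OpenSSH 4.4) expresses the same per-user destination restriction inside sshd itself and is worth pairing with the packet filter rather than relying on either alone.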