Re: Restrict a client port-forward to 1 port

On Wednesday 12 August 2009 11:53:30 Adriana Rodean wrote:
> Hi,
>
> Is it possible to restrict a client's port-forwarding to one port?
> For example, I want client X to open only port 1037 on the server through
> port-forwarding, client Y only port 1038, and so on...
> How can this be done?
> I use private/public key authentication.
> The client version is openssh3.8p1 (a Windows client), and the server version
> is the latest openssh on a Linux machine.
>
> Can anyone help please?
>
Indeed. With iptables.

Each instance of ssh is executed with the UID determined by the SSH logon:

Log example:

[GWCONN]:  IN= OUT=wan0 SRC=_._._._ DST=_._._._ LEN=60 TOS=0x00 PREC=0x00 
TTL=64 ID=9946 DF PROTO=TCP SPT=46684 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 
OPT (020405B40402080A2E3B8D980000000001030305) UID=500 GID=500

If you set some rules like:

iptables -I OUTPUT -o \! lo -m owner --uid-owner 500 -j LOGDROP
iptables -I OUTPUT -m owner --uid-owner 500 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

you will enable only port 80 for UID 500 (usernames can also be used).

But remember the -o \! lo: it means that iptables won't block any connection
from UID 500 to localhost, which is needed for ssh's internal work.


;-)

Hope it helps.

> Thank you so much,
> Adriana

-- 
Ing. Aaron G. Mizrachi P.    

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1
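The following is an added example, not part of Aaron's reply or of any OpenSSH or iptables project code. It turns the per-UID OUTPUT rules described above into a small POSIX sh script that pins each account to its one TCP port (the "client X gets 1037, client Y gets 1038" case from the question), validates the port, and, unlike the two rules in the reply, also accepts ESTABLISHED,RELATED packets for that UID; without that rule the NEW-only ACCEPT lets the handshake out and the catch-all drop then kills the rest of the connection, unless an earlier rule in OUTPUT already accepts established traffic. The chain name LOGDROP is taken from the reply and is assumed to exist (use DROP if you have no such chain); the account names clientx/clienty and the -m state syntax are assumptions.

```shell
#!/bin/sh
# Added example: per-user egress pinning with the iptables owner match.
# Assumes a Linux host with iptables and a user-defined chain LOGDROP (from the
# original reply; substitute DROP if you have none). Nothing is applied unless
# apply_rules is run as root; rules_for/rules_for_all only print the commands.

# port_ok PORT -> succeeds if PORT is an integer in 1..65535
port_ok() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# rules_for USER PORT -> prints the iptables commands for one account, one per line.
# Every command uses -I, so each line lands ABOVE the previous one in OUTPUT:
# emit the catch-all first and the most specific ACCEPT last.
rules_for() {
    user=$1
    port=$2
    port_ok "$port" || { echo "rules_for: bad port '$port'" >&2; return 1; }
    # 1. catch-all: log and drop anything this UID sends off-box. Loopback is
    #    excluded because sshd's own plumbing for this session talks to localhost.
    echo "iptables -I OUTPUT ! -o lo -m owner --uid-owner $user -j LOGDROP"
    # 2. replies/continuation of an already-permitted connection must pass too;
    #    the reply's two rules rely on an earlier ESTABLISHED rule for this.
    echo "iptables -I OUTPUT -m owner --uid-owner $user -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 3. the single new TCP connection this account is allowed to open
    echo "iptables -I OUTPUT -m owner --uid-owner $user -p tcp --dport $port -m state --state NEW -j ACCEPT"
}

# rules_for_all "user:port user:port ..." -> rules for several accounts,
# each pinned to its own port (the per-client case from the question)
rules_for_all() {
    for pair in $1; do
        rules_for "${pair%%:*}" "${pair#*:}" || return 1
    done
}

# apply_rules "user:port ..." -> actually runs the generated commands (root only)
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must be root" >&2; return 1; }
    rules_for_all "$1" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || exit 1
    done
}

# Review first, apply second, e.g.:
#   rules_for_all "clientx:1037 clienty:1038"
#   apply_rules   "clientx:1037 clienty:1038"
```

Two caveats a practitioner should keep in mind. The owner match only sees packets that the user's own sshd child process sends, so these rules govern local (-L) forwards the client points at the server side; a remote (-R) forward makes sshd listen on the server rather than connect out, and is not constrained by OUTPUT rules at all. For local forwards, OpenSSH can also enforce the limit itself: the authorized_keys option permitopen="127.0.0.1:1037" on the client's key restricts which host:port that key may forward to, and combining it with the firewall rule gives two independent controls.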
