Re: Restrict a client port-forward to 1 port

On Wednesday 12 August 2009 16:42:54 Aarón Mizrachi wrote:
> On Wednesday 12 August 2009 11:53:30 Adriana Rodean wrote:
> > Hi,
> >
> > Is it possible to restrict a client's port-forwarding to one port?
> > For example, I want client X to open only port 1037 on the server through
> > port-forwarding, client Y only port 1038, and so on...
> > How can this be done?
> > I use private/public key authentication.
> > The client is OpenSSH 3.8p1 on Windows, and the server runs the latest
> > OpenSSH on a Linux machine.
> >
> > Can anyone help please?
>
> Indeed. With iptables.
>
> Each instance of ssh is executed with the UID determined by the SSH
> logon:
>
> Log example:
>
> [GWCONN]:  IN= OUT=wan0 SRC=_._._._ DST=_._._._ LEN=60 TOS=0x00 PREC=0x00
> TTL=64 ID=9946 DF PROTO=TCP SPT=46684 DPT=80 WINDOW=5840 RES=0x00 SYN
> URGP=0 OPT (020405B40402080A2E3B8D980000000001030305) UID=500 GID=500
>
> If you set some rules like:
>
> iptables -I OUTPUT -o \! lo -m owner --uid-owner 500 -j LOGDROP
> iptables -I OUTPUT -m owner --uid-owner 500 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
>
Sorry for the mistake: my LOGDROP is an "all-in-one" chain for logging and
dropping. You can use -j DROP instead.

The same rules without LOGDROP:

iptables -I OUTPUT -o \! lo -m owner --uid-owner 500 -j DROP
iptables -I OUTPUT -m owner --uid-owner 500 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT


;-)

> you will enable only port 80 for UID 500 (usernames can also be used).
>
> But remember the -o \! lo: it means that iptables won't block any
> connection from UID 500 to localhost, which is needed for ssh's internal
> work.
>
>
> ;-)
>
> Hope it helps.
>
> > Thank you so much,
> > Adriana

-- 
Ing. Aaron G. Mizrachi P.    

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1
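The per-user egress filter from Aarón's reply, written out as a generator for the iptables commands, is an added example and not code from the thread. It assumes the filter table's OUTPUT chain, one dedicated chain per UID (the chain name is constructed here), and that the owner and state matches are available. Two things differ from the rules as posted: the commands use -A inside the user chain, so they read in evaluation order instead of being reversed by repeated -I, and an ESTABLISHED,RELATED exception is included, because a DROP rule with no state match would also drop the later packets of the one connection the NEW/ACCEPT rule let through unless an earlier rule in OUTPUT already passes established traffic. The LOG plus DROP pair is Aarón's LOGDROP spelled out; the generator also takes several ports, which the text only hints at.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the iptables commands
# that restrict a given UID's outbound TCP connections to chosen ports,
# the technique described in the reply above.

IPTABLES=${IPTABLES:-iptables}   # set IPTABLES=echo for a dry run

# sshfwd_rules UID PORT [PORT...]
# Prints the commands, one per line, in the order they must be applied.
# Loopback stays open (sshd needs it), packets of connections that were
# already accepted pass, the listed destination ports may be opened, and
# everything else from that UID is logged and dropped.
sshfwd_rules() {
    uid=$1; shift
    chain="SSHFWD_$uid"                      # constructed chain name
    echo "$IPTABLES -N $chain"
    # -A appends, so the rules below are listed in evaluation order.
    echo "$IPTABLES -A $chain -o lo -j RETURN"
    echo "$IPTABLES -A $chain -m state --state ESTABLISHED,RELATED -j RETURN"
    for port in "$@"; do
        echo "$IPTABLES -A $chain -p tcp -m state --state NEW -m tcp --dport $port -j RETURN"
    done
    echo "$IPTABLES -A $chain -j LOG --log-prefix \"SSHFWD $uid DROP: \""
    echo "$IPTABLES -A $chain -j DROP"
    # Hook the chain at the top of OUTPUT last, so it is never live
    # while half-built. Only owner-matched packets enter it.
    echo "$IPTABLES -I OUTPUT -m owner --uid-owner $uid -j $chain"
}

# sshfwd_apply UID PORT [PORT...]   (needs root)
# Runs the generated commands; stops at the first one that fails.
sshfwd_apply() {
    sshfwd_rules "$@" | sh -e
}

# Usage, for the two users from the original question:
#   sshfwd_apply 1001 1037     # client X may only reach port 1037
#   sshfwd_apply 1002 1038     # client Y may only reach port 1038
```

A username works in place of the numeric UID, as the reply notes, since the owner match resolves it. Note what this does and does not cover: the owner match sees connections the server makes on the user's behalf (the destination side of a -L forward), so it limits where a forward may go; a -R forward only makes sshd listen, which never produces an outbound NEW packet and so is untouched by these rules.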
