On Wednesday 12 August 2009 16:42:54 Aarón Mizrachi wrote:
> On Wednesday 12 August 2009 11:53:30 Adriana Rodean wrote:
> > Hi,
> >
> > Is it possible to restrict a client port-forwarding to one port?
> > For example I want client X to open only port 1037 on server through
> > port-forwarding, client Y only port 1038 and so on...
> > How can this be possible?
> > I use private/public keys authentication.
> > Client version is openssh3.8p1, is windows client, and server version
> > is latest openssh on a linux machine.
> >
> > Can anyone help please?
>
> Indeed. With iptables.
>
> each instance of ssh is executed with the UID determined by the SSH
> logon:
>
> Log example:
>
> [GWCONN]: IN= OUT=wan0 SRC=_._._._ DST=_._._._ LEN=60 TOS=0x00 PREC=0x00
> TTL=64 ID=9946 DF PROTO=TCP SPT=46684 DPT=80 WINDOW=5840 RES=0x00 SYN
> URGP=0 OPT (020405B40402080A2E3B8D980000000001030305) UID=500 GID=500
>
> if you set some rule like:
>
> iptables -I OUTPUT -o \! lo -m owner --uid-owner 500 -j LOGDROP
> iptables -I OUTPUT -m owner --uid-owner 500 -p tcp -m state --state NEW -m
> tcp --dport 80 -j ACCEPT
>

Sorry for the mistake, my LOGDROP is an "all-in-one" method for logging and dropping. You can use -j DROP instead.

The sentence without LOGDROP:

iptables -I OUTPUT -o \! lo -m owner --uid-owner 500 -j DROP
iptables -I OUTPUT -m owner --uid-owner 500 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

;-)

> you will enable only the port 80 for UID 500 (usernames can be used also).
>
> but remember the -o \! lo, that means that iptables won't block any
> connection from UID 500 to localhost, which is needed for ssh internal
> work.
>
>
> ;-)
>
> Hope it helps.
>
> > Thank you so much,
> > Adriana

-- 
Ing. Aaron G. Mizrachi P.
http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1
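The owner-match rules in the thread amount to a per-UID port allowlist, and the [GWCONN] LOG lines already record the UID of each outbound connection; one way to check what those rules would do before loading them is to replay them against such a log. This is an added example, not code from the thread: the sample lines beyond the thread's own, the UID 501 entry in the policy, and the approximation of "state NEW" as a TCP SYN without ACK are assumptions.

```python
import re

# Constructed sample lines in the LOG format quoted in the thread (line 1 is the
# thread's own example; the "_._._._" addresses are placeholders there as well).
SAMPLE_LOG = """\
[GWCONN]: IN= OUT=wan0 SRC=_._._._ DST=_._._._ LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9946 DF PROTO=TCP SPT=46684 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A2E3B8D980000000001030305) UID=500 GID=500
[GWCONN]: IN= OUT=wan0 SRC=_._._._ DST=_._._._ LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9947 DF PROTO=TCP SPT=46690 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 UID=500 GID=500
[GWCONN]: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9948 DF PROTO=TCP SPT=46700 DPT=1037 WINDOW=32792 RES=0x00 SYN URGP=0 UID=500 GID=500
[GWCONN]: IN= OUT=wan0 SRC=_._._._ DST=_._._._ LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9949 DF PROTO=TCP SPT=46710 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 UID=501 GID=501
"""

# Per-UID allowlist of destination TCP ports, mirroring the thread's rule pair
# for UID 500 (port 80 only); the UID 501 entry is an added assumption.
POLICY = {500: {80}, 501: {1038}}

def parse_log_line(line):
    """Turn one LOG line into a dict: key=value fields plus a 'flags' set for the
    bare upper-case tokens (DF, SYN, ...). UID/GID/SPT/DPT become ints."""
    entry = dict(re.findall(r"(\w+)=(\S*)", line))
    entry["flags"] = {t for t in line.split() if t.isalpha() and t.isupper()}
    for key in ("UID", "GID", "SPT", "DPT"):
        if entry.get(key, "").isdigit():
            entry[key] = int(entry[key])
    return entry

def decide(entry, policy=POLICY):
    """Replay the thread's two OUTPUT rules for one entry. With -I the ACCEPT
    rule (inserted last) is checked first, then the '! -o lo ... DROP' rule;
    'state NEW' is approximated as a TCP SYN without ACK (assumption)."""
    uid = entry.get("UID")
    if uid not in policy:
        return "DEFAULT"          # no owner rule matches: chain policy applies
    flags = entry["flags"]
    new_tcp = entry.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags
    if new_tcp and entry.get("DPT") in policy[uid]:
        return "ACCEPT"
    if entry.get("OUT") != "lo":
        return "DROP"
    return "DEFAULT"              # loopback is exempt, as the thread notes

def audit(log_text, policy=POLICY):
    """(UID, OUT, DPT, verdict) per line: review what the rules would do to the
    connections seen in the log before switching LOGDROP over to DROP."""
    return [
        (e.get("UID"), e.get("OUT"), e.get("DPT"), decide(e, policy))
        for e in (parse_log_line(l) for l in log_text.splitlines() if l.strip())
    ]
```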