Re: Question about config SSH server, to restrict Port Forwarding
From: Brian Hatch (secure-shell_at_ifokr.org)
Date: Sun, 3 Aug 2003 11:28:31 -0700
To: "Jie C. Huang" <firstname.lastname@example.org>
> ssh -R 9001:Alice:5900 Bob
> This will result in allocating a socket to listen to
> port 9001 on the remote machine Bob, and whenever a
> connection is made to Bob:9001, the connection is
> forwarded to Alice:5900.
> Ok, now the question is:
> I wish to restrict the "whenever a connection to Bob:9001"
> to "only from localhost (Bob)"
> meaning that, you can't "telnet Bob 9001" from anywhere
> outside machine Bob. You can only do it from Bob.
In OpenSSH, this is the default. The port on bob
will listen only on localhost, so you'd only be able
to connect to it from bob.
desktop$ ssh -R 9001:whatever:5900 bob
bob$ netstat -natp|grep 9001
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:9001 0.0.0.0:* LISTEN -
desktop$ telnet bob 9001
telnet: Unable to connect to remote host: Connection refused
--
Brian Hatch
Systems and Security Engineer
http://www.ifokr.org/bri/
Every message PGP signed

"Packet-Filtering Barbie."
- Failed attempt by Mattel to get into the computer security world,
  before buying CyberPatrol.
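The check in the reply above (look at what netstat reports for the forwarded port) can be scripted so it gives a yes/no answer instead of something to eyeball. The shell script below is an added example and is not code from Brian Hatch's mail; the two netstat listings in it are constructed samples, and the function name loopback_only is my own. It reads "netstat -ltn" style lines and returns success only when every LISTEN socket on the given port is bound to 127.0.0.0/8 or ::1, which is what the OpenSSH default (GatewayPorts no in sshd_config) produces for an "ssh -R" forward.

```shell
#!/bin/sh
# Added example, not part of Brian Hatch's mail: confirm from "netstat -ltn"
# style output that a forwarded port listens only on loopback addresses.
# Both listings below are constructed samples, not captures from a real host.

# loopback_only PORT LISTING
# Scans netstat-style lines in LISTING for TCP sockets in LISTEN state on
# PORT. Returns 0 if at least one such socket exists and every one is bound
# to 127.0.0.0/8 or ::1; returns 1 if the port is absent or any listener is
# bound to a non-loopback address (0.0.0.0, :::, or a real interface).
loopback_only() {
    port=$1
    listing=$2
    found=0
    bad=0
    for addr in $(printf '%s\n' "$listing" | awk -v p="$port" '
        ($1 == "tcp" || $1 == "tcp6") && $6 == "LISTEN" {
            n = split($4, a, ":")      # last piece after ":" is the port
            if (a[n] == p) print $4
        }'); do
        found=1
        case "$addr" in
            127.*) ;;                  # IPv4 loopback
            ::1:*) ;;                  # IPv6 loopback
            *) bad=1 ;;                # anything else is reachable remotely
        esac
    done
    if [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]; then
        return 0
    fi
    return 1
}

# What "ssh -R 9001:alice:5900 bob" produces with the OpenSSH default,
# GatewayPorts no, in sshd_config (constructed sample):
LOOPBACK_ONLY_SAMPLE='tcp        0      0 127.0.0.1:9001          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# What it looks like if sshd has GatewayPorts yes (constructed sample): the
# forwarded port answers on every interface, so "telnet bob 9001" works
# from any host that can reach bob.
EXPOSED_SAMPLE='tcp        0      0 0.0.0.0:9001            0.0.0.0:*               LISTEN
tcp6       0      0 :::9001                 :::*                    LISTEN'

for sample in "$LOOPBACK_ONLY_SAMPLE" "$EXPOSED_SAMPLE"; do
    if loopback_only 9001 "$sample"; then
        echo "port 9001: loopback only"
    else
        echo "port 9001: reachable from other hosts (or not listening)"
    fi
done
# On a live host: loopback_only 9001 "$(netstat -ltn)"
```

Two things worth knowing when reading the result. The loopback-only binding is the sshd default, but it is the server's GatewayPorts setting, not the client, that decides: with GatewayPorts no the client cannot widen the bind, with GatewayPorts yes every -R forward listens on all interfaces, and with GatewayPorts clientspecified the client may choose by giving a bind address, as in "ssh -R 0.0.0.0:9001:alice:5900 bob". So if you are the admin of bob and want the behaviour the question asks for, leave GatewayPorts at no and the check above should always succeed for your users' forwards.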