Re: Restrict a client port-forward to 1 port

On Wednesday 12 August 2009 16:42:54 Aarón Mizrachi wrote:
On Wednesday 12 August 2009 11:53:30 Adriana Rodean wrote:

Is it possible to restrict a client port-forwarding to one port?
For example, I want client X to open only port 1037 on the server through
port-forwarding, client Y only port 1038, and so on...
How can this be possible?
I use private/public key authentication.
The client version is OpenSSH 3.8p1 (a Windows client), and the server version
is the latest OpenSSH on a Linux machine.

Can anyone help please?

Indeed. With iptables.

Each instance of ssh is executed with the UID determined by the SSH

Log example:

[GWCONN]: IN= OUT=wan0 SRC=_._._._ DST=_._._._ LEN=60 TOS=0x00 PREC=0x00
TTL=64 ID=9946 DF PROTO=TCP SPT=46684 DPT=80 WINDOW=5840 RES=0x00 SYN
URGP=0 OPT (020405B40402080A2E3B8D980000000001030305) UID=500 GID=500

if you set some rule like:

iptables -I OUTPUT -o \! lo -m owner --uid-owner 500 -j LOGDROP
iptables -I OUTPUT -m owner --uid-owner 500 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

Sorry for the mistake, my LOGDROP is an "all-in-one" method for logging and
dropping. You can use -j DROP instead.

The statement without LOGDROP:

iptables -I OUTPUT -o \! lo -m owner --uid-owner 500 -j DROP
iptables -I OUTPUT -m owner --uid-owner 500 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT


you will enable only port 80 for UID 500 (usernames can also be used).

But remember the -o \! lo: it means that iptables won't block any
connection from UID 500 to localhost, which ssh needs internally.


Hope it helps.

Thank you so much,

Ing. Aaron G. Mizrachi P.
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1
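The rules in the thread are written for a single UID and port. The script below, an added example and not code from the thread or its author, wraps the same two owner-match rules in a function so they can be emitted for a list of user:port pairs (the "client X gets 1037, client Y gets 1038" case from the question) and applied only when run as root with iptables present. It assumes the iptables "owner" and "state" matches from the thread are available; the user names and ports are constructed sample values. Beyond the thread's single rule pair, it also shows the rule ordering that makes the two -I inserts work and refuses to apply anything without root.

```shell
#!/bin/sh
# Added example (not from the thread): per-user iptables owner rules that limit
# which destination port an SSH session's forwarded connections may reach.
# Assumes iptables with the "owner" and "state" matches, as used in the thread.
# The user/port pairs below are constructed sample values.
set -eu

# Emit the two rules for one user. Both use -I (insert at the top of OUTPUT),
# so the ACCEPT inserted second ends up above the DROP inserted first.
# "! -o lo" is the current spelling of the thread's "-o \! lo": loopback stays
# open because sshd's own forwarding talks to localhost.
gen_rules() {
    user=$1
    port=$2
    printf 'iptables -I OUTPUT ! -o lo -m owner --uid-owner %s -j DROP\n' "$user"
    printf 'iptables -I OUTPUT -m owner --uid-owner %s -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n' "$user" "$port"
}

# Emit rules for every "user:port" pair given as arguments.
gen_all() {
    for pair in "$@"; do
        gen_rules "${pair%%:*}" "${pair#*:}"
    done
}

# Number of rule lines gen_all produces (two per user); handy for a sanity check.
count_rules() {
    gen_all "$@" | wc -l | tr -d ' '
}

# Apply the generated rules. Refuses unless running as root with iptables
# installed, so a dry run never touches the firewall.
apply_rules() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
        echo "apply_rules: need root and iptables" >&2
        return 1
    fi
    gen_all "$@" | sh -e
}

# Constructed mapping from the question: client X may only reach port 1037,
# client Y only port 1038. Each name must be a local account, because the
# owner match keys on the UID of the sshd child that serves that session.
SAMPLE_USERS="clientx:1037 clienty:1038"

case "${1:-print}" in
    apply) apply_rules $SAMPLE_USERS ;;
    *)     gen_all $SAMPLE_USERS ;;
esac
```

Run it with no arguments to print the rules, or as root with `apply` to install them. One caveat worth knowing before relying on this: the owner match only exists in the OUTPUT (and POSTROUTING) chains, i.e. on packets the server itself originates, so these rules govern where a session may connect to (local forwards, -L) but say nothing about which ports a remote forward (-R) may listen on, since those connections arrive through INPUT with no owning UID. OpenSSH's own per-key `permitopen` option in authorized_keys restricts -L destinations inside sshd, and `permitlisten` / `PermitListen` (added in OpenSSH 7.8) do the same for -R listeners.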

