Re: Restrict a client port-forward to 1 port



On Wednesday 12 August 2009 16:42:54 Aarón Mizrachi wrote:
On Wednesday 12 August 2009 11:53:30 Adriana Rodean wrote:
Hi,

Is it possible to restrict a client port-forwarding to one port?
For example, I want client X to open only port 1037 on the server through
port-forwarding, client Y only port 1038 and so on...
How can this be possible?
I use private/public key authentication.
The client version is OpenSSH 3.8p1 (a Windows client), and the server version
is the latest OpenSSH on a Linux machine.

Can anyone help please?

Indeed. With iptables.

Each instance of ssh is executed with the UID determined by the SSH
logon:

Log example:

[GWCONN]: IN= OUT=wan0 SRC=_._._._ DST=_._._._ LEN=60 TOS=0x00 PREC=0x00
TTL=64 ID=9946 DF PROTO=TCP SPT=46684 DPT=80 WINDOW=5840 RES=0x00 SYN
URGP=0 OPT (020405B40402080A2E3B8D980000000001030305) UID=500 GID=500

If you set some rules like:

iptables -I OUTPUT -o \! lo -m owner --uid-owner 500 -j LOGDROP
iptables -I OUTPUT -m owner --uid-owner 500 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

Sorry for the mistake, my LOGDROP is an "all-in-one" method for logging and
dropping. You can use -j DROP instead.

The rules without LOGDROP:

iptables -I OUTPUT -o \! lo -m owner --uid-owner 500 -j DROP
iptables -I OUTPUT -m owner --uid-owner 500 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT


;-)

You will enable only port 80 for UID 500 (usernames can also be used).

But remember the -o \! lo: it means that iptables won't block any
connection from UID 500 to localhost, which is needed for ssh's internal
work.


;-)

Hope it helps.

Thank you so much,
Adriana

--
Ing. Aaron G. Mizrachi P.

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1
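An added example (not from the thread or from the iptables project): a small Python audit script that parses kernel LOG lines in the key=value form quoted above and reports which entries the per-UID owner-match policy would accept or drop. The sample log lines and the second user (UID 501, allowed port 1038) are constructed for illustration, and the script assumes the OUTPUT chain's default policy is ACCEPT, as in the reply.

```python
import re

# Constructed sample LOG lines (same key=value layout as the reply's example).
# Line 2 has UID 500 reaching port 22, line 3 goes out via lo, line 4 is a
# hypothetical UID 501 sending UDP/53: only lines 1 and 3 should be accepted.
SAMPLE_LOG = """\
[GWCONN]: IN= OUT=wan0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TTL=64 ID=9946 DF PROTO=TCP SPT=46684 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A2E3B8D980000000001030305) UID=500 GID=500
[GWCONN]: IN= OUT=wan0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TTL=64 ID=9947 DF PROTO=TCP SPT=46685 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 UID=500 GID=500
[GWCONN]: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TTL=64 ID=9948 DF PROTO=TCP SPT=46686 DPT=1037 WINDOW=5840 RES=0x00 SYN URGP=0 UID=500 GID=500
[GWCONN]: IN= OUT=wan0 SRC=10.0.0.5 DST=198.51.100.9 LEN=68 TTL=64 ID=9949 DF PROTO=UDP SPT=5353 DPT=53 LEN=48 UID=501 GID=501
"""

# Per-UID allow list mirroring the reply's rules: UID 500 may only open TCP/80
# outbound. UID 501 -> 1038 is a constructed second forwarding user.
ALLOWED = {500: {80}, 501: {1038}}

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Turn one iptables LOG line into a dict of its key=value fields.
    Flag-only tokens (DF, SYN) and the OPT (...) blob are ignored."""
    return dict(FIELD_RE.findall(line))

def verdict(fields, allowed=ALLOWED):
    """Apply the reply's policy: traffic leaving via lo is untouched, a TCP
    packet to an allowed port for that UID is ACCEPT, anything else from a
    restricted UID is DROP. UIDs outside the policy fall through to the
    assumed ACCEPT chain policy. Connection state is not modelled."""
    if fields.get("OUT") == "lo":
        return "ACCEPT"
    uid = int(fields["UID"]) if fields.get("UID", "").isdigit() else None
    if uid not in allowed:
        return "ACCEPT"
    if fields.get("PROTO") == "TCP" and int(fields.get("DPT", -1)) in allowed[uid]:
        return "ACCEPT"
    return "DROP"

def audit(log_text, allowed=ALLOWED):
    """Return (uid, proto, dport, verdict) per line, so the forwards a user
    actually attempts can be reviewed before the rules go live."""
    rows = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        rows.append((f.get("UID"), f.get("PROTO"), f.get("DPT"), verdict(f, allowed)))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row)
```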
