Re: Restrict a client port-forward to 1 port

On Wednesday 12 August 2009 16:42:54 Aarón Mizrachi wrote:
On Wednesday 12 August 2009 11:53:30 Adriana Rodean wrote:

Is it possible to restrict a client port-forwarding to one port?
For example i want client X to open only port 1037 on server through
port-forwarding, client Y only port 1038 and so on...
How can this be possible?
I use private/public keys authentication.
Client version is openssh3.8p1, is windows client, and server version
is latest openssh on a linux machine.

Can anyone help please?

Indeed. With iptables.

Each instance of ssh is executed with the UID determined by the SSH

Log example:

[GWCONN]: IN= OUT=wan0 SRC=_._._._ DST=_._._._ LEN=60 TOS=0x00 PREC=0x00
TTL=64 ID=9946 DF PROTO=TCP SPT=46684 DPT=80 WINDOW=5840 RES=0x00 SYN
URGP=0 OPT (020405B40402080A2E3B8D980000000001030305) UID=500 GID=500

if you set some rule like:

iptables -I OUTPUT ! -o lo -m owner --uid-owner 500 -j LOGDROP
iptables -I OUTPUT -m owner --uid-owner 500 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT

Sorry for the mistake, my LOGDROP is an "all-in-one" method for logging and
dropping. You can use -j DROP instead.

The commands without LOGDROP:

# Insert the DROP first; the ACCEPT inserted afterwards lands above it.
iptables -I OUTPUT ! -o lo -m owner --uid-owner 500 -j DROP
# NEW,ESTABLISHED so the reply packets of the allowed connection are not dropped too.
iptables -I OUTPUT -m owner --uid-owner 500 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT


you will enable only port 80 for UID 500 (usernames can also be used).

But remember the "! -o lo", which means that iptables won't block any
connection from UID 500 to localhost, which is needed for ssh internal


Hope it helps.

Thank you so much,

Ing. Aaron G. Mizrachi P.
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1
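The per-UID OUTPUT rules from the reply above, generalised to several users at once, as an added example that is not code from the original thread. It assumes that the sshd child serving a logged-in user runs under that user's UID (OpenSSH privilege separation), so the connections it opens for a forward leave the server as locally originated OUTPUT packets. The function ssh_fwd_rules, the IPT variable and the user names clientx/clienty are constructed for this illustration; with IPT unset the rules are printed rather than applied, which is what the check below relies on.

```shell
#!/bin/sh
# Added example, not part of the original mail.  Generates the iptables OUTPUT
# rules that confine one UID to a list of TCP destination ports.
# Assumption: sshd's post-authentication child runs as the user's UID, so
# "-m owner --uid-owner" sees the forwarded connections.
# With IPT unset the commands are echoed; run as root with IPT=iptables to apply.

IPT="${IPT:-echo iptables}"

# ssh_fwd_rules OWNER PORT [PORT...]
# OWNER is a numeric UID or a user name (both accepted by --uid-owner).
# Order matters: the DROP is inserted first, and every ACCEPT inserted
# afterwards with -I ends up above it in the chain.
ssh_fwd_rules() {
    owner="$1"; shift
    # Everything from this owner that does not go to loopback is dropped
    # (loopback stays open because sshd needs it internally) ...
    $IPT -I OUTPUT ! -o lo -m owner --uid-owner "$owner" -j DROP
    # ... except connections to the allowed ports.  NEW,ESTABLISHED is
    # needed so that the packets after the SYN are not caught by the DROP.
    for port in "$@"; do
        $IPT -I OUTPUT -m owner --uid-owner "$owner" -p tcp \
            -m state --state NEW,ESTABLISHED --dport "$port" -j ACCEPT
    done
}

# Constructed sample from the question: client X may only reach port 1037
# on the server, client Y only port 1038.
apply_example() {
    ssh_fwd_rules clientx 1037
    ssh_fwd_rules clienty 1038
}

apply_example
```

Two caveats for anyone applying this: the owner match exists only in the OUTPUT (and POSTROUTING) chain, so it restricts connections that the user's sshd opens on the user's behalf, i.e. local (-L) and dynamic (-D) forwards whose target is reached from the server; a remote (-R) forward is an inbound listener on the server and is not covered by these rules. For -L forwards, OpenSSH itself can express the same restriction per key with the permitopen="host:port" option in authorized_keys, which fits the key-based setup described in the question and needs no firewall rules.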
