Re: Restrict a client port-forward to 1 port

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



--- On Fri, 8/14/09, Adriana Rodean <adrya1984@xxxxxxxxx> wrote:

> >On Thu, Aug 13, 2009 at 22:00, Joseph Spenner<joseph85750@xxxxxxxxx>
> > wrote:
> > From what I can tell, your goal is to restrict certain
> > REMOTE port forward values.  I do not think it is possible
> > to place restrictions on REMOTE port forwards if port
> > forwarding is enabled in sshd_config.  In the
> > authorized_keys, you can list 'permitopen' options, but this
> > only applies to LOCAL port forwards.
> 
> Yes that's exactly what i want, restrict certain REMOTE
> port forward values.
> If client X has remote port 1037 on the server then client
> Y should be
> forbidden to do remote port-forwarding on port 1037 if
> client X is not
> connected.
> Can't it be restricted somehow with iptables or with some
> Linux commands?
> If ssh can't i'm thinking maybe Linux can...
> I mean restrict only client X (which is behind a certain ip
> address)
> to listen to port 1037 on the server.
> 
> I'm not Linux user, and have minimal knowledge about Linux,
> but maybe
> someone knows...
> 
> Thank you again,
> Adriana
> 

Another option could be to create a type of 'portmon' script (port monitor).  It could run via root cron, and be looking for user port forwards.  Here's an example of what it would see on the sshd (remote) server:

root@slack182:~# lsof -ni |grep user42
sshd    2565 user42    7u  IPv4 146804       TCP 127.0.0.1:12345 (LISTEN)

This means user42 has a REMOTE port forward built on port 12345 (notice, it is bound to 127.0.0.1 as remote port forwards always are).
Your script could look for such processes, and if unauthorized ports are present kill the PID(s) associated with them (in this case 2565).




      

[Index of Archives]     [Open SSH Unix Development]     [Fedora Users]     [Fedora Desktop]     [Yosemite Hikes]     [KDE Users]     [Gnome Users]

  Powered by Linux