Block SSH tunneling to IP, allow only for certain users



I need to set up SSH to block all access to a certain IP on port 555. Only a small group of users should be allowed to tunnel to that IP. Currently I have the following stuff in my sshd_config:

Match User bob
        PermitOpen 1.2.3.4:555 5.6.7.8:555

The question I have is, how do I deny all other users access to this tunnel? I don't see a denyopen or restrictopen thing in sshd_config.

Solution:

You could do it with a firewall on the SSH box:

iptables -A OUTPUT -p tcp -d 1.2.3.4 --dport 555 -m owner --uid-owner bob -j ACCEPT
iptables -A OUTPUT -p tcp -d 1.2.3.4 --dport 555                          -j REJECT

Disable TcpForwarding for all users by default:

AllowTcpForwarding No

And make an exception for user bob:

Match User bob
        AllowTcpForwarding Yes
        PermitOpen 1.2.3.4:555 5.6.7.8:555
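As an added illustration (not part of the question or the answer): a small Python model of how sshd resolves AllowTcpForwarding and PermitOpen for a given user, run over the asker's original config and the answer's fixed one. It assumes exact user names in Match User (no wildcards, groups or address criteria) and local (-L/-W) forwarding only; it is a model, not sshd's own parser. On a real host, sshd -T -C user=alice prints the effective values for comparison.

```python
# Constructed configs: the asker's original and the answer's fix (copied from the post).
QUESTION_CONFIG = """\
Match User bob
        PermitOpen 1.2.3.4:555 5.6.7.8:555
"""
SOLUTION_CONFIG = """\
AllowTcpForwarding No
Match User bob
        AllowTcpForwarding Yes
        PermitOpen 1.2.3.4:555 5.6.7.8:555
"""

def parse_sshd_config(text):
    """Return (global_opts, [(user_set, opts), ...]); sshd keeps the first occurrence."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            crit, _, names = value.partition(" ")  # only "Match User a,b" is modelled
            current = (set(names.split(",")) if crit.lower() == "user" else set(), {})
            blocks.append(current)
        elif current is None:
            global_opts.setdefault(key, value)
        else:
            current[1].setdefault(key, value)
    return global_opts, blocks

def effective(global_opts, blocks, user, key, default):
    # The first satisfied Match block that sets `key` overrides the global value.
    for users, opts in blocks:
        if user in users and key in opts:
            return opts[key]
    return global_opts.get(key, default)

def may_forward(config_text, user, host, port):
    """True if `user` may open a local (-L/-W) forward to host:port."""
    global_opts, blocks = parse_sshd_config(config_text)
    allow = effective(global_opts, blocks, user, "allowtcpforwarding", "yes")
    if allow.lower() not in ("yes", "all", "local"):  # sshd default is yes
        return False
    permit = effective(global_opts, blocks, user, "permitopen", "any").lower()
    if permit in ("any", "none"):
        return permit == "any"
    wanted = {f"{host.lower()}:{port}", f"{host.lower()}:*", f"*:{port}"}
    return any(entry in wanted for entry in permit.split())
```

With the asker's config alone, any other user can still forward anywhere, because AllowTcpForwarding defaults to yes and PermitOpen inside bob's Match block never applies to them; the global AllowTcpForwarding No closes that gap.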
