Alex wrote:
> Hey all,
> is it possible to allow users an SSH connection but limit any tunneling
> capabilities to a specific ip
>
Not really, not within ssh. You can limit what hosts or networks the ssh
server can connect to. If your kernel has the support for it, you can even
write iptables rules to match on a UID or GID.

> my goal is to setup a SSH server and an application server and i want
> users set up a SSH tunnel to a specific port on the application server
> so that way they won't have access to any other hosts ports on the network..

Seems straightforward enough.

> i hoping the ssh server can do this via a config but it looks like i
> might have to use a sshd with a iptables combo
>
You need to use iptables to limit access.

> but still not sure how to accomplish this..
>
Such a deceptively simple question. Some initial questions:

1) how many NICs does the ssh server have and how many networks is it
   connected to?
2) are there any other services or roles that we need to account for (i.e.
   is the ssh server a router, web server, mail server, some of the above,
   all of the above, none of the above etc.).

The simplest rules (which may or may not fit your needs) would be to set the
default action to drop and only allow a certain port on a certain host. This
example also assumes that the ssh server has two NICs, one connected to the
Internet, and the other to your LAN. The IP 10.10.10.2 represents the IP of
the server.

# default: drop everything the ssh server originates
iptables -P OUTPUT DROP
# allow only new TCP connections to port 3389 on 10.10.10.2 via the LAN NIC
# (-o, not -i: the OUTPUT chain matches on the outgoing interface)
iptables -A OUTPUT -o eth1 -p tcp -d 10.10.10.2 --dport 3389 \
    --syn -m state --state NEW -j ACCEPT

Of course this may not work in your situation, so the usual YMMV disclaimer
applies.

> Any suggestions!?

Grammatical suggestions (hey, you did not specify scope): You don't need the
exclamation point, as this was a question.

Technical Suggestions:

http://cipherdyne.org/

I highly recommend the book written by the guy who runs the site above. You
will find links on his page. It will step you through the iptables basics all
the way to some pretty advanced stuff. A good book regardless of how much you
want to learn. The site has a lot of good info.

The following two links may be helpful.

http://www.netfilter.org
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
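As an added example (not from the original post) of the UID/GID matching mentioned in the reply, this POSIX shell script builds the iptables rule set that lets members of one group reach only the application server's port through the ssh server and logs anything else they originate; the group name sshtunnel, the host 10.10.10.2, port 3389 and eth1 are assumed values chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original thread. Restricts outbound
# connections of one group of ssh users (assumed group: sshtunnel) to a single
# port on the application server, using the iptables owner match mentioned
# in the reply. Assumed values below; override via environment variables.
APP_HOST="${APP_HOST:-10.10.10.2}"         # application server (assumed)
APP_PORT="${APP_PORT:-3389}"               # the one permitted port (assumed)
LAN_IF="${LAN_IF:-eth1}"                   # NIC facing the application server
TUNNEL_GROUP="${TUNNEL_GROUP:-sshtunnel}"  # group the tunnel users belong to

# Print the rule set, one iptables invocation per line. The post-auth sshd
# child handling a user's session runs as that user, so the connections it
# opens for the user's forwarded ports carry the user's UID/GID and the
# owner match applies to them.
tunnel_rules() {
    # keep replies to already-accepted sessions (the ssh sessions themselves)
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # the only new connection a tunnel user may originate
    echo "iptables -A OUTPUT -o $LAN_IF -p tcp -d $APP_HOST --dport $APP_PORT" \
         "--syn -m owner --gid-owner $TUNNEL_GROUP -m state --state NEW -j ACCEPT"
    # anything else from that group: log it (rate-limited) for the admin, then drop
    echo "iptables -A OUTPUT -m owner --gid-owner $TUNNEL_GROUP" \
         "-m limit --limit 5/min -j LOG --log-prefix \"tunnel-denied: \""
    echo "iptables -A OUTPUT -m owner --gid-owner $TUNNEL_GROUP -j DROP"
}

# Number of rules that target the tunnel group (sanity check before applying).
group_rule_count() {
    tunnel_rules | grep -c -- "--gid-owner $TUNNEL_GROUP"
}

# By default only print the rules; run as root with APPLY=1 to execute them.
if [ "${APPLY:-0}" = "1" ]; then
    tunnel_rules | while read -r rule; do sh -c "$rule"; done
else
    tunnel_rules
fi
```

Pair the rules with a default OUTPUT policy of DROP, as in the reply, and put the tunnel users in the group before they log in.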

