On 3/28/07, Nathan Fain <[EMAIL PROTECTED]> wrote:
> When sshd deals with port forwarding and tunneling it seems to re-encapsulate the outgoing packets and use the default route for determining which interface or internet line to send it out on. I have two internet lines and I want to change this behavior so that sshd will forward the tunnel back out through the same internet line the tunnel was set up on.

Mind that forwarding through the same interface as the SSH connection came from is not the obvious thing to do. Often you want SSH forwarding precisely for the reason that a certain destination is available to the SSH server through an interface which you don't have. One easy way to implement the thing you want would be to patch sshd. You might not want to touch code, but face it - what you're trying to do isn't trivial with iptables/iproute2, and might not end up reliable.

> The only solution I can think of as yet is to create iptables rules per sshd PID. This is ugly and I am guessing will require extensive debugging to deal with child processes.

This sprung to my mind as well. You actually want to deal only with a single sshd child process, not the entire sshd, so --pid-owner sounds about right. This would be something you'd execute through a PAM "session" module, so as to still have root permissions (and keep it out of the user's control).
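Turning the two ideas in the reply (an iptables rule scoped to one sshd process, added from a PAM session hook) into something concrete, as an added shell example that is not code from the thread, from OpenSSH or from any PAM module: the generators below produce the per-line iproute2 commands and the per-session mangle rule, and `pin_session` shows how a `pam_exec` hook would wire them together. The addresses, interface names, marks, table numbers and the `ss -tnp` lines are constructed; `lookup_line`, `local_addr_of_pid`, `line_routing_cmds`, `session_rule` and `pin_session` are names of my own. Two caveats a practitioner would check first: the kernel removed `--pid-owner` from the owner match in 2.6.14, so on any later kernel only `--uid-owner`/`--gid-owner` remain and they pin every process of that user rather than one session (the match is therefore a parameter here); and with sshd's privilege separation the process that opens forwarded connections is not necessarily the one a PAM hook sees as its parent, so the PID passed to `pin_session` has to be established for the sshd version in use.

```shell
#!/bin/sh
# Added example, not code from the thread. Sketch of "one iptables rule per sshd
# process, added from a PAM session hook": mark packets generated by that process
# and policy-route marked packets out of the line the session arrived on.
# All addresses, interfaces, marks and table numbers below are constructed.

# Constructed per-line table (assumption: adjust for the real host).
# local address   interface  gateway        fwmark  routing table
LINES='198.51.100.20 eth1 198.51.100.1 101 101
192.0.2.20 eth0 192.0.2.1 100 100'

# lookup_line ADDR -> prints "IFACE GW MARK TABLE" for the line that owns ADDR,
# nothing if ADDR is not a known line address.
lookup_line() {
  printf '%s\n' "$LINES" | awk -v a="$1" '$1 == a { print $2, $3, $4, $5; exit }'
}

# local_addr_of_pid PID: reads `ss -tnp` output on stdin and prints the local IPv4
# address of the first socket owned by PID (bracketed IPv6 addresses are not handled).
local_addr_of_pid() {
  awk -v pid="$1" '
    index($0, ("pid=" pid ",")) { n = split($4, a, ":"); if (n == 2) { print a[1]; exit } }'
}

# line_routing_cmds IFACE GW MARK TABLE: commands that send fwmark-ed packets out of
# IFACE via GW. These are per line, run once at boot, not per session.
line_routing_cmds() {
  printf 'ip route replace default via %s dev %s table %s\n' "$2" "$1" "$4"
  printf 'ip rule add fwmark %s table %s\n' "$3" "$4"
}

# session_rule ACTION OWNER MARK [MATCH]: the per-session mangle rule. ACTION is A to
# add or D to delete; MATCH defaults to --pid-owner (the thread's idea) and can be
# --uid-owner on kernels that no longer offer --pid-owner. Both forms come from this
# one function because -D only succeeds with the identical match specification.
session_rule() {
  case "$1" in A|D) ;; *) echo "session_rule: ACTION must be A or D" >&2; return 1 ;; esac
  owner_match=${4:-"--pid-owner"}
  printf 'iptables -t mangle -%s OUTPUT -m owner %s %s -j MARK --set-mark %s\n' \
    "$1" "$owner_match" "$2" "$3"
}

# pin_session PID: glue for a PAM session hook (assumption: invoked through pam_exec
# from sshd's session stack, so PAM_TYPE is open_session or close_session and the
# hook runs as root). Which sshd process opens the forwarded connections depends on
# the sshd version and privilege separation, so the caller supplies the PID.
# Not exercised offline.
pin_session() {
  pid="$1"
  addr=$(ss -tnp | local_addr_of_pid "$pid")
  [ -n "$addr" ] || return 1
  set -- $(lookup_line "$addr")
  [ $# -eq 4 ] || return 0            # session came in on the default line: nothing to pin
  case "${PAM_TYPE:-}" in
    open_session)  session_rule A "$pid" "$3" | sh ;;
    close_session) session_rule D "$pid" "$3" | sh ;;
  esac
}
```

The `line_routing_cmds` output belongs in the host's boot-time network setup; only the `session_rule` output is per session. If the `close_session` branch never runs (sshd child killed, PAM stack aborted), the mangle rule outlives the process, so a periodic sweep that deletes rules whose PID no longer exists keeps the OUTPUT chain from accumulating stale entries.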
