Linux – Block SSH tunneling to IP, allow only for certain users

linuxsshssh-tunnel

I need to setup SSH to block all access to a certain IP on port 555. Only a small group of users should be allowed to tunnel to that IP. Currently I have the following stuff in my sshd_config

Match User bob
        PermitOpen 1.2.3.4:555 5.6.7.8:555

The question I have is, how do I deny all other users access to this tunnel? I dont see a denyopen, or restrictopen thing in sshd_config.

Best Answer

You could do it with a firewall on the SSH box:

iptables -A OUTPUT -p tcp -d 1.2.3.4 --dport 555 -m owner --uid-owner bob -j ACCEPT
iptables -A OUTPUT -p tcp -d 1.2.3.4 --dport 555                          -j REJECT

Related Solutions

SSH Tunneling – Only Access

Yes, just use /bin/false as shell and instruct the user to start the tunneling SSH process without executing any remote command (i.e. the -N flag for OpenSSH):

ssh -N -L 1234:target-host:5678 ssh-host

Ssh – Additional Security Measures for Syslog over SSH

There is a sshd option permitopen:

permitopen="host:port" Limit local ``ssh -L'' port forwarding such that it may only connect to the specified host and port. IPv6 addresses can be specified with an alternative syntax: host/port. Multiple permitopen options may be applied separated by commas. No pattern matching is performed on the speci‐ fied hostnames, they must be literal domains or addresses.

Best Answer

Related Solutions

SSH Tunneling – Only Access

Ssh – Additional Security Measures for Syslog over SSH

Related Topic