Ssh – Setup an ssh account that can only be used for a socks5 proxy


I have an arch linux machine behind a firewall.
I can open a port forwarding for the ssh port.
I would like to create a user that can be used only for a socks proxy.

ssh -N -D 5000 user@server -p9000

5000 will be the local port the user uses for socks5 proxy

server:9000 is the ssh port of the server (the port forwarding)

-N means that a terminal shouldn't be opened. I will create the user with a default shell being /sbin/nologin.

Now the problem is that the user can forward local ports (-L8080:server2:80) and I want to avoid this.

Also I want the proxy to not proxy connections to anything in the server's internal network.

Is that achievable easily or not?

Are there other pitfalls I have to think about?

Best Answer

As Jakuje mentioned, you can use options to forbid forwarding.

Restricting Outbound Traffic by Owner

Also I want the proxy to not proxy connections to anything in the server's internal network.

You can use the iptables owner module to allow specific groups and users outbound in the OUTPUT rules to specific locations such as your ssh gateway server, but then block everything else. The owner module can match on gid or uid. This method is also commonly used in conjunction with Tor.

You can also use this to allow specific daemons to reach specific services. e.g. If using ldap, you can allow the ldap service account to query your ldap server and nothing else.

If using iptables in this manner, you may first want to allow (but log) traffic so that you know what would have been dropped.
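The following script is an added example that puts the answer's two pieces together; it is not part of the original answer or of any OpenSSH or Arch project code. One caveat it has to work around: `-L` and `-D` both open "direct-tcpip" channels on the wire, so sshd cannot tell a SOCKS request from an explicit `-L` forward. The Match block therefore allows client-initiated forwarding as a whole (`AllowTcpForwarding local`, which still forbids `-R`) and leaves the question of *where* that user may connect to an iptables owner rule, as the answer suggests. The account name `socksproxy`, the "internal" ranges (RFC 1918, loopback, link-local) and the `DRY_RUN` switch are assumptions for the example; the Match block is appended to the end of `sshd_config` because everything after a `Match` line up to the next `Match` is conditional, so it must not be followed by global options.

```shell
#!/bin/sh
# Added example (not from the original answer): a forwarding-only ssh account
# plus iptables owner rules that keep it off the server's internal networks.
set -eu

SOCKS_USER="socksproxy"                 # assumed account name
SSHD_CONFIG="/etc/ssh/sshd_config"      # Match block is appended at the end
# Assumed "internal" ranges; adjust to the real site addressing.
INTERNAL_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16"
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands only; 0 = apply (needs root)

# sshd_config Match block. "local" permits -L and -D (indistinguishable to
# sshd) but rejects -R; agent, unix-socket, X11 and tun forwarding are off,
# and a session request gets no tty and a command that exits immediately.
render_sshd_match() {
    cat <<EOF

Match User ${SOCKS_USER}
    AllowTcpForwarding local
    PermitOpen any
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    X11Forwarding no
    PermitTunnel no
    GatewayPorts no
    PermitTTY no
    ForceCommand /usr/bin/false
EOF
}

# One iptables command per line. Owner matching works because the forwarded
# TCP connections are opened by sshd's post-authentication process, which
# runs under the authenticated user's uid. Each destination is logged first,
# as the answer recommends, then rejected. (Repeat with ip6tables for IPv6.)
render_iptables_rules() {
    for net in ${INTERNAL_NETS}; do
        printf 'iptables -A OUTPUT -m owner --uid-owner %s -d %s -j LOG --log-prefix "socks-internal: "\n' "${SOCKS_USER}" "${net}"
        printf 'iptables -A OUTPUT -m owner --uid-owner %s -d %s -j REJECT --reject-with icmp-port-unreachable\n' "${SOCKS_USER}" "${net}"
    done
    # Also refuse any address configured on this host (its public IP included).
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -m addrtype --dst-type LOCAL -j LOG --log-prefix "socks-internal: "\n' "${SOCKS_USER}"
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -m addrtype --dst-type LOCAL -j REJECT --reject-with icmp-port-unreachable\n' "${SOCKS_USER}"
}

# Print a command in dry-run mode, execute it otherwise.
run() {
    if [ "${DRY_RUN}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_all() {
    # No home directory, no usable shell: the account exists only to forward.
    run useradd -M -s /sbin/nologin "${SOCKS_USER}"

    if [ "${DRY_RUN}" = "1" ]; then
        printf '# would append to %s:\n' "${SSHD_CONFIG}"
        render_sshd_match
    else
        render_sshd_match >> "${SSHD_CONFIG}"
        sshd -t                     # syntax-check before reloading
        systemctl reload sshd
    fi

    render_iptables_rules | while IFS= read -r rule; do
        if [ "${DRY_RUN}" = "1" ]; then
            printf '%s\n' "${rule}"
        else
            eval "${rule}"
        fi
    done
}

apply_all
```

Run it once as is to review the generated `useradd`, Match block and rule set, then with `DRY_RUN=0` as root to apply. With the rules in place, a `-L 8080:server2:80` to an internal host fails with connection refused on the client side and leaves a `socks-internal:` line in the kernel log, while `-D 5000` to Internet destinations keeps working.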