7

I need to setup SSH to block all access to a certain IP on port 555. Only a small group of users should be allowed to tunnel to that IP. Currently I have the following stuff in my sshd_config

Match User bob
        PermitOpen 1.2.3.4:555 5.6.7.8:555

The question I have is, how do I deny all other users access to this tunnel? I dont see a denyopen, or restrictopen thing in sshd_config.

nickgrim
  • 4,466
  • 1
  • 19
  • 28
Pratik Amin
  • 3,303
  • 3
  • 22
  • 19

2 Answers2

11

Disable TcpForwarding for all users by default:

AllowTcpForwarding No

And make an exception for user bob:

Match User bob
        AllowTcpForwarding Yes
        PermitOpen 1.2.3.4:555 5.6.7.8:555
Lekensteyn
  • 6,241
  • 6
  • 39
  • 55
  • I think the OP wants to allow tunneling to anywhere other than those. – geekosaur Mar 15 '11 at 18:54
  • From [`man sshd_config`](http://www.manpagez.com/man/5/sshd_config/): "PermitOpen: **Specifies the destinations to which TCP port forwarding is permitted.** [..] An argument of "any" can be used to remove all restrictions and permit any forwarding requests. **By default all port forwarding requests are permitted.**", this is my interpretation of his question. – Lekensteyn Mar 15 '11 at 18:58
  • Right, but my interpretation is the OP wants `PermitOpen !1.2.3.4:555` by default, not `AlloqTCPForwarding off`. Guess we wait for clarification. – geekosaur Mar 15 '11 at 19:05
  • Sorry, so what I want is: All users to be able to tunnel everywhere EXCEPT for 1.2.3.4.5:555. Only certain users should be allowed to tunnel there. The problem with this solution is that if I then do Match User {enter all users here} AllowTCPForwarding Yes They will have access to that IP as well. That being said its still a very good answer :) It might very well need firewall rules on the otherside. – Pratik Amin Mar 15 '11 at 19:11
6

You could do it with a firewall on the SSH box:

iptables -A OUTPUT -p tcp -d 1.2.3.4 --dport 555 -m owner --uid-owner bob -j ACCEPT
iptables -A OUTPUT -p tcp -d 1.2.3.4 --dport 555                          -j REJECT
MadHatter
  • 79,770
  • 20
  • 184
  • 232