
On a linux server, how can I set up permissions so that a certain group of users are allowed to log in via ssh, but all network connections by their processes are blocked unless the connection is back to the ssh client address. For example, I want to allow a user in the group to ssh in and launch an HTTP server (on a high port) then connect to it from the computer where they're running the ssh client, but any other client on the internet must not be able to access the HTTP server.

I know I can completely block a user's network access with iptables, but how do I allow traffic that comes from or goes to whatever the value of $SSH_CLIENT is?

Andrew
  • I think you're looking at the wrong approach and those users should simply use SSH port forwarding to connect to the services they launch. That way you don't have to open up anything at all (besides SSH). – HBruijn Oct 12 '15 at 21:06
  • @HBruijn sure, I might accept an answer along those lines then – Andrew Oct 12 '15 at 22:20

1 Answer


One thing you could do is have them run a suid script that modifies iptables on login. They don't need to pass it any arguments, just invoke it. And .bash_login can invoke it automatically. It can run lsof to get the IP of the ssh connection associated with its parent's UID, get the connected IP, and then whitelist that IP with rules like

# The owner match is only valid in the OUTPUT (and POSTROUTING) chains, so the inbound
# rule has to be limited by source address (and optionally --dport) rather than by UID.
iptables -w -A users_input -p tcp -s $ip -j ACCEPT
# The module's option is spelled --uid-owner, not --owner-uid.
iptables -w -A users_output -p tcp -d $ip -m owner --uid-owner $owner -j ACCEPT

Where those chains are placed where appropriate in the filter INPUT and OUTPUT chains. And of course also removing any prior rules with that --uid-owner. And you can permit only certain ports if you like.

Perl with taint mode should be fine for such a script.

This would allow networking to persist for that user after the ssh connection dropped. If that's a problem, you can resolve that with a cronjob or a daemon that regularly checks connected ssh connections and then removes any rules that aren't associated with them.

I realize there's a lot of "you could do" in this answer, but most of it's grunt work. Just get the -m owner stuff right.