Aug 22, 2011

iptables rules to block ssh remote forwarded ports


I’m trying to set up an iptables rule that will block access to ssh remote forwarded connections via ssh local remote forwarded connections. So, IOW:

Client A connects to server:
ssh -R 10000:localhost:23 someserver

Client B connects to server:
ssh -L 23:localhost:10000 someserver

I can’t get iptables to block this. I need the forwarding in some cases which sshd_config settings can’t cover (I will have a program specifically handing out the port that a client can forward on, and hopefully the program would then add an iptables rule to allow this).

I’ve tried:

iptables --flush
iptables -A INPUT -i lo -p tcp --dport 0:1024 -j ACCEPT
iptables -A OUTPUT -o lo -p tcp --dport 0:1024 -j ACCEPT
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

But it still allows ssh local forwarded connections to access the remote forwarded port. Any ideas on how to go about getting iptables to handle this?

EDIT: Tried changing to:

iptables --flush
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -j REJECT

Still I can make the forwarded connections. So apparently that wasn’t quite it. Thanx for the answer though. Do you have any other ideas for me?


Would it not be easier to switch off ssh forwarding on the ssh server? Just change AllowTcpForwarding from yes to no in your /etc/ssh/sshd_config. If this doesn’t suit, you could try something along the lines of

iptables -A OUTPUT -o eth1 -p tcp --cmd-owner "sshd" -j DROP
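An added example, not code from the question or the answer above, of the allow-list approach the question describes: a small POSIX shell script that sends every connection attempt arriving on the loopback interface for an assumed forward range (10000 to 10999) through a dedicated chain whose last rule rejects, so the program handing out ports only has to call grant_port and revoke_port. The range, the chain name SSH_FWD and the function names are assumptions, not anything from the page. Two checks worth doing before blaming a rule set that "still allows" the forward: which address localhost resolves to on the server, because a forward bound on ::1 is never seen by iptables and ip6tables needs the same rules (the script drives both), and whether the kernel still accepts --cmd-owner, which the owner match dropped in 2.6.14, leaving --uid-owner and --gid-owner.

```shell
#!/bin/sh
# Added example; not code from the question or the answer.
# Assumptions: remote forwards bind on the loopback interface (GatewayPorts no),
# ports are handed out from FWD_RANGE, and both IPv4 and IPv6 loopback must be
# covered because "localhost" may resolve to ::1.
set -eu

FWD_RANGE="${FWD_RANGE:-10000:10999}"   # assumed port range handed out to clients
CHAIN="${CHAIN:-SSH_FWD}"               # assumed chain name
IPT="${IPT:-iptables}"                  # point both at a stub function for a dry run
IP6T="${IP6T:-ip6tables}"

# fw: apply one rule to the IPv4 and the IPv6 filter table alike.
fw() {
    "$IPT" "$@"
    "$IP6T" "$@"
}

# install_chain: route every connection attempt (SYN) arriving on lo for a port
# in FWD_RANGE through CHAIN; its final rule resets the connection, so only
# ports granted above that rule are reachable.
install_chain() {
    fw -N "$CHAIN"
    fw -A INPUT -i lo -p tcp --syn --dport "$FWD_RANGE" -j "$CHAIN"
    fw -A "$CHAIN" -p tcp -j REJECT --reject-with tcp-reset
}

# grant_port PORT: called by the program handing a forward port to a client;
# inserted at position 1 so it sits above the REJECT rule.
grant_port() {
    port=$1
    fw -I "$CHAIN" 1 -p tcp --dport "$port" -j ACCEPT
}

# revoke_port PORT: delete the matching ACCEPT once the client is done.
revoke_port() {
    port=$1
    fw -D "$CHAIN" -p tcp --dport "$port" -j ACCEPT
}

# Command-line entry point; with no arguments the script only defines the
# functions so it can be sourced by the port-handing program.
case "${1:-}" in
    install) install_chain ;;
    grant)   grant_port "$2" ;;
    revoke)  revoke_port "$2" ;;
    "")      ;;
    *)       echo "usage: $0 install | grant PORT | revoke PORT" >&2; exit 2 ;;
esac
```

Run it once as root with install, then have the port-handing program call it with grant PORT and revoke PORT; setting IPT and IP6T to echo prints the rules instead of loading them.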

