I’m trying to set up an iptables rule that will block access to ssh remote forwarded connections via ssh local forwarded connections. So, IOW:
Client A connects to server: ssh -R 10000:localhost:23 someserver
Client B connects to server: ssh -L 23:localhost:10000 someserver
I can’t get iptables to block this. I need the forwarding in some cases which sshd_config settings can’t cover (I will have a program specifically handing out the port that a client can forward on, and hopefully the program would then add an iptables rule to allow this).
iptables --flush
iptables -A INPUT -i lo -p tcp --dport 0:1024 -j ACCEPT
iptables -A OUTPUT -o lo -p tcp --dport 0:1024 -j ACCEPT
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
But it still allows ssh local forwarded connections to access the remote forwarded port. Any ideas on how to go about getting iptables to handle this?
EDIT: Tried changing to:
iptables --flush
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -j REJECT
Still I can make the forwarded connections. So apparently that wasn’t quite it. Thanks for the answer though. Do you have any other ideas for me?
Would it not be easier to switch off ssh forwarding on the ssh server? Just change
AllowTcpForwarding from yes to no in your /etc/ssh/sshd_config. If this doesn’t suit, you could try something along the lines of
iptables -A OUTPUT -o eth1 -p tcp --cmd-owner "sshd" -j DROP
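As an added example (not part of the question or the answer above), the per-user variant of the sshd_config approach: forwarding is off by default, and only the users that the port-handing-out program has approved get a Match block naming the exact port they may listen on or connect to. The user names clienta and clientb, the loopback address and port 10000 are assumed from the scenario above; PermitListen requires OpenSSH 7.8 or later.

```sshd_config
# Added example, not from the original page. Defaults for every user:
# no TCP forwarding in either direction.
AllowTcpForwarding no

# Client A (assumed user "clienta") may only open a remote forward (-R)
# whose server-side listener is 127.0.0.1:10000; any other -R port is refused.
Match User clienta
    AllowTcpForwarding remote
    PermitListen 127.0.0.1:10000

# Client B (assumed user "clientb") may only open a local forward (-L)
# whose destination is the server's own 127.0.0.1:10000. To block Client B
# from that port instead, drop this Match block or use "PermitOpen none".
Match User clientb
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:10000
```

A program that hands out ports can rewrite the relevant Match block and reload sshd (SIGHUP, or `systemctl reload sshd`); existing sessions keep their current forwardings, so the change applies to new connections only.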