Hey Adriana,
You can also restrict port forwarding by using iptables, as when the
iptables service is started it blocks all ports except the ones which are
defined in its configuration file, which is located at /etc/sysconfig/iptables on
Red Hat/CentOS systems. To open a specific port through the iptables firewall, you
have to add a line which looks like
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp -m udp --dport 8080 -j ACCEPT
You have to make a configuration of your own for this; the above two lines will
open port 8080 for TCP and UDP traffic. Figure out the ports which you want
to be opened and define them in the iptables file. If you want to read more
about this, follow the link
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
------------------------------------------------------------------------------------
> Date: Fri, 12 Jun 2009 17:17:06 +1000
> From: dtucker at zip.com.au
> To: adrya1984 at gmail.com
> CC: openssh-unix-dev at mindrot.org; secureshell at securityfocus.com
> Subject: Re: Restrict port forwarding on server
>
> Adriana Rodean wrote:
> > Hi,
> >
> > Is there a way to restrict port forwarding on the server?
> > I want only port 8080 on the server to be available to clients.
> >
> > Example: when I give this command, clients should be able to connect:
> > ssh -L 30300:localhost:8080 ....
> > When I give this, for example, clients should not be able to connect:
> > ssh -L 30300:localhost:4040 ....
> >
> > I tried this option in the config file of the server:
> > PermitOpen localhost:8080
> > but even with it I could still connect to 4040, for example.
>
> That should work.
>
> Which config file did you change? It should go in sshd_config and you
> need to restart sshd when you change that file.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
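As an added example, not code from the thread or from OpenSSH itself: a small POSIX shell checker that reads the PermitOpen entries from a constructed sshd_config fragment and reports whether a given -L target (host:port as the client names it) would be permitted. It assumes the PermitOpen matching rules (any, none, host:port, host:*, literal comparison of the host string with no DNS resolution), collects entries from every PermitOpen line, ignores Match blocks, and the helper names are invented.

```shell
#!/bin/sh
# Constructed sshd_config fragment (not a real server's file).
SSHD_CONFIG_SAMPLE='# constructed sshd_config fragment
Port 22
AllowTcpForwarding yes
PermitOpen localhost:8080 127.0.0.1:8080'

# permit_open_entries CONFIG_TEXT
# Prints the space-separated PermitOpen entries found in CONFIG_TEXT.
# Assumption: entries from all PermitOpen lines are accumulated; with no
# PermitOpen line at all the effective value is "any" (no restriction).
permit_open_entries() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "permitopen" { for (i = 2; i <= NF; i++) v = v " " $i }
        END { print (v == "" ? "any" : substr(v, 2)) }'
}

# forward_permitted ENTRIES HOST PORT
# Returns 0 if a forward to HOST:PORT would be allowed, 1 otherwise.
# HOST is compared literally, exactly as the client wrote it in -L, so
# "localhost" and "127.0.0.1" are different targets.
forward_permitted() {
    entries=$1; host=$2; port=$3
    case " $entries " in *" none "*) return 1 ;; esac
    case " $entries " in *" any "*)  return 0 ;; esac
    for e in $entries; do
        h=${e%:*}; p=${e##*:}
        h=${h#\[}; h=${h%\]}          # strip IPv6 brackets, e.g. [::1]:8080
        if [ "$h" = "$host" ] && { [ "$p" = "*" ] || [ "$p" = "$port" ]; }; then
            return 0
        fi
    done
    return 1
}

# Stand-alone demo: the two targets from the thread plus an IP-literal variant.
entries=$(permit_open_entries "$SSHD_CONFIG_SAMPLE")
echo "PermitOpen entries: $entries"
for target in localhost:8080 localhost:4040 127.0.0.1:8080 ::1:8080; do
    h=${target%:*}; p=${target##*:}
    if forward_permitted "$entries" "$h" "$p"; then
        echo "ALLOW $target"
    else
        echo "DENY  $target"
    fi
done
```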