Any firewall rules would have to be on the destination end of the tunnel, i.e. the computer running sshd. (If I understand you correctly, you are calling this the server.) Netfilter/iptables does not have the ability to look at the content of packets and so has no idea what requests are being sent through the tunnel on the client side.

So what you might be able to do is to restrict this set of users to SSHing into a particular account on the server and then, on the server, restrict what websites that (server) account can get to. Something like:
Code:
# one ACCEPT per destination address the account is allowed to reach
iptables -A OUTPUT -m owner --uid-owner $username -d $website1 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $username -d $website2 -j ACCEPT
# appended last, so everything else from that account is refused
iptables -A OUTPUT -m owner --uid-owner $username -j REJECT
If a website has more than one IP address then you would have to have an ACCEPT rule for each address. That is the only way I know to do what you want. Otherwise, you might wish to look at the squid option.
(Sadly, I still have no experience with squid.)
(NOTE: ssh has the ability to restrict port forwarding to a single IP address if it authenticates with a public key.)
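As an added example, not part of the post above: the script below generates the two pieces the post describes, the per-account iptables owner-match rules (one ACCEPT per address, REJECT for the rest) and an authorized_keys entry that limits what the key may forward to. It prints the rules instead of applying them so they can be reviewed first; the account name "proxyuser", the 192.0.2.x / 203.0.113.x addresses and the public key are constructed placeholders.

```sh
#!/bin/sh
# Added example, not code from the original post. It prints the rules the
# post describes rather than applying them: review the output, then run it
# as root. The account name "proxyuser" and the 192.0.2.x / 203.0.113.x
# addresses are constructed for illustration.

# gen_egress_rules USER ADDR...
# Print iptables commands that let processes owned by USER (which, after
# authentication, includes the sshd child that opens that user's forwarded
# connections) reach only the listed addresses. One ACCEPT per address,
# then a final REJECT: order matters because -A appends and the first
# matching rule wins.
gen_egress_rules() {
    user=$1
    shift
    for addr in "$@"; do
        printf 'iptables -A OUTPUT -m owner --uid-owner %s -d %s -j ACCEPT\n' "$user" "$addr"
    done
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j REJECT\n' "$user"
}

# resolve_v4 HOST
# Print every IPv4 address the resolver currently returns for HOST, one per
# line, so a site with several addresses gets an ACCEPT rule for each.
# Not used by the demonstration below because it needs network access; the
# address set can change over time, so regenerate the rules when it does.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# gen_authorized_key DESTHOST PORT PUBKEY
# Print an authorized_keys entry for PUBKEY: "restrict" turns off pty
# allocation, agent/X11 forwarding and ~/.ssh/rc, "port-forwarding" turns
# forwarding back on, and permitopen limits it to DESTHOST:PORT as seen
# from the server.
gen_authorized_key() {
    printf 'restrict,port-forwarding,permitopen="%s:%s" %s\n' "$1" "$2" "$3"
}

# Demonstration with constructed addresses: two addresses for one site plus
# the resolver at 203.0.113.53, which the user's sshd process needs to reach
# if the forwarding target is given by name rather than by IP.
echo '# iptables rules for proxyuser'
gen_egress_rules proxyuser 192.0.2.10 192.0.2.11 203.0.113.53
echo '# authorized_keys line for proxyuser (placeholder key)'
gen_authorized_key 192.0.2.10 443 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnly'
```

Typical use would be `resolve_v4 www.example.org` to collect the addresses, then `gen_egress_rules proxyuser $(resolve_v4 www.example.org) <resolver-ip> | sh` as root. The owner match only exists in the OUTPUT (and POSTROUTING) chains, IPv6 needs the same rules in ip6tables or IPv6 disabled for that path, and the `restrict` keyword requires OpenSSH 7.2 or later; on older servers use the individual `no-pty,no-agent-forwarding,no-X11-forwarding` options instead.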