[SOLVED] Firewall restrictions on sock5 tunnel forwarding (through ssh)

investor_me · 09-05-2009, 05:40 AM

I have a server that I use to access the internet through a secure SSH tunnel (the usual method with Putty's Dynamic Port Forwarding). And I access the content through a SOCKS local port of course.

However, because I only use the server to access certain two websites, I only want the tunnel to forward to and from those particular websites through ssh and prevent access to every other website for a particular user (login for ssh session).

I was once told to install a squid proxy to control this, but I think it will be an overkill for such a trivial job. Is there a possibility to simply have some IPtables rules to do the following:

* If the user 'tunnel_user' belonging to the group 'tunnel_group' is requesting a page on a remote website through forwarding, check to see if what he is accessing is website1 or website2. If not, reject the outgoing and incoming connection for the user, otherwise, let allow it.

I hope I was clear. If you could help or need more details, please let me know.

Thanks

i_me

blackhole54 · 09-08-2009, 05:41 PM

Any firewall rules would have to be on the destination end of the tunnel. I.e. the computer running sshd. (If I understand you correctly, you are calling this the server.) Netfilter/iptables does not have the ability to look at content of packets and so has not idea what requests are being sent through the tunnel on the client side.

So what might you be able to do is to restrict this set of users to sshing into a particular account on the server and then, on the server, restrict what websites that (server) account can get to. Something like:

Code:

iptables -A OUTPUT -m owner --uid-owner $username -d $website1 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $username -d $website2 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $username -j REJECT

If a wbsite has more than one IP address then you would have to have an ACCEPT rule for each address. That is the only way I know to do what you want. Otherwise, you might wish to look at the squid option.

(Sadly, I still have no experience with squid.)

(NOTE: ssh has the ability to restrict port forwarding to a single IP address if it authenticates with a public key.)

investor_me · 09-09-2009, 10:34 AM

This is exactly what I needed and has been very helpful to me and I hope I would be able to use it effectively without affecting the server's performance as I will have dozens of different usernames/groups.

Thanks indeed!

blackhole54 · 09-09-2009, 07:29 PM

I am glad it worked for you.

I noticed you put SOLVED in the title of your last post. You might want to mark the whole thread SOLVED so it shows up that way in searches. You can do that by clicking on "Thread Tools" at the top of the page and choosing the appropriate entry.