Help answer threads with 0 replies.
Go Back > Forums > Linux Forums > Linux - Networking
User Name
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.


  Search this Thread
Old 09-05-2009, 06:40 AM   #1
LQ Newbie
Registered: Sep 2009
Posts: 8

Rep: Reputation: 0
Firewall restrictions on sock5 tunnel forwarding (through ssh)

I have a server that I use to access the internet through a secure SSH tunnel (the usual method with Putty's Dynamic Port Forwarding). And I access the content through a SOCKS local port of course.

However, because I only use the server to access certain two websites, I only want the tunnel to forward to and from those particular websites through ssh and prevent access to every other website for a particular user (login for ssh session).

I was once told to install a squid proxy to control this, but I think it will be an overkill for such a trivial job. Is there a possibility to simply have some IPtables rules to do the following:

* If the user 'tunnel_user' belonging to the group 'tunnel_group' is requesting a page on a remote website through forwarding, check to see if what he is accessing is website1 or website2. If not, reject the outgoing and incoming connection for the user, otherwise, let allow it.

I hope I was clear. If you could help or need more details, please let me know.


Old 09-08-2009, 06:41 PM   #2
Senior Member
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Any firewall rules would have to be on the destination end of the tunnel. I.e. the computer running sshd. (If I understand you correctly, you are calling this the server.) Netfilter/iptables does not have the ability to look at content of packets and so has not idea what requests are being sent through the tunnel on the client side.

So what might you be able to do is to restrict this set of users to sshing into a particular account on the server and then, on the server, restrict what websites that (server) account can get to. Something like:

iptables -A OUTPUT -m owner --uid-owner $username -d $website1 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $username -d $website2 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $username -j REJECT
If a wbsite has more than one IP address then you would have to have an ACCEPT rule for each address. That is the only way I know to do what you want. Otherwise, you might wish to look at the squid option. (Sadly, I still have no experience with squid.)

(NOTE: ssh has the ability to restrict port forwarding to a single IP address if it authenticates with a public key.)

Last edited by blackhole54; 09-08-2009 at 06:43 PM. Reason: typo
Old 09-09-2009, 11:34 AM   #3
LQ Newbie
Registered: Sep 2009
Posts: 8

Original Poster
Rep: Reputation: 0
[SOLVED] Firewall restrictions on sock5 tunnel forwarding (through ssh)

This is exactly what I needed and has been very helpful to me and I hope I would be able to use it effectively without affecting the server's performance as I will have dozens of different usernames/groups.

Thanks indeed!
Old 09-09-2009, 08:29 PM   #4
Senior Member
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
I am glad it worked for you.

I noticed you put SOLVED in the title of your last post. You might want to mark the whole thread SOLVED so it shows up that way in searches. You can do that by clicking on "Thread Tools" at the top of the page and choosing the appropriate entry.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Forwarding Yahoo IM using iptables after SSH tunnel kenevel Linux - Security 2 04-07-2009 06:31 AM
VNC SSH tunnel firewall problem bitpail Linux - Networking 2 11-02-2006 09:37 AM
ssh tunnel / port forwarding Q FrayAdjacent Linux - Networking 2 07-05-2005 04:37 PM
SSH tunnel or Iptables forwarding jatro Linux - Networking 5 06-15-2005 04:07 AM
"socks5" -> "http" proxy protocol, or ssh tunnel to sock5 ? I'm beyond http p vmicho Linux - Networking 2 12-16-2003 06:32 AM > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 10:23 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration