Hi, I have a dedicated server which I let people tunnel into for FTP transfers. How can I block all ports or traffic apart from FTP traffic? Right now people can tunnel through the server, then use Proxycap and start browsing the internet using my server as a proxy. I want to limit it so that only FTP traffic is accessible when tunneling through.
I'm not fully conversant with how Proxycap works, but I'm guessing it works by using the forwarding feature of ssh.
You can block that on your server by using the sshd option
Code:
AllowTcpForwarding no
In that case the server will not allow tunnels. You also possibly need to give these users non-interactive shells so that they cannot install their own forwarders.
PermitOpen
Specifies the destinations to which TCP port forwarding is permitted. The forwarding specification must be one of the following forms:
PermitOpen host:port
PermitOpen IPv4_addr:port
PermitOpen [IPv6_addr]:port
Multiple forwards may be specified by separating them with whitespace. An argument of “any” can be used to remove all restrictions and permit any forwarding requests. By default all port forwarding requests are permitted.
Isn't Proxycap a multipurpose HTTP & Socks proxy server? Couldn't you also regulate what connections are allowed from the sftp server?
It is also possible to use GatewayPorts=no (the default) to deny other hosts from connecting to forward connections.
Also look into the options field of the authorized_keys file. I'm not certain, but if it overrides global options, you can allow TCP forwarding only for certain users who might legitimately need to do it (man 8 sshd).
Code:
...
no-port-forwarding
Forbids TCP forwarding when this key is used for authentication.
Any port forward requests by the client will return an error.
This might be used, e.g. in connection with the command option.
...
permitopen="host:port"
Limit local ``ssh -L'' port forwarding such that it may only con‐
...
You can also globally deny port forwarding but have a per-user Match with AllowTcpForwarding or PermitOpen in the conditional block. These settings would override the global options.
Hmm, PermitOpen seems to work the way I wanted, I could specify google.com:80 and when tunneled, you can only access google.
But after some looking around, there seems to be no way to add wildcards in the host. Is there any way I can PermitOpen any host, but only port 21?
I tried %:21, any:21 and ?:21 and they don't work; also, googling tells me that PermitOpen does no pattern matching, only literal hosts, which kinda sucks.
Any other way to do this? How about using iptables?
What rules would I need to:
Block all ports except for port 21?
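The two posts above describe the pieces of the sshd_config side of this: a global AllowTcpForwarding/PermitOpen default, Match User/Group blocks that override it, and the question of whether PermitOpen can say "any host, port 21 only". The following is an added example, not code from the thread or from OpenSSH: a small evaluator that reads those keywords from a constructed sshd_config fragment and answers whether a given user's local (ssh -L) forward to host:port would be allowed. Group membership is passed in by the caller rather than looked up, only User and Group criteria are modelled, and a host or port of `*` in PermitOpen is treated as a wildcard as current sshd_config(5) documents it (the OpenSSH of the era of this thread accepted only literal host:port, as the poster found).

```python
from fnmatch import fnmatchcase

# Constructed sshd_config fragment (not from the thread): forwarding is denied
# for everyone, then selectively re-enabled per group or user.
SAMPLE_SSHD_CONFIG = """
# no tunnels unless a Match block below says otherwise
AllowTcpForwarding no
PermitOpen none

Match Group ftptunnel
    AllowTcpForwarding yes
    PermitOpen ftp.example.net:21 mirror.example.net:21

Match Group ftpany
    AllowTcpForwarding yes
    PermitOpen *:21

Match User alice
    AllowTcpForwarding yes
    PermitOpen any
"""

# compiled-in sshd defaults for the two keywords modelled here
DEFAULTS = {"allowtcpforwarding": "yes", "permitopen": ["any"]}


def parse_sshd_config(text):
    """Return (global_settings, [(criteria, settings), ...]); settings is keyed
    by lower-cased keyword, criteria is a list of (kind, patterns) from a
    Match line.  Keywords other than the two modelled here are ignored."""
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            # "Match User a,b Group g" -> [("user", ["a", "b"]), ("group", ["g"])]
            criteria = [(args[i].lower(), args[i + 1].split(","))
                        for i in range(0, len(args) - 1, 2)]
            current = {}
            blocks.append((criteria, current))
        elif keyword == "permitopen":
            current.setdefault(keyword, []).extend(args)
        elif keyword == "allowtcpforwarding":
            current.setdefault(keyword, args[0].lower())  # first value wins
    return global_settings, blocks


def pattern_list_match(candidates, patterns):
    """sshd pattern-list semantics: a matching negated ('!') pattern vetoes
    the whole list; otherwise any positive match succeeds."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if any(fnmatchcase(c, pat[1:]) for c in candidates):
                return False
        elif any(fnmatchcase(c, pat) for c in candidates):
            matched = True
    return matched


def criteria_match(criteria, user, groups):
    """Every criterion on the Match line must hold; criteria this model does
    not understand (Address, Host, ...) are treated as not matching."""
    for kind, patterns in criteria:
        if kind == "user" and pattern_list_match([user], patterns):
            continue
        if kind == "group" and pattern_list_match(groups, patterns):
            continue
        return False
    return True


def effective_settings(config_text, user, groups):
    """sshd precedence: the first matching Match block that sets a keyword
    wins, then the global section, then the compiled-in default."""
    global_settings, blocks = parse_sshd_config(config_text)
    effective = {}
    for criteria, settings in blocks:
        if criteria_match(criteria, user, groups):
            for key, value in settings.items():
                effective.setdefault(key, value)
    for source in (global_settings, DEFAULTS):
        for key, value in source.items():
            effective.setdefault(key, value)
    return effective


def forward_permitted(config_text, user, groups, host, port):
    """Would sshd let this user open a local (ssh -L / direct-tcpip) forward
    to host:port?  A '*' host or port in PermitOpen matches anything."""
    eff = effective_settings(config_text, user, groups)
    if eff["allowtcpforwarding"] not in ("yes", "all", "local"):
        return False
    for spec in eff["permitopen"]:
        if spec == "any":
            return True
        if spec == "none":
            return False
        spec_host, _, spec_port = spec.rpartition(":")
        spec_host = spec_host.strip("[]")  # [IPv6_addr]:port form
        if spec_host in ("*", host) and spec_port in ("*", str(port)):
            return True
    return False


if __name__ == "__main__":
    for user, groups in (("carol", []), ("bob", ["ftptunnel"]), ("dave", ["ftpany"])):
        for dest in (("ftp.example.net", 21), ("www.example.org", 80)):
            print(user, dest, forward_permitted(SAMPLE_SSHD_CONFIG, user, groups, *dest))
```

Run with a real file's contents to see what a user in a given group would be allowed to forward before reloading sshd. Two caveats worth keeping in mind: `PermitOpen *:21` only covers the FTP control connection, since passive-mode FTP data transfers use separate ports negotiated per session; and for the iptables route asked about at the end of the thread, under privilege separation the post-authentication sshd process for a session runs as the logged-in user, so outgoing forwarded connections can also be filtered per user or group with the `owner` match in the OUTPUT chain, which is an alternative the thread itself did not test.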
The patterns you can use are in the ssh_config manpage.
Code:
PATTERNS
A pattern consists of zero or more non-whitespace characters, ‘*’ (a wildcard that matches zero or more characters), or ‘?’
(a wildcard that matches exactly one character). For example, to specify a set of declarations for any host in the
“.co.uk” set of domains, the following pattern could be used:
Host *.co.uk
The following pattern would match any host in the 192.168.0.[0-9] network range:
Host 192.168.0.?
A pattern-list is a comma-separated list of patterns. Patterns within pattern-lists may be negated by preceding them with
an exclamation mark (‘!’). For example, to allow a key to be used from anywhere within an organisation except from the
“dialup” pool, the following entry (in authorized_keys) could be used:
from="!*.dialup.example.com,*.example.com"
A "?" will match a single character.
From the sshd manpage:
Code:
An example authorized_keys file:
# Comments allowed at start of line
ssh-rsa AAAAB3Nza...LiPk== user@example.net
from="*.sales.example.net,!pc.sales.example.net" ssh-rsa
AAAAB2...19Q== john@example.net
command="dump /home",no-pty,no-port-forwarding ssh-dss
AAAAC3...51R== example.net
permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
AAAAB5...21S==
tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
jane@example.net
Note that the permitopen value uses port numbers.
---
I don't understand why you need to allow any port forwarding on the server providing the ftp service? Or is the ftp server elsewhere. You said that it is a dedicated server; maybe I assumed it is an ftp server.
I also have been thinking in terms of an encrypted tunnel incoming and outgoing, but I realize now that you probably have non-encrypted ftp traffic relayed.
I'll let someone else handle any netfilter rules. I'm sure I would miss something important.
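The authorized_keys example quoted from sshd(8) above shows the per-key options (`no-port-forwarding`, `permitopen=`, `command=`, `from=`) that control forwarding for one key. What an administrator usually wants next is a way to check an existing authorized_keys file for keys that still allow unrestricted forwarding. The following is an added example, not code from the thread or from OpenSSH: it parses the options field (commas and spaces inside double-quoted values are honoured; backslash escapes inside quotes are not handled) and reports each key's forwarding status, applying the options left to right the way sshd does, including `restrict` and `port-forwarding`. The sample file is constructed here and the key blobs are placeholders, not real keys.

```python
# Key-type prefixes that can start a line with no options field in front of it.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# Constructed authorized_keys file; blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """
# Comments allowed at start of line
ssh-ed25519 AAAAC3PLACEHOLDER== user@example.net
from="*.sales.example.net,!pc.sales.example.net" ssh-rsa AAAAB2PLACEHOLDER== john@example.net
command="dump /home",no-pty,no-port-forwarding ssh-rsa AAAAC3PLACEHOLDER== backup@example.net
permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-rsa AAAAB5PLACEHOLDER== web@example.net
restrict,port-forwarding,permitopen="ftp.example.net:21" ssh-ed25519 AAAAC3PLACEHOLDER== ftpuser@example.net
"""


def split_options(line):
    """Return (options_string, remainder): the options field ends at the first
    whitespace that is not inside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            return line[:i], line[i:].lstrip()
    return line, ""


def parse_options(opts):
    """Split an options field on commas outside quotes into (name, value)
    pairs; flag options get an empty value."""
    result, buf, in_quotes = [], [], False
    for ch in opts + ",":
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            token = "".join(buf).strip()
            if token:
                name, _, value = token.partition("=")
                result.append((name.lower(), value.strip('"')))
            buf = []
        else:
            buf.append(ch)
    return result


def parse_authorized_keys(text):
    """Yield one dict per key line: options, key type and comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(KEY_TYPE_PREFIXES):
            options, rest = [], line
        else:
            opts, rest = split_options(line)
            options = parse_options(opts)
        parts = rest.split(None, 2)
        if len(parts) < 2:
            continue  # malformed line: no key type and blob
        comment = parts[2] if len(parts) > 2 else ""
        entries.append({"options": options, "type": parts[0], "comment": comment})
    return entries


def forwarding_status(options):
    """Apply options left to right as sshd does: 'restrict' and
    'no-port-forwarding' turn forwarding off, 'port-forwarding' turns it back
    on, and permitopen= collects allowed destinations.  Returns (allowed, permits)."""
    allowed, permits = True, []
    for name, value in options:
        if name in ("restrict", "no-port-forwarding"):
            allowed = False
        elif name == "port-forwarding":
            allowed = True
        elif name == "permitopen":
            permits.append(value)
    return allowed, permits


def audit(text):
    """Return a list of (comment, verdict) pairs, one per key."""
    findings = []
    for entry in parse_authorized_keys(text):
        allowed, permits = forwarding_status(entry["options"])
        if not allowed:
            verdict = "forwarding disabled"
        elif permits:
            verdict = "forwarding limited to " + " ".join(permits)
        else:
            verdict = "UNRESTRICTED forwarding"
        findings.append((entry["comment"], verdict))
    return findings


if __name__ == "__main__":
    for comment, verdict in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"{comment:24} {verdict}")
```

Note that `from=` narrows the source addresses a key may be used from but says nothing about forwarding, which is why the second key is reported as unrestricted; only `no-port-forwarding`, `restrict` or a `permitopen=` list actually constrain what a tunnel through the server can reach.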