
Re: [security-unixtech] Re: question about SSH / IPTABLES



> >  I have a server on the Internet and I want several clients to access it via
> > SSH, but I DON'T want them to be able to use SSH from that server.
> > 
> >  So a client can access the server via SSH, but s/he CAN NOT ssh to other
> > servers from my server...
> 

In sshd_conf:

AllowTcpForwarding no:
        Specifies whether TCP forwarding is permitted.  The default is
        ``yes''.  Note that disabling TCP forwarding does not improve
        security unless users are also denied shell access, as they can
        always install their own forwarders.

--> man 5 sshd_config for OpenSSH



> If you want to use iptables then allow incoming ssh requests from the
> relevant hosts and disallow outgoing ssh request from the server:
> 
> iptables -A INPUT -j ACCEPT -p tcp -s <client_ip/mask> --destination-port 22
> iptables -A INPUT -j REJECT -p tcp --destination-port 22
> iptables -A OUTPUT -j REJECT -p tcp --destination-port 22


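Added example, not part of the original message: a small audit of the two controls discussed in this thread, run on saved sshd_config text and iptables-save output. The sample config, the sample rules and the 192.0.2.0/24 client range are constructed for illustration, and both function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit both controls on saved text.

# Print the global AllowTcpForwarding value from sshd_config text on stdin.
# sshd uses the first value it reads for a keyword, keyword names are
# case-insensitive, and the default is "yes". Parsing stops at the first
# Match block, whose settings apply only conditionally.
# Assumes whitespace-separated "Keyword value" lines.
effective_tcp_forwarding() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "allowtcpforwarding" { v = tolower($2); exit }
        END { print (v == "" ? "yes" : v) }
    '
}

# Succeed if, in iptables-save text on stdin, the first OUTPUT rule with a
# terminating target for TCP destination port 22 rejects or drops it.
# Other match options (source, interface, owner) are not evaluated.
output_blocks_ssh() {
    awk '
        $1 == "-A" && $2 == "OUTPUT" {
            tcp = port = 0; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p" && $(i + 1) == "tcp") tcp = 1
                if (($i == "--dport" || $i == "--destination-port") && $(i + 1) == "22") port = 1
                if ($i == "-j") target = $(i + 1)
            }
            if (tcp && port && target ~ /^(ACCEPT|REJECT|DROP)$/) { ok = (target != "ACCEPT"); exit }
        }
        END { exit !ok }
    '
}

# Constructed sample inputs (not taken from any real host).
SAMPLE_SSHD='# constructed sample
Port 22
allowtcpforwarding no
AllowTcpForwarding yes
Match User backup
    AllowTcpForwarding yes'
SAMPLE_RULES='*filter
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
COMMIT'
echo "AllowTcpForwarding (global): $(printf '%s\n' "$SAMPLE_SSHD" | effective_tcp_forwarding)"
printf '%s\n' "$SAMPLE_RULES" | output_blocks_ssh && echo "OUTPUT blocks tcp/22" || echo "WARN: OUTPUT does not block tcp/22"
```

On a live host the same functions can be fed from the real sshd_config file and from iptables-save.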


