How to stop users being able to access services bound to localhost via SSH port forwarding


I want to be able to offer SSH accounts on my Linux server for people to be able to use for SSH tunnelling. All accounts will be locked down with no interactive shell, for tunnelling / port forwarding purposes only. My problem is that I don't want them to be able to access services that are bound to localhost only by doing port forwards like the following:

ssh account@server -L 9999: & telnet localhost 9999

This would give them access to the default MySQL database port. How can I stop this?

I see options in the configuration file for OpenSSH to allow specific ports/hosts, but not to block them. Any help would be greatly appreciated!

Best Answer

I haven't tried it myself, but the --uid-owner and --gid-owner options for iptables rules appears to let you restrict connections based on UID and GID. In other words, specific users can be prevented from making outbound connections on a given interface.

So maybe something like this (not tested), to block all access to loopback:

iptables -A OUTPUT -o lo -m owner --uid-owner {USERNAME} -j REJECT

... or if your locked-down accounts are all in the same group:

iptables -A OUTPUT -o lo -m owner --gid-owner {GROUPNAME} -j REJECT

If you need something more granular, this nixCraft post has an example of how to allow some ports, but not others.

Related Question