I have an Arch Linux machine behind a firewall. I can open a port forward for the ssh port. I would like to create a user that can be used only for a SOCKS proxy.
ssh -N -D 5000 user@server -p9000

5000 will be the local port the user uses for the SOCKS5 proxy.
server:9000 is the ssh port of the server (the port forwarding).
-N means that a terminal shouldn't be opened. I will create the user with a default shell of /sbin/nologin.

Now the problem is that the user can forward local ports (-L8080:server2:80) and I want to avoid this.
Also I want the proxy to not proxy connections to anything in the server's internal network.
Is that achievable easily or not?
Are there other pitfalls I have to think about?
You can forbid local forwarding in sshd_config, for example:

It should not affect dynamic forwarding/SOCKS proxy.

This needs to be set up somewhere else than in ssh.

As Jakuje mentioned, you can use options to forbid forwarding.
Restricting Outbound Traffic by Owner

You can use the iptables owner module to allow specific groups and users outbound in the OUTPUT rules to specific locations such as your ssh gateway server, but then block everything else. The owner module can match on gid or uid. This method is also commonly used in conjunction with Tor. You can also use this to allow specific daemons to reach specific services, e.g. if using LDAP, you can allow the LDAP service account to query your LDAP server and nothing else.

If using iptables in this manner, you may first want to allow (but log) traffic so that you know what would have been dropped.
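As an added illustration of the owner-match approach described in this answer (this is example code, not from the answer's author): a script that generates the iptables OUTPUT rules for the SOCKS-only user so that connections the proxy opens on that user's behalf can reach the Internet but are logged and dropped when aimed at the server's own networks. The user name socksuser and the internal prefixes are constructed placeholders.

```shell
#!/bin/sh
# Added example: emit iptables rules restricting a SOCKS-only user's egress.
# The SOCKS connections are opened by the sshd session process running as
# that user, so "-m owner --uid-owner" matches them in the OUTPUT chain.
# Rules are printed rather than applied, so they can be reviewed and then
# run as root, e.g.:  sh socks-egress.sh | sudo sh

PROXY_USER="${PROXY_USER:-socksuser}"   # hypothetical SOCKS-only account
# Constructed placeholder: loopback plus RFC 1918 space; use the real
# internal prefixes of the server here.
INTERNAL_NETS="${INTERNAL_NETS:-127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16}"

# Print the rule set for one user and a space-separated list of networks.
socks_egress_rules() {
    user="$1"
    nets="$2"
    chain="SOCKS_${user}"
    echo "iptables -N $chain"
    # Log first, then drop, so the log shows what the policy blocks
    # (the "allow but log" step from the answer becomes a real drop here).
    for net in $nets; do
        echo "iptables -A $chain -d $net -j LOG --log-prefix \"socks-internal-drop: \""
        echo "iptables -A $chain -d $net -j DROP"
    done
    # Anything not aimed at internal space is allowed out for this user.
    echo "iptables -A $chain -j ACCEPT"
    # Send the user's new outbound connections through the chain.
    echo "iptables -A OUTPUT -m owner --uid-owner $user -m conntrack --ctstate NEW -j $chain"
}

# Helper for reviewing a generated rule set: number of DROP rules it contains,
# which should equal the number of internal networks given.
count_drops() {
    printf '%s\n' "$1" | grep -c ' -j DROP$'
}

socks_egress_rules "$PROXY_USER" "$INTERNAL_NETS"
```

Traffic from other users and from the server's own daemons is untouched because only the named uid is diverted into the chain.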