我确实找到了很多关于如何限制对某些 IP 地址的传入访问的信息,但在另一端(出站端)却没有这样做。当我有一个 SOCKS 5 代理时。我主要在寻找一种在 openssh (ssh_config) 中执行此操作的方法,但如果不可能,则使用 IP-Tables。
答案1
假设我已经通过了标准的 OpenSSH 服务器文档最接近的看起来是许可证开放选项。
PermitOpen Specifies the destinations to which TCP port forwarding is per‐ mitted. The forwarding specification must be one of the fol‐ lowing forms: PermitOpen host:port PermitOpen IPv4_addr:port PermitOpen [IPv6_addr]:port Multiple forwards may be specified by separating them with whitespace. An argument of any can be used to remove all re‐ strictions and permit any forwarding requests. An argument of none can be used to prohibit all forwarding requests. The wildcard ‘*’ can be used for host or port to allow all hosts or ports respectively. Otherwise, no pattern matching or address lookups are performed on supplied names. By default all port forwarding requests are permitted.
要限制特定用户的转发,你可以使用类似
Match User user1 ...
PermitOpen ...
尝试使用 iptables 执行此操作不会为您提供所需的控制,因为所有流量看起来都来自 openssh 服务器进程和代理机器,无法识别哪个用户请求了它。
答案2
我确实找到了另一个答案,至少知道如何做NF表。这将 ssh 用户 user1 限制为一个公共 IP,但可以添加更多。不允许的调用将记录在 syslog 中(/var/log/syslog)
nft add rule ip filter OUTPUT meta skuid user1 ip daddr <public Ip of server> tcp dport 80 accept
nft add rule ip filter OUTPUT meta skuid user1 ip daddr <public Ip somwhere> tcp dport 80 accept
nft add rule ip filter OUTPUT meta skuid user1 ip daddr <public Ip of server> tcp dport 443 accept
nft add rule ip filter OUTPUT meta skuid user1 ip daddr <public Ip somwhere> tcp dport 443 accept
nft add rule ip filter OUTPUT meta skuid user1 tcp dport 80 log prefix \"Not allowed call at port 80 \" drop
nft add rule ip filter OUTPUT meta skuid user1 tcp dport 443 log prefix \"Not allowed call at port 443 \" drop