[lug] firewall trickery

Ken MacFerrin lists at macferrin.com
Tue Jan 31 16:43:05 MST 2006

Daniel Webb wrote:
> Well, I realize the advanced routing list might be a better place for this,
> but I'm not a subscriber, so:
> Suppose I am port forwarding a bunch of ports to the SSH port using
> iptables mangle PREROUTING.  This is done so that each port can be
> assigned to a different user, and each user can then have a different
> qdisc class for the purposes of bandwidth allocation.
> Now I have a problem: how can I prevent users from using other users'
> ports since all the ports just forward to ssh?
> There are two ways I have thought of, and I don't really know if either
> is feasible:
> 1) Can userspace applications see the fwmark set by iptables?  If so, I
> could patch openssh to check that a fwmark is correct during connection
> establishment.
> 2) Set a fwmark based on PID owner match in the OUTPUT table,
> then do something with that.  Here's where I'm over my head again.
> The trickiness is due to the way packets traverse the kernel.  PID owner
> match only works on outgoing packets (obviously), but the port of the
> outgoing packet isn't un-NATed until *after* the mangle POSTROUTING
> table.  I know I've read that only some packets go through the nat
> POSTROUTING table, maybe just the first packet in a connection?  The
> more elegant solution would be to drop packets where owner PID and
> outgoing port don't match, but I'm not sure if there's anywhere I can do
> that.  Do any un-NATed packets go through the outgoing nat POSTROUTING
> table?
> I have read all the iptables docs I could find, and I can't find
> the answers to:
>   * Exactly which packets traverse nat POSTROUTING?
>   * Exactly where in the packet traversal diagram is port forwarding
>     undone?

I'm not sure on the iptables questions but another way to approach the 
problem could be to start multiple instances of sshd on the server, each 
with an individual config file listening on different ports.  You could 
then use the "AllowUsers" directive to restrict access to each instance 
by user.
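The multiple-instance approach suggested above, as an added example that is not part of the original thread: a POSIX shell script that writes one sshd_config per user/port pair, with AllowUsers restricting that instance to its own user, checks each file with sshd -t and only then starts the instance. The config directory, the user/port pairs, the PidFile and HostKey paths are assumptions for illustration, not anything from the original posts.

```shell
#!/bin/sh
# Added example, not code from the original thread. One sshd per user/port:
# each instance listens on its own port and its AllowUsers line rejects every
# other account, so the per-port qdisc classes set up in PREROUTING stay bound
# to the intended user.
set -eu

# Assumption: where the generated per-instance configs are written.
CONF_DIR="${CONF_DIR:-${TMPDIR:-/tmp}/sshd-per-user}"

# gen_config USER PORT: write $CONF_DIR/sshd_USER.conf and print its path.
gen_config() {
    user=$1
    port=$2
    mkdir -p "$CONF_DIR"
    f="$CONF_DIR/sshd_$user.conf"
    cat > "$f" <<EOF
# Instance for $user only. Packets arriving on port $port are classified by
# the existing PREROUTING mark rules; AllowUsers stops anyone else from
# logging in through this port.
Port $port
ListenAddress 0.0.0.0
AllowUsers $user
# Assumption: separate pid file per instance so they do not clash.
PidFile /var/run/sshd_$user.pid
# Assumption: host keys shared by all instances so clients see one identity.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
EOF
    printf '%s\n' "$f"
}

# allowed_user CONFIG: print the AllowUsers value of a generated config.
allowed_user() {
    awk '$1 == "AllowUsers" { print $2 }' "$1"
}

# listen_port CONFIG: print the Port value of a generated config.
listen_port() {
    awk '$1 == "Port" { print $2 }' "$1"
}

# start_all user:port [user:port ...]: generate one config per pair, validate
# it with sshd -t, and start an instance for it. Starting requires root and an
# installed sshd; when sshd is absent only the configs are written.
start_all() {
    sshd_bin=$(command -v sshd || true)
    for pair in "$@"; do
        user=${pair%%:*}
        port=${pair#*:}
        f=$(gen_config "$user" "$port")
        if [ -n "$sshd_bin" ]; then
            # sshd re-execs itself, so it must be invoked by absolute path.
            "$sshd_bin" -t -f "$f"
            "$sshd_bin" -f "$f"
        fi
    done
}

# Usage (as root, assumed user/port pairs):
#   start_all alice:2201 bob:2202
```

The generated files are plain sshd_config fragments, so "sshd -t -f FILE" is the check to run after editing one by hand. Current OpenSSH (6.5 and later) also lets a single instance do the same job with a Match LocalPort block containing AllowUsers, which avoids one daemon per user; the per-instance layout above is the one that works on the older releases the thread was written against.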
