
I have an arch linux machine behind a firewall. I can open a port forwarding for the ssh port. I would like to create a user that can be used only for a socks proxy.

ssh -N -D 5000 user@server -p9000

5000 will be the local port the user uses for socks5 proxy

server:9000 is the ssh port of the server (the port forwarding)

-N means that a terminal shouldn't be opened. I will create the user with a default shell being /sbin/nologin.

Now the problem is that the user can forward local ports (-L8080:server2:80) and I want to avoid this.

Also I want the proxy to not proxy connections to anything in the server's internal network.

Is that achievable easily or not?

Are there other pitfalls I have to think about?

mist

2 Answers

2

You can forbid local forwarding in sshd_config, for example:

Match User your_user
  AllowTcpForwarding no
  PermitOpen none

It should not affect Dynamic forwarding/SOCKS proxy.

Also I want the proxy to not proxy connections to anything in the server's internal network.

This needs to be set up somewhere else than in ssh.

Jakuje
  • When I add either of these lines, the `-D` proxy doesn't work anymore. But it seems to be a bit finicky (working 2 out of 3 times) anyhow on Windows (maybe some close_wait states idk) so take this with a grain of salt. However, what you can add is `Match User your_user \n PermitTTY no` as well as having the `/usr/sbin/nologin` shell set for the user. – Luc Mar 27 '21 at 17:22
2

As Jakuje mentioned, you can use options to forbid forwarding.

Restricting Outbound Traffic by Owner

Also I want the proxy to not proxy connections to anything in the server's internal network.

You can use the iptables owner module to allow specific groups and users outbound in the OUTPUT rules to specific locations such as your ssh gateway server, but then block everything else. The owner module can match on gid or uid. This method is also commonly used in conjunction with Tor.

You can also use this to allow specific daemons to reach specific services. e.g. If using ldap, you can allow the ldap service account to query your ldap server and nothing else.

If using iptables in this manner, you may first want to allow (but log) traffic so that you know what would have been dropped.

Aaron
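As an added example (not Aaron's own rules, nor anything from the original question), a small POSIX shell helper that prints the iptables owner-match rules for a SOCKS-only account so they can be reviewed before being applied. The user name socksproxy, the chain name SOCKS_OUT, and the "internal" ranges (RFC 1918 plus loopback) are assumptions for the example; the post-auth sshd child that services the -D proxy runs as the user's uid, which is what the owner match keys on.

```shell
#!/bin/sh
# Added example: generate iptables rules that let a SOCKS-only user reach the
# internet but not the server's internal network. Assumptions (not from the
# page): user "socksproxy", chain "SOCKS_OUT", and RFC 1918 + loopback as
# the internal ranges. Prints the commands; pipe into sh as root to apply.

PROXY_USER="${PROXY_USER:-socksproxy}"
INTERNAL_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

# socks_owner_rules USER NET [NET...]
# Emits one iptables command per line; the test below checks the output.
socks_owner_rules() {
    user="$1"; shift
    # Dedicated chain so the policy can be flushed and rebuilt on its own.
    echo "iptables -N SOCKS_OUT 2>/dev/null || iptables -F SOCKS_OUT"
    # Only packets from sockets owned by the proxy user enter the chain;
    # root's sshd listener and other daemons are untouched.
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j SOCKS_OUT"
    # Replies on already-accepted connections keep flowing.
    echo "iptables -A SOCKS_OUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for net in "$@"; do
        # Log (rate-limited) before rejecting, so a dry run shows what would
        # have been blocked; swap REJECT for ACCEPT while auditing.
        echo "iptables -A SOCKS_OUT -d $net -m limit --limit 5/min -j LOG --log-prefix \"socks-internal: \""
        echo "iptables -A SOCKS_OUT -d $net -j REJECT --reject-with icmp-admin-prohibited"
    done
    # Everything else the proxy user opens (public internet) is allowed.
    echo "iptables -A SOCKS_OUT -j ACCEPT"
}

# Default invocation: print the full rule set for review.
socks_owner_rules "$PROXY_USER" $INTERNAL_NETS
```

The rules cover IPv4 only; an equivalent ip6tables chain is needed if the server has IPv6 connectivity, and the LOG lines are what you watch in the kernel log during the allow-but-log phase Aaron describes.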