Netfilter/tc rule to separate SSH and SFTP traffic?


When I connect to my server (RasPI 2 with Raspbian) remotely, I want my interactive SSH sessions to always have priority over any running SFTP sessions. Also, SFTP sessions should have less priority than e.g. SMB traffic in the local network.

The server is behind a dd-wrt router, in turn connected to a cable modem with 5Mbps uplink bandwidth.

I understand I should use iptables to mark the outgoing packets to different classes and tc to put them in different classes. But how can I tell iptables to discern SSH packets from SFTP packets and mark them differently? In the scenario above they come from the same port, the process name is the same (sshd), the user is the same and also the destination IP address.

The sshd daemon is using its internal SFTP server to use the ChrootDirectory feature.

ris8_allo_zen0

Posted 2015-08-16T12:29:00.687

Reputation: 183

Answers


No, it is not possible with this setup. sftp is a subsystem of sshd and the sftp commands are just encapsulated in the ssh protocol, which on the server side has a process called sftp-server instead of bash, which is common for normal ssh sessions.

A possibility would be to run another instance of the sshd service with the sftp subsystem on a different port, which you can then simply differentiate in iptables by port. You can even make the other service sftp-only by setting ForceCommand /path/to/sftp-server so it does not accept normal ssh sessions.

Jakuje

Posted 2015-08-16T12:29:00.687

Reputation: 7 981
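The second-instance approach from the answer, written out as an added example (not the answer author's own configuration): a separate SFTP-only sshd, iptables MARK rules keyed on the source port of each daemon, and a three-band prio qdisc that serves interactive SSH first and SFTP last. The port 2222, the interface eth0 and the chroot base /srv/sftp are assumptions.

```bash
#!/bin/sh
# Assumed values: interactive sshd stays on 22, the SFTP-only instance
# listens on 2222, and the Pi's single interface is eth0.
SSH_PORT=22
SFTP_PORT=2222
IFACE=eth0

# With DRY_RUN=1 the commands are printed instead of executed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# sshd_config for the second instance: every session is forced into the
# internal SFTP server, so no shell is reachable on this port.
sftp_sshd_config() {
    cat <<EOF
Port $SFTP_PORT
PidFile /run/sshd-sftp.pid
Subsystem sftp internal-sftp
ForceCommand internal-sftp
ChrootDirectory /srv/sftp/%u
AllowTcpForwarding no
X11Forwarding no
EOF
}

# Outgoing packets are told apart by the port each daemon answers from:
# mark 1 = interactive SSH, mark 2 = SFTP. Everything else stays unmarked.
mark_rules() {
    run iptables -t mangle -A OUTPUT -o "$IFACE" -p tcp --sport "$SSH_PORT" -j MARK --set-mark 1
    run iptables -t mangle -A OUTPUT -o "$IFACE" -p tcp --sport "$SFTP_PORT" -j MARK --set-mark 2
}

# prio qdisc with three bands: 1:1 (band 0) is drained first, 1:3 last.
# The priomap sends all unmarked traffic (e.g. SMB) to the middle band, so
# SSH beats SMB and SMB beats SFTP, which is the ordering the question asks for.
shape_rules() {
    run tc qdisc add dev "$IFACE" root handle 1: prio bands 3 \
        priomap 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
    run tc filter add dev "$IFACE" parent 1: protocol ip prio 1 handle 1 fw flowid 1:1
    run tc filter add dev "$IFACE" parent 1: protocol ip prio 2 handle 2 fw flowid 1:3
}
```

Review with `DRY_RUN=1`, write the config with `sftp_sshd_config > /etc/ssh/sshd_config_sftp` and start the instance with `/usr/sbin/sshd -f /etc/ssh/sshd_config_sftp`; note that this only orders the Pi's own egress, not what the dd-wrt router queues on the 5Mbps uplink.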