Let us assume I have three machines
A – Server to which I am sshing
B – Client from which I am sshing
C – Another Client in B's subnet
Now, I set up dynamic port forwarding for port 1235 by executing this on Client B:
ssh -D 1235 a@A
where a is the username at server A.
Now, I can connect to port 1235 only from B, as it is bound to localhost. If I modify the command to
ssh -D C:1235 a@A
then only C can connect to port 1235 of B, and not B itself. There is a third option I could use, namely
ssh -D 0.0.0.0:1235 a@A
whereby both B and C can connect to port 1235 of B, but so can all the other machines in the same subnet as B and C. What I really want is a way to bind the dynamic port so that only B and C can connect to it, and no other machine. How can I achieve this?
Best Answer
Use the -g option with SSH and then configure firewall rules to only allow C to connect to the port. The command would then be:
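The firewall side of the approach above, as an added example that is not part of the answer or of OpenSSH itself. It assumes B runs iptables/ip6tables, that C's address is 192.168.1.20 and that the SOCKS port is 1235 (all hypothetical values); the script only prints the commands so they can be reviewed before being run as root on B.

```shell
#!/bin/sh
# Added example (not from the original answer): restrict the SSH SOCKS
# listener on B to B itself (loopback) and one other client C.
# Assumptions: iptables is the host firewall on B; C's address and the
# port are passed in as arguments (192.168.1.20 and 1235 below are made up).

# The ssh invocation: -g lets hosts other than B connect to the -D listener,
# which then binds the wildcard address instead of localhost.
socks_ssh_cmd() {
    port="$1"; user="$2"; server="$3"
    printf 'ssh -g -D %s %s@%s\n' "$port" "$user" "$server"
}

# Emit the firewall commands for the port. A dedicated chain keeps the
# order explicit: allow loopback (B), allow C, reject everyone else with a
# TCP reset. The jump is inserted at position 1 of INPUT so that a later,
# broader ACCEPT rule cannot bypass it. The SOCKS listener has no
# authentication of its own, so this chain is the only access control.
# With -g the listener may also sit on the IPv6 wildcard address, so the
# port is rejected on ip6tables too (drop that line if C must use IPv6).
socks_acl_rules() {
    port="$1"; client="$2"
    cat <<EOF
iptables -N SOCKS_ACL 2>/dev/null || iptables -F SOCKS_ACL
iptables -A SOCKS_ACL -i lo -j ACCEPT
iptables -A SOCKS_ACL -s $client -j ACCEPT
iptables -A SOCKS_ACL -j REJECT --reject-with tcp-reset
iptables -I INPUT 1 -p tcp --dport $port -j SOCKS_ACL
ip6tables -I INPUT 1 -p tcp --dport $port -j REJECT --reject-with tcp-reset
EOF
}

# Usage: review the output, then run the rule lines as root on B and the
# ssh command as the forwarding user on B.
socks_ssh_cmd 1235 a A
socks_acl_rules 1235 192.168.1.20
```

After applying the rules, `ss -ltnp | grep 1235` on B should show the listener on `0.0.0.0:1235` (and possibly `[::]:1235`), a connection attempt from C should succeed, and one from any other host in the subnet should get an immediate reset rather than a hang.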