SSH HTTP Tunnelling

ssh, ssh-tunneling

I am trying to set up an SSH account on my server for someone, and I only want to give them access to tunneling internet traffic. I set their user's "shell" to /bin/true, so now when they SSH (and use -N), the tunnel works with no shell (this is what I want).

Now, I was wondering if there was a way to only allow web browsing traffic through (and not bittorrent, email, etc). In sshd_config, I tried:

PermitTunnel yes
PermitOpen any:80

But that doesn't allow any traffic through for some reason. Is there a way I can make it so the person can only use, for example, a web browser through my tunnel?

Thanks, I can supply any information you need.

The server is running Fedora 15, and I know how to use Linux so I don't need baby instructions.

PS: Additionally, is it possible to log the activity of an SSH tunnel? Like, to see what information goes through it? I know /var/log/secure has the login logs (although, with /bin/true instead of /bin/bash, logins don't show up), but not activity logs.

Best Answer

The PermitOpen accepts any when it's the only argument. Meaning it accepts PermitOpen any.
The only way I can think of to do this would be to use an iptables rule.

iptables -I OUTPUT -p tcp ! --dport 80 -m owner --uid-owner 1000 -j REJECT

This would reject any outbound traffic from user with UID=1000 that isn't going to port 80.
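An added example, not part of the answer above: a shell script that generalizes the single rule to a list of destination ports (80 and 443 for browsing) and puts a rate-limited LOG rule in front of the REJECT, so rejected attempts by the tunnel user appear in the kernel log, which partly covers the logging question in the PS. It assumes iptables with the owner, multiport, limit and LOG modules, and the hypothetical user name tunneluser.

```shell
#!/bin/sh
# Added example: build an iptables rule set that confines a tunnel-only SSH
# user to outbound TCP on the listed ports and logs everything else it rejects.
# Assumes the owner, multiport, limit and LOG iptables modules are available.
# Only TCP is matched, like the answer's rule, so UDP (e.g. the DNS lookups
# sshd performs for forwarded hostnames under the user's UID) is left alone.

# tunnel_rules UID PORT...  -> prints the iptables commands, one per line,
# in the order they must be appended: ACCEPT, LOG, REJECT.
tunnel_rules() {
    uid=$1; shift
    ports=$(printf '%s' "$*" | tr ' ' ',')
    # Allow only the listed destination ports for sockets owned by this UID.
    printf 'iptables -A OUTPUT -p tcp -m owner --uid-owner %s -m multiport --dports %s -j ACCEPT\n' "$uid" "$ports"
    # Log other connection attempts (rate-limited so a scan cannot flood syslog).
    printf 'iptables -A OUTPUT -p tcp -m owner --uid-owner %s -m limit --limit 5/min -j LOG --log-prefix "tunnel-reject uid=%s: "\n' "$uid" "$uid"
    # Reject everything else this UID tries to open.
    printf 'iptables -A OUTPUT -p tcp -m owner --uid-owner %s -j REJECT\n' "$uid"
}

# tunnel_rules_for_user NAME PORT...  -> resolves the UID, then prints the rules.
tunnel_rules_for_user() {
    name=$1; shift
    uid=$(getent passwd "$name" | cut -d: -f3)
    [ -n "$uid" ] || { echo "no such user: $name" >&2; return 1; }
    tunnel_rules "$uid" "$@"
}

# Usage (as root): tunnel_rules_for_user tunneluser 80 443 | sh
# Rejected attempts then show up via dmesg or /var/log/messages with the prefix.
```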
