You cannot do this as suggested, as the previous list members replied.
However, there are other means, like opening an HTTP server on the SSH
machine and adding a script that, when the page opens, requires a
user and password. This script will open iptables for that IP for the
remainder of that session, and then will discover it is closed and remove
that permission in the future.

Another possibility is to rewrite some code and use packet injection
to circumvent SSH, but I am not sure it would work since SSH
encrypts the messages.
So what you are left with here is the configuration of SSH (if there is any)
and rewriting the SSH code.

Yet another possibility is to open a caged root account using another
thread of SSH and allow port forwarding to a person who has a specific
password or will do something in that account that will trigger a script
that will allow him to port forward to that machine.
(This is what I do for other reasons.)

Yet another possibility is to allow only connections from trusted
server(s), i.e. if all your users are from the Technion tx, then allow only
connections from there.

Regards,
        tzahi.
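As an added illustration of the two firewall-side approaches in the reply above (a login page that opens iptables for the client's address for the length of a session, and a baseline that admits only trusted networks), here is a small POSIX sh script. It is not code from the thread or from any of its authors; the function names, the state file, and the hooks are assumptions: a login page is assumed to call `grant_ssh <client-ip>` after a successful login, a cron job to call `expire_ssh` every minute, and `restrict_ssh_to <net>...` to run once at boot. It goes slightly beyond the post by validating the address before it reaches iptables and by expiring grants on a timer rather than waiting for the session to close. Set `IPT=echo` to dry-run and see the rules it would issue.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): a session-scoped SSH
# allow list managed through iptables. All names here are hypothetical.
# IPT is the firewall command; IPT=echo prints the rules instead of applying them.
IPT="${IPT:-iptables}"
STATE="${STATE:-${TMPDIR:-/tmp}/ssh-grants.db}"   # one "ip expiry-epoch" per line
TTL="${TTL:-3600}"                                 # seconds a grant stays open
SSH_PORT="${SSH_PORT:-22}"

# Accept only a dotted-quad IPv4 address. The address comes from a web login
# form, so anything else (extra arguments, shell metacharacters) is refused
# before it can be handed to iptables.
valid_ipv4() {
  case "$1" in
    "" | *[!0-9.]* | .* | *. | *..*) return 1 ;;
  esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
  return 0
}

# restrict_ssh_to NET... : baseline policy. Only the trusted networks may
# reach sshd; every other packet to the port is dropped. Session grants are
# inserted with -I, so they land ahead of this DROP rule.
restrict_ssh_to() {
  for net in "$@"; do
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -s "$net" -j ACCEPT
  done
  $IPT -A INPUT -p tcp --dport "$SSH_PORT" -j DROP
}

# grant_ssh IP [NOW] : open sshd to IP until NOW+TTL. A second login from the
# same address extends the expiry instead of adding a duplicate rule.
grant_ssh() {
  ip=$1; now=${2:-$(date +%s)}
  valid_ipv4 "$ip" || { echo "grant_ssh: bad address '$ip'" >&2; return 1; }
  touch "$STATE"
  if awk -v ip="$ip" '$1 == ip { f = 1 } END { exit !f }' "$STATE"; then
    awk -v ip="$ip" -v until="$((now + TTL))" \
      '$1 == ip { $2 = until } { print $1, $2 }' "$STATE" > "$STATE.tmp" \
      && mv "$STATE.tmp" "$STATE"
    return 0
  fi
  $IPT -I INPUT -p tcp --dport "$SSH_PORT" -s "$ip" -j ACCEPT || return 1
  echo "$ip $((now + TTL))" >> "$STATE"
}

# expire_ssh [NOW] : remove the rule for every grant whose expiry has passed
# and drop it from the state file.
expire_ssh() {
  now=${1:-$(date +%s)}
  [ -f "$STATE" ] || return 0
  for ip in $(awk -v now="$now" '$2 <= now { print $1 }' "$STATE"); do
    $IPT -D INPUT -p tcp --dport "$SSH_PORT" -s "$ip" -j ACCEPT
  done
  awk -v now="$now" '$2 > now' "$STATE" > "$STATE.tmp" && mv "$STATE.tmp" "$STATE"
}

# active_grants : list the addresses currently allowed through.
active_grants() {
  [ -f "$STATE" ] || return 0
  awk '{ print $1 }' "$STATE"
}
```

The expiry timer is the safety net the reply's "discover it is closed" step needs: if the session-close hook never fires, the hole still shuts after `TTL` seconds, and the state file makes a reboot or a second login idempotent.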

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Shachar Shemesh
Sent: Tuesday, April 27, 2004 6:52 PM
To: Noam Meltzer
Cc: Linux-IL mailing list
Subject: Re: iptables AI (application intelligence)


Noam Meltzer wrote:

> Hi,
> I was wondering if anyone knows if iptables has the ability to implement
> "application intelligence"?

The short answer is "no".

A slightly longer answer is that, if you have proxy software that can 
act as a transparent proxy, you can direct all traffic to it using 
IPTables. This is, essentially, what firewalls that do have application 
knowledge usually do anyway.

> My specific interest is to implement something like this:
> I have a host, connected to the internet, and it runs iptables, while
> ssh's tcp port is the only one opened.
> Now, I want that, instead of opening this port, every communication to 
> that port will be dropped, unless the computer which tries to connect 
> to it tries to connect with a specific user.

First of all, what you just said makes no sense. SSH will pass somewhere 
around 8 or 10 TCP packets around before the username is sent. You 
cannot drop the traffic until these packets have been sent, because 
before that NO ONE knows who the user is.

Check Point has a mechanism by which they identify the user by external 
means. This allows exactly what you are looking for, assuming you are 
willing to install additional (typically Windows) software on the 
machine you connect from, or contact another port and identify yourself 
first.

>
> example:
> the user "haim" is allowed to my machine, and others ain't.
>
> doing:
> remote-machine> ssh [EMAIL PROTECTED]
> will be dropped by iptables.
> doing:
> remote-machine> ssh [EMAIL PROTECTED]
> will be allowed by iptables.

Here you have another problem. SSH is an encrypted protocol. IPTables 
has no way of knowing WHAT the username passed was. I'm afraid you will 
have to play around with SSH's config in order to achieve this goal.

> 10x,
> Noam Meltzer

          Shachar

-- 
Shachar Shemesh
Lingnu Open Source Consulting
http://www.lingnu.com/


=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with the word
"unsubscribe" in the message body, e.g., run the command echo unsubscribe |
mail [EMAIL PROTECTED]
