You cannot do this as suggested, as the previous list members replied. However, there are other means, like opening an HTTP server on the ssh machine and adding a script that, when the page is opened, requires a user and password. This script will open iptables for that IP for the remainder of that session, and will later detect that the session is closed and remove that permission.
Another possibility is to rewrite some code and use packet injection to circumvent ssh, but I am not sure it would work since ssh encrypts the messages. So what you are left with here is configuration of ssh (if there is any) and rewriting ssh code.

Yet another possibility is to open a caged root account using another thread of ssh and allow port forwarding to a person who has a specific password, or who will do something in that account that will trigger a script that will allow him to port forward to that machine. (This is what I do for other reasons.)

Yet another possibility is to allow only connections from a trusted server/s, i.e. if all your users are from the Technion tx, then allow only connections from there.

Regards,
tzahi.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shachar Shemesh
Sent: Tuesday, April 27, 2004 6:52 PM
To: Noam Meltzer
Cc: Linux-IL mailing list
Subject: Re: iptables AI (application intelligence)

Noam Meltzer wrote:
> Hi,
> I was wondering if anyone knows if iptables has the ability to implement
> "application intelligence"?

The short answer is "no". A slightly longer answer is that, if you have proxy software that can act as a transparent proxy, you can direct all traffic to it using IPTables. This is, essentially, what firewalls that do have application knowledge usually do anyway.

> My specific interest is to implement something like this:
> I have a host, connected to the internet, and it runs iptables, while
> ssh's tcp port is the only one opened.
> Now, I want that instead of opening this port, every communication to
> that port will be dropped, unless the computer which tries to connect
> to it will try to connect with a specific user.

First of all, what you just said makes no sense. SSH will pass somewhere around 8 or 10 TCP packets around before the username is sent. You cannot drop the traffic until these packets have been sent, because before that no one knows who the user is.
Check Point has a mechanism by which they identify the user by external means. This allows exactly what you are looking for, assuming you are willing to install additional (typically Windows) software on the machine you connect from, or to contact another port and identify yourself first.

> example:
> the user "haim" is allowed to my machine, and others ain't.
>
> doing:
> remote-machine> ssh [EMAIL PROTECTED]
> will be dropped by iptables.
> doing:
> remote-machine> ssh [EMAIL PROTECTED]
> will be allowed by iptables.

Here you have another problem. SSH is an encrypted protocol. IPTables has no way of knowing WHAT the username passed was. I'm afraid you will have to play around with SSH's config in order to achieve this goal.

> 10x,
> Noam Meltzer

Shachar

-- 
Shachar Shemesh
Lingnu Open Source Consulting
http://www.lingnu.com/

=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
=================================================================
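The scheme tzahi describes above (an authenticator on another port opens iptables for the client's source address, and the hole is closed again once the ssh session ends) and the "contact another port and identify yourself first" model Shachar mentions both come down to the same thing: iptables only ever sees source addresses, so something that does know the user has to drive the rules. The following is an added example of that control logic, not code from anyone in this thread. It assumes the INPUT chain already drops new connections to port 22 below the rules it inserts, that sshd's log uses the "Disconnected from user ..." line format of recent OpenSSH, and that the credential table, log lines and the name "haim" are constructed for illustration. With run=False it only returns the iptables commands, so it can be exercised without root; the HTTP front end that collects the user and password and the client's address is not shown.

```python
"""Added example, not part of the original thread: an external authenticator that
opens the firewall per source address (tzahi's scheme). iptables never learns the
SSH username; a password check that does know the user drives the rules, and sshd's
own log is used to close the hole again. Credentials, log lines and names are
constructed for this example."""
import hashlib
import hmac
import os
import re
import subprocess

SSH_PORT = 22
ALLOWED_USERS = {"haim"}   # the user the original question wants to admit


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: user -> (salt, pbkdf2 hash); never keep plaintext.
_SALT = os.urandom(16)
CREDENTIALS = {"haim": (_SALT, _pbkdf2("correct horse", _SALT))}

# Constructed sshd log lines in the format recent OpenSSH writes (an assumption;
# older releases log "Received disconnect from ..." instead).
SAMPLE_AUTH_LOG = """\
Apr 27 18:52:01 gw sshd[2140]: Accepted publickey for haim from 132.68.1.10 port 51234 ssh2
Apr 27 18:52:03 gw sshd[2141]: Failed password for invalid user root from 203.0.113.7 port 40022 ssh2
Apr 27 19:10:45 gw sshd[2140]: Disconnected from user haim 132.68.1.10 port 51234
"""
DISCONNECTED = re.compile(r"sshd\[\d+\]: Disconnected from user (\S+) (\S+) port \d+")


def check_password(user: str, password: str) -> bool:
    """Constant-time check; unknown users still pay the hashing cost so timing
    does not reveal which usernames exist."""
    entry = CREDENTIALS.get(user)
    if entry is None:
        _pbkdf2(password, b"\0" * 16)
        return False
    salt, expected = entry
    return hmac.compare_digest(_pbkdf2(password, salt), expected)


def _match(src_ip: str) -> list:
    return ["-p", "tcp", "-s", src_ip, "--dport", str(SSH_PORT),
            "-m", "state", "--state", "NEW", "-j", "ACCEPT"]


def accept_rule(src_ip: str) -> list:
    """argv letting new connections from src_ip reach sshd (inserted at the top of INPUT)."""
    return ["iptables", "-I", "INPUT", "1"] + _match(src_ip)


def delete_rule(src_ip: str) -> list:
    """argv removing exactly the rule accept_rule() added."""
    return ["iptables", "-D", "INPUT"] + _match(src_ip)


class Gate:
    """Tracks which source addresses are currently opened, and for which user.
    run=False only returns the commands instead of executing them."""

    def __init__(self, run: bool = False):
        self.run = run
        self.opened = {}   # src_ip -> user

    def _apply(self, argv):
        if self.run:
            subprocess.run(argv, check=True)
        return argv

    def open_for(self, user, password, src_ip):
        """Called by the authenticator (the HTTP form in tzahi's scheme) with the
        client's source address. Returns the argv applied, or None if refused."""
        if not check_password(user, password) or user not in ALLOWED_USERS:
            return None
        if src_ip in self.opened:
            return None   # already open; do not stack duplicate rules
        self.opened[src_ip] = user
        return self._apply(accept_rule(src_ip))

    def reconcile(self, auth_log: str):
        """Close the hole for every opened address whose SSH session has ended."""
        applied = []
        for m in DISCONNECTED.finditer(auth_log):
            user, src_ip = m.group(1), m.group(2)
            if self.opened.get(src_ip) == user:
                del self.opened[src_ip]
                applied.append(self._apply(delete_rule(src_ip)))
        return applied


if __name__ == "__main__":
    gate = Gate(run=False)
    print(gate.open_for("haim", "correct horse", "132.68.1.10"))
    print(gate.reconcile(SAMPLE_AUTH_LOG))
```

Two caveats a practitioner should keep in mind with this design. The rule is keyed on the source address, not the user, so while the hole is open anyone sharing that address (a NAT, a campus proxy) can reach sshd and is then only held back by sshd's own authentication; and because the rule only matches NEW connections, deleting it leaves an established session working but closes the door for further ones, so a second session from the same address ends the grace period for that address. The gate also needs a timeout for users who authenticate and never connect, which is omitted here.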