How can I allow only tunneled connections to a port?
I'd like to make a git-daemon go through a permanent ssh tunnel. I accomplished this task. How do I block any remote untunneled connection to the GIT_DAEMON port (9418 in my case)?
I already tried simple rules in iptables (block everything except localhost):
$ iptables -A INPUT -p tcp -d ! localhost --destination-port 9418 -j DROP
But it also blocks a tunnel (since it saves the source IP address). If I had one more host as a firewall it could simply be done by blocking any remote connection to this port, but I need this host to do this job.
The tunnel is created in one of two ways:
For Windows:
plink.exe -N -i <key> -L 127.0.0.1:9418:192.168.1.69:9418 [email protected]
For Linux:
ssh -N -i <key> -L 127.0.0.1:9418:192.168.1.69:9418 [email protected]
Comments (2)
You can actually achieve this without using iptables at all, by simply making git-daemon bind to the loopback interface, eg.
This will make it so it is only connectable from localhost, and does not require root privileges to set up.
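As an added example, not the answer's own command (which did not survive on this page): a small script that starts git-daemon bound to 127.0.0.1 only and that audits the host's listening sockets for a 9418 listener on any non-loopback address. The repository root /srv/git and the `ss -ltn` sample output are constructed for illustration; the git daemon flags --listen, --port, --base-path, --export-all and --detach are real.

```sh
#!/bin/sh
# Added example for the answer above (not the answer's own code, which did not
# survive on this page): run git-daemon bound to loopback only, then audit the
# host's listening sockets so a non-loopback 9418 listener is noticed.

GIT_PORT=9418
REPO_ROOT=/srv/git   # assumed repository root; adjust to your layout

# Start git-daemon listening on 127.0.0.1 only. --listen restricts the bind
# address; --base-path/--export-all are the usual flags for serving a tree of
# repositories. Runs unprivileged, which is the point of the answer above.
start_git_daemon_loopback() {
    git daemon --listen=127.0.0.1 --port="$GIT_PORT" \
        --base-path="$REPO_ROOT" --export-all --detach
}

# Read `ss -ltn` output on stdin and print every local address on which
# $GIT_PORT is bound to something other than IPv4/IPv6 loopback.
# Exit status: 0 = loopback-only (or not bound at all), 1 = exposed.
exposed_git_listeners() {
    awk -v port="$GIT_PORT" '
        # ss -ltn columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            p = parts[n]                       # port is the last ":"-field
            if (p != port) next
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (host == "127.0.0.1" || host == "[::1]") next
            print host                         # 0.0.0.0, *, [::], a LAN address, ...
            exposed = 1
        }
        END { if (exposed) exit 1; exit 0 }'
}

# Constructed sample of `ss -ltn` output for a host where git-daemon is still
# bound to its LAN address (192.168.1.69) plus an IPv6 loopback listener.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
LISTEN 0      128    192.168.1.69:9418    0.0.0.0:*
LISTEN 0      128    [::1]:9418           [::]:*'

audit_sample() { printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_git_listeners; }
audit_live()   { ss -ltn | exposed_git_listeners; }

case "${1:-}" in
    start) start_git_daemon_loopback ;;   # needs git and a readable $REPO_ROOT
    audit) audit_live ;;                  # needs iproute2's ss
    demo)  audit_sample ;;                # runs against the constructed sample
esac
```

Run it as `sh script.sh demo` to see the audit flag 192.168.1.69 on the constructed sample, or `sh script.sh audit` on a real host after starting the daemon; a non-zero exit status means 9418 is reachable from outside loopback, which is exactly the state the answer removes by binding to 127.0.0.1.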
You might try this (untested):
Using that, iptables -L says:
EDIT
This is (probably) how your tunnel should be set up:
It's important that the second half is 127.0.0.1 and NOT a normal IP
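The answer's rules, its `iptables -L` output and its tunnel command were lost from this page, so the following is an added example of my own, not the answer's code: an iptables rule pair that accepts TCP/9418 only when both source and destination are 127.0.0.1 and drops everything else, plus a check that an `ssh -L` forward spec targets 127.0.0.1 on the far side (the answer's point). The asker's original rule failed because sshd on the git host connected to 192.168.1.69:9418, which `-d ! localhost` matches and drops; with the target changed to 127.0.0.1 the forwarded connection originates from and goes to loopback and matches the ACCEPT rule. The key path and ssh user@host are placeholders taken from the question.

```sh
#!/bin/sh
# Added example (not the answer's own, untested rules, which are not shown on
# this page): restrict TCP/9418 to loopback-to-loopback connections and verify
# that an ssh -L spec points the far side at 127.0.0.1.

GIT_PORT=9418

# Print the rule set. Order matters: the loopback ACCEPT must precede the
# catch-all DROP, which is why both are appended with -A in this order.
# Both rules use standard iptables matches (-p, --dport, -s, -d, -j).
git_port_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --dport $GIT_PORT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport $GIT_PORT -j DROP
EOF
}

# Show the rules; apply them (requires root) only when called with --apply.
apply_git_port_rules() {
    if [ "${1:-}" = "--apply" ]; then
        git_port_rules | sh -e
    else
        git_port_rules
    fi
}

# Validate an ssh -L spec "bind_addr:port:host:hostport". Succeeds only when
# the remote-side host is 127.0.0.1 and the port is $GIT_PORT, so sshd on the
# git host connects over loopback and matches the ACCEPT rule above.
# The asker's spec 127.0.0.1:9418:192.168.1.69:9418 is rejected here.
tunnel_spec_ok() {
    spec=$1
    host=$(printf '%s' "$spec" | awk -F: '{ print $(NF-1) }')
    hostport=$(printf '%s' "$spec" | awk -F: '{ print $NF }')
    [ "$host" = "127.0.0.1" ] && [ "$hostport" = "$GIT_PORT" ]
}

# Build the Linux tunnel command in the asker's form with the corrected target.
# $1 = identity file (the question's <key>), $2 = ssh user@host placeholder.
tunnel_command() {
    key=$1
    sshhost=$2
    printf 'ssh -N -i %s -L 127.0.0.1:%s:127.0.0.1:%s %s\n' \
        "$key" "$GIT_PORT" "$GIT_PORT" "$sshhost"
}

case "${1:-}" in
    rules)  apply_git_port_rules ;;
    apply)  apply_git_port_rules --apply ;;
    check)  tunnel_spec_ok "$2" && echo "ok: far side is loopback" \
                               || echo "rejected: far side must be 127.0.0.1:$GIT_PORT" ;;
    tunnel) tunnel_command "${2:-<key>}" "${3:-user@host}" ;;
esac
```

`sh script.sh check 127.0.0.1:9418:192.168.1.69:9418` reports the asker's spec as rejected, while `sh script.sh check 127.0.0.1:9418:127.0.0.1:9418` passes; `sh script.sh rules` prints the two rules for review before `sh script.sh apply` installs them as root. If git-daemon also listens on ::1, an equivalent ip6tables pair is needed, since these rules only cover IPv4.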