Block SSH tunneling to IP, allow only for certain users

ssh linux ssh-tunnel

I need to setup SSH to block all access to a certain IP on port 555. Only a small group of users should be allowed to tunnel to that IP. Currently I have the following stuff in my sshd_config

Match User bob
        PermitOpen 1.2.3.4:555 5.6.7.8:555

The question I have is, how do I deny all other users access to this tunnel? I dont see a denyopen, or restrictopen thing in sshd_config.


You could do it with a firewall on the SSH box:

iptables -A OUTPUT -p tcp -d 1.2.3.4 --dport 555 -m owner --uid-owner bob -j ACCEPT
iptables -A OUTPUT -p tcp -d 1.2.3.4 --dport 555                          -j REJECT

Disable TcpForwarding for all users by default:

AllowTcpForwarding No

And make an exception for user bob:

Match User bob
        AllowTcpForwarding Yes
        PermitOpen 1.2.3.4:555 5.6.7.8:555

Related

Who has my domain?
Danger of Scavenging Stale Resource Records In _msdcs Zone?
how to enable ls highlighting in Debian
How do I get my server off the ivmSIP/24 blacklist?
How is CPU processing speed reported in /proc/cpuinfo?
FTP: How to get rid of "WARNING! 1 bare linefeeds received in ASCII mode" message?
What happens when I kill an alter table thread that is still processing?
Send an email on reboot [duplicate]
How to run fsck on guest VMs from KVM
Can a Second Domain Controller, with buggy hard drive hardware, cause a corruption to Active Directory?
Setting the hostname in the linux shell prompt
Wireless technology - which is better: more single radio APs or less dual radio APs?