How can I stop users being able to access services bound to localhost via SSH port forwarding?

ssh security

Solution 1:

I haven't tried it myself, but the --uid-owner and --gid-owner options for iptables rules appears to let you restrict connections based on UID and GID. In other words, specific users can be prevented from making outbound connections on a given interface.

So maybe something like this (not tested), to block all access to loopback:

iptables -A OUTPUT -o lo -m owner --uid-owner {USERNAME} -j REJECT

... or if your locked-down accounts are all in the same group:

iptables -A OUTPUT -o lo -m owner --gid-owner {GROUPNAME} -j REJECT

If you need something more granular, this nixCraft post has an example of how to allow some ports, but not others.

Related

Why does Software Update and Add/Remove Software claim all packages are untrusted?
How to allow non-admin users to run a VBS script that requires higher privileges?
Percentile of order in excel pivot-table
Konsole page up/down keyboard shortcut
Poor home office network performance
What is the "Intel Turbo Boost Technology Driver" for?
Accessing the root directory through Windows Explorer FTP?
What is this NETFXRepair.exe in my %windir%\Microsoft.NET directory?
How to disable middle button showing a page thumbnail in Adobe Reader?
unable to switch TTY in arch linux
I don't want Flash, how do I make IE stop asking about installing it?
View page source in Chrome is extremely slow