Re: limit outgoing connections to certain users
On 17 Apr, 07:09, amoroder <amoro...@sb-brixen.it> wrote:
> Hello,
>
> in our hospital we have companies that must connect to computers for
> support.
> We want to limit their access to certain machines, but we have the
> following problem.
> We can limit on the firewall to what machine they can connect, but
> when they are connected to this server via ssh there is no way to
> prevent them trying to connect to other machines.
>
> Is there a way to limit outgoing network traffic from a Linux machine
> per user or, even better, is there a way to limit an outgoing
> connection depending on the place the ingoing ssh comes from?
>
Not simply.
The right way to do it would be to force key-based (no password)
logins and not put the public key on machines they shouldn't access.
Alternatively (but this is rather messy and, if not done right, easily
subvertible):
You could run identd on all the servers and create NIS maps for the
allowed/not allowed users then block SSH access using TCP wrappers.
HTH
C.