This is a discussion on "limit outgoing connections to certain users" within the Linux Security forums, part of the System Security and Security Related category.
Hello,
in our hospital we have companies that must connect to computers for support. We want to limit their access to certain machines, but we have the following problem.

We can limit on the firewall which machines they can connect to, but when they are connected to this server via ssh there is no way to prevent them from trying to connect to other machines.

Is there a way to limit outgoing network traffic from a Linux machine per user or, even better, is there a way to limit an outgoing connection depending on where the incoming ssh comes from?

Thanks
Andreas
On 17 Apr, 07:09, amoroder <amoro...@sb-brixen.it> wrote:
> Hello,
>
> in our hospital we have companies that must connect to computers for
> support.
> We want to limit their access to certain machine, but we have the
> following problem.
> We can limit on the firewall to what machine they can connect, but
> when they are connected to this server via ssh there is no way to
> prevent them trying to connect to other machines.
>
> Is there a way to limit outgoing network trafic from a linux machine
> per user or, even better, is there a way to limit a outgoning
> connection depending from the place the ingoing ssh comes from ?

Not simply.

The right way to do it would be to force key based (no password) logins and don't put the public key on machines they shouldn't access.

Alternatively (but this is rather messy and if not done right easily subvertable):

You could run identd on all the servers and create NIS maps for the allowed/not allowed users, then block SSH access using TCP wrappers.

HTH
C.
amoroder <amoroder@sb-brixen.it> wrote:
> in our hospital we have companies that must connect to computers
> for support. We want to limit their access to certain machine, but
> we have the following problem. We can limit on the firewall to
> what machine they can connect, but when they are connected to this
> server via ssh there is no way to prevent them trying to connect to
> other machines.
>
> Is there a way to limit outgoing network trafic from a linux
> machine per user or, even better, is there a way to limit a
> outgoning connection depending from the place the ingoing ssh comes
> from ?

Assuming they log in as an identifiable user / group you can use the owner match in the OUTPUT table to limit access. From the man page:

    owner
        This module attempts to match various characteristics of the packet
        creator, for locally-generated packets. It is only valid in the
        OUTPUT chain, and even this some packets (such as ICMP ping
        responses) may have no owner, and hence never match.

        --uid-owner userid
            Matches if the packet was created by a process with the given
            effective user id.

        --gid-owner groupid
            Matches if the packet was created by a process with the given
            effective group id.

        --pid-owner processid
            Matches if the packet was created by a process with the given
            process id. (Please note: This option requires kernel support
            that might not be available in official Linux kernel sources or
            Debian's packaged Linux kernel sources. And if support for this
            option is available for the specific Linux kernel source
            version, that support might not be enabled in the current Linux
            kernel binary.)

        --sid-owner sessionid
            Matches if the packet was created by a process in the given
            session group. (Please note: This option requires kernel support
            that might not be available in official Linux kernel sources or
            Debian's packaged Linux kernel sources. And if support for this
            option is available for the specific Linux kernel source
            version, that support might not be enabled in the current Linux
            kernel binary.)

        --cmd-owner name
            Matches if the packet was created by a process with the given
            command name. (Please note: This option requires kernel support
            that might not be available in official Linux kernel sources or
            Debian's packaged Linux kernel sources. And if support for this
            option is available for the specific Linux kernel source
            version, that support might not be enabled in the current Linux
            kernel binary.)

        NOTE: pid, sid and command matching are broken on SMP

-- 
Nick Craig-Wood <nick@craig-wood.com> -- http://www.craig-wood.com/nick
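As an added example (not from the thread or from the iptables project), the following POSIX shell function turns the owner-match idea above into a reviewable ruleset: it prints the iptables commands that confine one local Unix user, assumed to be the account the support company logs in as, to ssh towards a fixed list of hosts and rejects everything else that user's processes originate. The chain name scheme, the logging prefix and the use of the conntrack match are my assumptions; only `--uid-owner` comes from the page.

```shell
#!/bin/sh
# Added example: generate iptables OUTPUT rules using the owner match so that
# packets created by processes of USER may only open ssh to the listed hosts.
# Assumes the vendor logs in as USER and iptables supports "-m owner".

# owner_rules USER HOST [HOST...]
# Prints the commands; review them, then pipe to "sh" as root to apply.
owner_rules() {
    user="$1"; shift
    # One chain per user keeps the per-vendor policy easy to audit (assumed naming).
    chain="OUT_$(printf '%s' "$user" | tr 'a-z' 'A-Z' | tr '-' '_')"
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    # With sshd privilege separation the session process runs as the vendor
    # user, so replies to the vendor's own ssh session carry that uid; accepting
    # established flows first keeps the session itself alive.
    echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A $chain -o lo -j ACCEPT"
    # Only new ssh connections to the explicitly allowed hosts are permitted.
    for host in "$@"; do
        echo "iptables -A $chain -d $host -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Anything else this user originates is rate-limited into the log, then refused.
    echo "iptables -A $chain -m limit --limit 5/min -j LOG --log-prefix \"owner-drop $user: \""
    echo "iptables -A $chain -j REJECT --reject-with icmp-admin-prohibited"
    # Hook the chain into OUTPUT keyed on the effective uid of the sending process.
    echo "iptables -D OUTPUT -m owner --uid-owner $user -j $chain 2>/dev/null"
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j $chain"
}

# Constructed sample: vendor account "vendor1" may reach two internal hosts.
owner_rules vendor1 10.0.0.5 10.0.0.6
```

Two caveats follow from the man page text quoted above: the owner match only exists in the OUTPUT chain, so it says nothing about traffic the user forwards through the host rather than originates on it, and it keys on the effective uid, so anything the user can run setuid (or a local privilege escalation) steps outside the policy. It also does not answer the second half of the original question: the rules cannot see which client address the inbound ssh session came from, only which local account it landed in.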
On 21 Apr, 13:59, "C." <colin.mckin...@gmail.com> wrote:
> On 17 Apr, 07:09, amoroder <amoro...@sb-brixen.it> wrote:
>
> > Hello,
> >
> > in our hospital we have companies that must connect to computers for
> > support.
> > We want to limit their access to certain machine, but we have the
> > following problem.
> > We can limit on the firewall to what machine they can connect, but
> > when they are connected to this server via ssh there is no way to
> > prevent them trying to connect to other machines.
> >
> > Is there a way to limit outgoing network trafic from a linux machine
> > per user or, even better, is there a way to limit a outgoning
> > connection depending from the place the ingoing ssh comes from ?
>
> Not simply.
>
> The right way to do it would be to force key based (no password)
> logins and don't put the public key on machines they shouldn't access.
>
> Alternatively (but this is rather messy and if none done right easily
> subvertable):
>
> You could run identd on all the servers and create NIS maps for the
> allowed/not allowed users then block SSH access using TCP wrappers.
>
> HTH
>
> C.

On reflection, a better way would be to use the AllowGroups ssh config directive and set up groups for each machine (or groups of machines). But that enforces what credentials they supply to the target machine - not what credentials they have at the client end.

C.