Recipe 3.7 Restricting Access by Remote Users
You want only particular remote users to have access to a TCP service. You cannot predict the originating
Block the service's incoming TCP port with a firewall rule [Recipe 2.6], run an SSH server, and permit users to tunnel in via SSH port forwarding. Thus, SSH authentication will permit or deny access to the service. Give your remote users SSH access by public key.
For example, to reach the news server (TCP port 119) on your site
, a remote
myclient$ ssh -f -N -L 23456:server.example.com:119 server.example.com
and then connect to the tunnel, for example with the tin newsreader:
myclient$ export NNTPSERVER=localhost myclient$ tin -r -p 23456
SSH tunneling, or port forwarding, redirects a TCP connection to flow through an SSH client and server in a mostly-transparent manner.
[Recipe 6.14] This tunnel connects from a local port to a remote port, encrypting traffic on
Figure 3-2. Tunneling NNTP with SSH
By blocking a service's port (119) to the outside world, you have prevented all remote access to that port. But SSH
Alternatively, investigate whether your given service has its own user authentication. For example,
3.7.4 See Also
ssh(1), sshd(8), tin(1).
Recipe 3.8 Restricting Access by Remote