Iptables filtering question

George
05-20-2005, 09:53 AM
Hi all.

Is it possible to use iptables or any other type of filtering for filtering
by user?

Let's explain. I want to allow only one user to access my pc using ssh. I
don't want to filter by using his ip address or any network stuff, but by
his user name (i.e. root, user1, user2). Is it possible?

TA.

Davide Bianchi
05-20-2005, 10:33 AM
On 2005-05-20, George <(E-Mail Removed)> wrote:
> Is it possible to use iptables or any other type of filtering for filtering
> by user?


No. The username isn't in any packets sent by the system.
Davide

--
Windows 95 has been operating for 2 hours, 32 minutes. No errors reported. CALL
GUINESS BOOK OF WORLD RECORDS NOW!

Mikko Rapeli
05-20-2005, 10:45 AM
In article <(E-Mail Removed) >,
Davide Bianchi wrote:
> On 2005-05-20, George <(E-Mail Removed)> wrote:
>> Is it possible to use iptables or any other type of filtering for filtering
>> by user?
>
> No. The username isn't in any packets sent by the system.
> Davide


Oh yes it is possible. man iptables:

....
owner
This module attempts to match various characteristics of
the packet creator, for locally-generated packets. It is only
valid in the OUTPUT chain, and even this some packets
(such as ICMP ping responses) may have no owner, and hence never
match.
....

Combine that with state matching and inbound traffic can be covered as
well.

-Mikko
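An added example (not from Mikko's post) of the rule set his answer describes: the owner match decides which local user may originate outbound SSH in OUTPUT, and a state match admits the replies in INPUT, where packets have no owner. It assumes a local user named alice and leaves IPT at its dry-run default, so it only prints the commands.

```shell
#!/bin/sh
# Added example: owner match in OUTPUT combined with state match in INPUT.
# Dry run by default; set IPT=iptables (as root) to apply the rules for real.
IPT="${IPT:-echo iptables}"

# Only the named local user may open outbound SSH connections.
# The owner match reads the uid of the sending socket, which exists only for
# locally generated packets; that is why the match is valid in OUTPUT only.
restrict_outbound_ssh_to_user() {
    user="$1"
    $IPT -A OUTPUT -p tcp --dport 22 -m owner --uid-owner "$user" -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 22 -j REJECT
    # Inbound replies carry no local owner, so they are admitted by connection
    # state instead; this is the "combine with state matching" part. An
    # inbound SSH *login* cannot be gated by user here at all: the SYN arrives
    # before any user name is sent, so sshd's AllowUsers is the tool for that.
    $IPT -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
}

restrict_outbound_ssh_to_user alice
```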

Syam
05-20-2005, 11:10 AM
man sshd_config.
========
AllowUsers
This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. '*' and '?' can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.
========

- Syam


George wrote:
> Hi all.
>
> Is it possible to use iptables or any other type of filtering for filtering
> by user?
>
> Let's explain. I want to allow only one user to access my pc using ssh. I
> don't want to filter by using his ip address or any network stuff, but by
> his user name (i.e. root, user1, user2). Is it possible?
>
> TA.



George
05-20-2005, 01:56 PM
Mikko Rapeli <(E-Mail Removed)> wrote in
news:d6kf4o$7d2$(E-Mail Removed):

> In article <(E-Mail Removed) >,
> Davide Bianchi wrote:
>> On 2005-05-20, George <(E-Mail Removed)> wrote:
>>> Is it possible to use iptables or any other type of filtering for
>>> filtering by user?
>>
>> No. The username isn't in any packets sent by the system.
>> Davide
>
> Oh yes it is possible. man iptables:
>
> ...
> owner
> This module attempts to match various characteristics of
> the packet creator, for locally-generated packets. It is only
> valid in the OUTPUT chain, and even this some packets
> (such as ICMP ping responses) may have no owner, and hence
> never match.
> ...
>
> Combine that with state matching and inbound traffic can be covered as
> well.
>
> -Mikko
>


This one is only for the OUTPUT chain, so I cannot use it with the INPUT one (
Could you explain to me what I should do?

Thanks.

Mikko Rapeli
05-20-2005, 02:16 PM
In article <Xns965CA72337A79newsgmxnet@213.0.184.81>, George wrote:
> This one is only for the OUTPUT chain so cannot use it with INPUT one (
> Could you explain to me what should I do?


Woops, I didn't read the original post - just the later one. For your
needs there really is no packet filtering that will do it. User names
are only transferred after the TCP connection is up, which requires some
IP packet exchange for the three-way handshake.

OpenSSH instead has an AllowUsers option. See man sshd_config for
details.

-Mikko

George
05-20-2005, 04:04 PM
Thanks anyway, I will have a try.

Mikko Rapeli <(E-Mail Removed)> wrote in
news:d6krf2$guu$(E-Mail Removed):

> In article <Xns965CA72337A79newsgmxnet@213.0.184.81>, George wrote:
>> This one is only for the OUTPUT chain so cannot use it with INPUT one
>> ( Could you explain to me what should I do?
>
> Woops, I didn't read the original post - just the later one. For your
> needs there really is no packet filtering that will do it. User names
> are only transferred after the TCP connection is up, which requires some
> IP packet exchange for the three-way handshake.
>
> OpenSSH instead has an AllowUsers option. See man sshd_config for
> details.
>
> -Mikko
>




--
Greetings to all
#
# Against terrorism
#