Configuring Secure Port Forwarding Policies
Implementing secure port forwarding requires careful server configuration to prevent unauthorized tunnel creation while still enabling legitimate use cases. OpenSSH ships with AllowTcpForwarding yes, so by default any authenticated user can tunnel to any host the server can reach, which turns even a restricted service account into a network pivot. Note the caveat from the sshd_config manual: disabling TCP forwarding does not improve security unless users are also denied shell access, since a user with a shell can always run their own forwarder over the session channel.
Configure global forwarding restrictions in sshd_config. Put the deny-by-default settings before any Match block, because every directive after a Match line belongs to that block until the next Match line or the end of the file:
# /etc/ssh/sshd_config
# Restrictive port forwarding configuration
# Global defaults: deny every kind of forwarding unless a Match block re-enables it
AllowTcpForwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
GatewayPorts no
# X11 forwarding (off by default; keep it off unless it is actually needed)
X11Forwarding no
X11UseLocalhost yes
# Permit specific forwarding per user/group.
# Each Match block extends to the next Match line or end of file.
Match Group developers
    AllowTcpForwarding yes
    # Only these two local-forward destinations; the host is compared as the
    # literal string the client requests, so 127.0.0.1:3306 would be refused
    PermitOpen localhost:3306 localhost:5432
Match Group admins
    AllowTcpForwarding yes
    # Allow any destination for admins
    PermitOpen any
Match User monitoring
    # local = client-requested -L/-D forwards only; -R requests are refused
    AllowTcpForwarding local
    # Only allow specific monitoring ports
    PermitOpen nagios.internal:5666 prometheus.internal:9090
Match User reverse-proxy
    # remote = -R forwards only. PermitOpen does not apply to these; restrict
    # the listener address and port with PermitListen instead, especially
    # with clientspecified, which lets the client bind non-loopback addresses
    AllowTcpForwarding remote
    GatewayPorts clientspecified
Implement granular forwarding controls with PermitOpen. Three rules govern how sshd evaluates it. First, PermitOpen restricts only client-requested local (-L) and dynamic (-D) forwards; listeners created by remote (-R) forwards are governed by PermitListen (OpenSSH 7.8 and later). Second, only the first PermitOpen directive in a scope is honoured, so every permitted destination must appear on that one whitespace-separated line; a second PermitOpen line in the same scope is silently ignored. Third, each entry is an exact host:port match in which the host is compared as the literal string the client requested (localhost and 127.0.0.1 are different entries) and the only wildcard is * for the whole host or the whole port. Port ranges are rejected when the configuration is loaded (sshd -t reports them), and hostname patterns such as *.internal load but never match anything:
# Restrict forwarding destinations
# In sshd_config or Match blocks. Each snippet below is a separate
# alternative: only the first PermitOpen line in a scope is honoured
# Allow specific hosts and ports
PermitOpen database.internal:3306 cache.internal:6379
# Port ranges such as 8000-8999 are not supported; use * to allow
# every port on a single host
PermitOpen webserver.internal:*
# Allow multiple destinations, all on one line
PermitOpen db1.internal:5432 db2.internal:5432 localhost:3000
# Combine with network restrictions. A pattern like *.internal never
# matches, so name each host explicitly; * on its own means any host
Match Address 10.0.0.0/8
    AllowTcpForwarding yes
    PermitOpen database.internal:* cache.internal:* localhost:*
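The following is an added example, not part of the original page or of OpenSSH, that evaluates the per-user policy above and the PermitOpen rules offline. It models the three evaluation rules (Match block scoping, first-value-wins with Match overriding globals, and literal host:port matching with PermitOpen covering only -L/-D while PermitListen covers -R) against a constructed sshd_config condensed from the page. The user names, group names, client addresses and the PermitListen entry for reverse-proxy are assumptions made for the example; Match criteria other than User, Group and Address are not modelled.

```python
"""Offline evaluator for sshd_config forwarding policy (constructed example,
not OpenSSH code). Rules modelled:
  * a Match block runs to the next Match line or EOF and applies when every
    criterion on its line matches the connection;
  * within one scope only the first occurrence of a keyword counts, and a
    value from a matching Match block overrides the global value;
  * PermitOpen limits client-requested local (-L/-D) forwards: the host must
    equal the string the client asked for or be '*', the port must equal the
    requested port or be '*'; remote (-R) binds are limited by PermitListen
    ("[host:]port", a bare port meaning any host).
"""
import fnmatch
import ipaddress


def parse_sshd_config(text):
    """Return (global_opts, [(criteria, opts), ...]); each opts dict keeps the
    first value seen for a keyword in its scope. Full-line comments only."""
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            toks = value.split()
            criteria = {k.lower(): v.split(",") for k, v in zip(toks[::2], toks[1::2])}
            current = {}
            blocks.append((criteria, current))
        else:
            current.setdefault(keyword, value)  # first obtained value wins
    return global_opts, blocks


def _criteria_match(criteria, conn):
    """conn is {'user': str, 'groups': [str], 'addr': str} (assumed shape)."""
    for key, pats in criteria.items():
        if key == "user":
            ok = any(fnmatch.fnmatchcase(conn["user"], p) for p in pats)
        elif key == "group":
            ok = any(fnmatch.fnmatchcase(g, p) for g in conn["groups"] for p in pats)
        elif key == "address":
            ip = ipaddress.ip_address(conn["addr"])
            ok = any(ip in ipaddress.ip_network(p, strict=False) for p in pats)
        else:
            raise ValueError("unsupported Match criterion: " + key)
        if not ok:
            return False
    return True


def effective_options(parsed, conn):
    global_opts, blocks = parsed
    from_match = {}
    for criteria, opts in blocks:
        if _criteria_match(criteria, conn):
            for k, v in opts.items():
                from_match.setdefault(k, v)  # first matching block wins per keyword
    return {**global_opts, **from_match}      # Match values override globals


def _spec_allows(spec, host, port):
    """Shared matcher for PermitOpen and PermitListen entry lists."""
    if spec.strip().lower() == "any":
        return True
    if spec.strip().lower() == "none":
        return False
    for entry in spec.split():
        h, sep, p = entry.rpartition(":")
        if not sep:                # bare port (PermitListen form) means any host
            h, p = "*", entry
        h = h.strip("[]")          # [::1]:22 -> ::1, the form the client sends
        if h in ("*", host) and p in ("*", str(port)):
            return True
    return False


def local_forward_allowed(parsed, conn, host, port):
    eff = effective_options(parsed, conn)
    if eff.get("allowtcpforwarding", "yes").lower() not in ("yes", "all", "local"):
        return False
    return _spec_allows(eff.get("permitopen", "any"), host, port)


def remote_forward_allowed(parsed, conn, bind_host, port):
    eff = effective_options(parsed, conn)
    if eff.get("allowtcpforwarding", "yes").lower() not in ("yes", "all", "remote"):
        return False
    return _spec_allows(eff.get("permitlisten", "any"), bind_host, port)


# Constructed sample condensed from the policy above; the reverse-proxy
# PermitListen line and the second developers PermitOpen line are added here.
SAMPLE_CONFIG = """
AllowTcpForwarding no
Match Group developers
    AllowTcpForwarding yes
    PermitOpen localhost:3306 localhost:5432
    # second PermitOpen in the same scope: ignored by sshd
    PermitOpen localhost:6379
Match Group admins
    AllowTcpForwarding yes
    PermitOpen any
Match User monitoring
    AllowTcpForwarding local
    PermitOpen nagios.internal:5666 prometheus.internal:9090
Match User reverse-proxy
    AllowTcpForwarding remote
    PermitListen 127.0.0.1:8443
Match Address 10.0.0.0/8
    AllowTcpForwarding yes
    PermitOpen database.internal:* localhost:*
"""

if __name__ == "__main__":
    parsed = parse_sshd_config(SAMPLE_CONFIG)
    dev = {"user": "alice", "groups": ["developers"], "addr": "10.0.0.5"}
    print(local_forward_allowed(parsed, dev, "localhost", 3306))          # True
    print(local_forward_allowed(parsed, dev, "127.0.0.1", 3306))          # False: literal host
    print(local_forward_allowed(parsed, dev, "localhost", 6379))          # False: 2nd line ignored
    print(local_forward_allowed(parsed, dev, "database.internal", 3306))  # False: developers block won
    print(remote_forward_allowed(parsed, dev, "0.0.0.0", 8443))           # True: no PermitListen
```

Two results are worth dwelling on. A developer connecting from 10.0.0.5 matches both the Group and the Address block, but the developers block comes first in the file, so its PermitOpen is the one obtained and database.internal is refused. The same developer can still open any -R listener, because the block restricts PermitOpen but sets no PermitListen. On a real host, confirm the effective options for a given connection with sshd -T -C user=monitoring,host=client.example,addr=10.0.0.5 (host and addr here are placeholders) and grep its output for permitopen, permitlisten and allowtcpforwarding.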