Implementing Forwarding Access Controls
Beyond basic configuration, implementing comprehensive access controls ensures port forwarding serves legitimate purposes without exposing sensitive resources. No single check is sufficient on its own, so combine several independent control mechanisms (an allowlist of destinations, time windows, logging) for defense in depth.
Create forwarding authorization scripts:
#!/bin/bash
# /usr/local/bin/check-forwarding-auth
# Verify forwarding authorization before allowing.
# Usage: check-forwarding-auth <destination host:port> <user> <source ip>
FORWARDING_REQUEST="$1"
USER="$2"
SOURCE_IP="$3"
# Log forwarding attempt
logger -t ssh-forwarding "User $USER from $SOURCE_IP requesting: $FORWARDING_REQUEST"
# Reject anything that is not a plain username or host:port before it reaches
# the query: the values are interpolated into SQL text, so unvalidated input
# would turn the authorization check itself into an injection point.
if ! [[ "$USER" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]] || \
   ! [[ "$FORWARDING_REQUEST" =~ ^[A-Za-z0-9.-]+:[0-9]{1,5}$ ]]; then
    logger -t ssh-forwarding "Denied (malformed request): $USER -> $FORWARDING_REQUEST"
    exit 1
fi
# Check against whitelist database. The read-only credentials come from an
# option file (path is an example; keep it readable only by this script's user)
# instead of -p'password' on the command line, where they show up in the
# process list for every local user.
AUTHORIZED=$(mysql --defaults-extra-file=/etc/ssh/forwarding-auth.cnf -D ssh_auth -s -N -e \
"SELECT COUNT(*) FROM forwarding_rules
 WHERE user='$USER'
 AND destination='$FORWARDING_REQUEST'
 AND active=1")
# -ge rather than -eq so duplicate active rules still authorize; if the query
# fails, AUTHORIZED is empty, the test fails, and we fall through to deny.
if [ "$AUTHORIZED" -ge 1 ] 2>/dev/null; then
    logger -t ssh-forwarding "Authorized: $USER -> $FORWARDING_REQUEST"
    exit 0
else
    logger -t ssh-forwarding "Denied: $USER -> $FORWARDING_REQUEST"
    exit 1
fi
Implement time-based forwarding restrictions:
#!/bin/bash
# /usr/local/bin/time-restricted-ssh
# Time-restricted forwarding wrapper: hands off to the real ssh client only
# during business hours. The check uses the server's local time zone.
# 10# forces decimal so hours such as 08 and 09 are not read as octal.
CURRENT_HOUR=$((10#$(date +%H)))
CURRENT_DAY=$(date +%u)   # 1 = Monday ... 7 = Sunday
# Business hours only (Mon-Fri, 8AM-6PM)
if [ "$CURRENT_DAY" -ge 1 ] && [ "$CURRENT_DAY" -le 5 ]; then
    if [ "$CURRENT_HOUR" -ge 8 ] && [ "$CURRENT_HOUR" -lt 18 ]; then
        exec /usr/bin/ssh "$@"
    fi
fi
echo "SSH forwarding is only available during business hours" >&2
exit 1
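The two scripts above each implement one control. The following example, added here and not part of the original page, combines both into a single policy check: the allowlist lookup is done with a parameterized query (so user-supplied values never become part of the SQL text), the destination is parsed strictly as host:port, and the business-hours window is evaluated against an explicit time zone rather than whatever the server's local clock happens to be. The sqlite3 in-memory table, the sample rules, the user/host patterns and the `authorize` function are all assumptions made for this example; the table and column names mirror the page's forwarding_rules schema.

```python
"""Added example (not from the original page): a combined forwarding policy
check. sqlite3 stands in for the page's MySQL table so this runs offline."""
import re
import sqlite3
from datetime import datetime, timezone

# Constructed sample rules: (user, destination, active)
SAMPLE_RULES = [
    ("alice", "db.internal:5432", 1),
    ("alice", "cache.internal:6379", 0),   # inactive rule must not authorize
    ("bob", "db.internal:5432", 1),
]

# Destination must be host:port; hostname labels per RFC 1123 (no spaces,
# quotes or other characters that have no business in a hostname).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DEST_RE = re.compile(rf"^(?P<host>{_LABEL}(?:\.{_LABEL})*):(?P<port>\d{{1,5}})$")
# Same username pattern as the shell script's allowlist check
_USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_destination(dest):
    """Return (lowercased host, port) or None if dest is not well-formed host:port."""
    m = _DEST_RE.match(dest)
    if not m:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    return m.group("host").lower(), port


def build_rules_db(rules=SAMPLE_RULES):
    """Create the in-memory stand-in for the ssh_auth.forwarding_rules table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE forwarding_rules (user TEXT, destination TEXT, active INTEGER)"
    )
    conn.executemany("INSERT INTO forwarding_rules VALUES (?, ?, ?)", rules)
    conn.commit()
    return conn


def destination_allowed(conn, user, destination):
    """Allowlist lookup with bound parameters: the inputs are data, never SQL text."""
    row = conn.execute(
        "SELECT COUNT(*) FROM forwarding_rules "
        "WHERE user = ? AND destination = ? AND active = 1",
        (user, destination),
    ).fetchone()
    return row[0] > 0


def within_business_hours(now, tz=timezone.utc):
    """Mon-Fri, 08:00-17:59 in the given zone; `now` must be timezone-aware."""
    local = now.astimezone(tz)
    return local.isoweekday() <= 5 and 8 <= local.hour < 18


def authorize(conn, user, destination, now, tz=timezone.utc):
    """Evaluate every control; return (allowed, reason) so denials are auditable."""
    if not _USER_RE.match(user):
        return False, "malformed user"
    parsed = parse_destination(destination)
    if parsed is None:
        return False, "malformed destination"
    host, port = parsed
    if not within_business_hours(now, tz):
        return False, "outside business hours"
    if not destination_allowed(conn, user, f"{host}:{port}"):
        return False, "no active rule"
    return True, "ok"


def utc(year, month, day, hour, minute=0):
    """Helper to build an aware UTC timestamp for deterministic checks."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


if __name__ == "__main__":
    db = build_rules_db()
    for args in [("alice", "db.internal:5432", utc(2024, 3, 5, 10)),
                 ("alice", "db.internal:5432", utc(2024, 3, 9, 10)),
                 ("alice", "cache.internal:6379", utc(2024, 3, 5, 10))]:
        print(args[:2], authorize(db, *args))
```

The reason string is what goes into the audit log: a denial that says "malformed destination" versus "outside business hours" tells an analyst whether they are looking at a typo, a user working late, or a probe. Order the checks cheapest-first and fail closed; a database error surfaces as an exception here rather than as an accidental allow.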