Preventing Port Forwarding Abuse

SSH port forwarding can be abused to bypass network segmentation and other security controls, exfiltrate data, or expose internal services as backdoors. Implement preventive measures on the SSH host to detect and block forwarding attempts that are not explicitly authorized.

Deploy iptables rules to restrict forwarding:

#!/bin/bash
# restrict-ssh-forwarding.sh
# Limit SSH forwarding with iptables
set -euo pipefail

# Mark the first packet of each new outbound connection opened by sshd.
# Forwarded connections are opened by sshd on this host, so they are locally
# generated traffic: they traverse the OUTPUT chain, never FORWARD. Marking only
# NEW connections keeps the replies of the SSH session itself (ESTABLISHED) unmarked.
# Note: with OpenSSH privilege separation the post-authentication process runs as
# the logged-in user, so match the user or group whose forwards you want to
# restrict; "sshd" here is the owner used by this page.
iptables -t mangle -A OUTPUT -m owner --uid-owner sshd \
    -m conntrack --ctstate NEW -j MARK --set-mark 0x1

# Rate limit new forwarded connections (must come before the unconditional DROP below)
iptables -A OUTPUT -m mark --mark 0x1 -m conntrack --ctstate NEW \
    -m hashlimit --hashlimit-above 10/min --hashlimit-name ssh-forward \
    -j DROP

# Allow specific forwarded destinations
iptables -A OUTPUT -m mark --mark 0x1 -d 10.0.1.0/24 -j ACCEPT  # Internal DB subnet
iptables -A OUTPUT -m mark --mark 0x1 -d 10.0.2.0/24 -j ACCEPT  # Internal web subnet

# Log and drop other forwarding attempts
iptables -A OUTPUT -m mark --mark 0x1 -j LOG --log-prefix "SSH-FORWARD-DENIED: "
iptables -A OUTPUT -m mark --mark 0x1 -j DROP
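The LOG rule above writes one kernel log line per denied forward. As an added example that is not part of the original page, the following Python script parses such lines (constructed samples, with the page's "SSH-FORWARD-DENIED: " prefix) and reports source/destination pairs that hit the denial repeatedly; the threshold of 3 is an assumption.

```python
import re
from collections import Counter

# Constructed sample of kernel log lines as written by the LOG target
# with the "SSH-FORWARD-DENIED: " prefix (fields shortened for brevity).
SAMPLE_LOG = """\
Mar  4 10:01:02 bastion kernel: SSH-FORWARD-DENIED: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=41234 DPT=443 SYN
Mar  4 10:01:03 bastion kernel: SSH-FORWARD-DENIED: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=41236 DPT=443 SYN
Mar  4 10:01:05 bastion kernel: SSH-FORWARD-DENIED: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=41240 DPT=443 SYN
Mar  4 10:02:11 bastion kernel: SSH-FORWARD-DENIED: IN= OUT=eth0 SRC=10.0.0.7 DST=198.51.100.22 LEN=60 PROTO=TCP SPT=50010 DPT=22 SYN
Mar  4 10:02:12 bastion sshd[2211]: Accepted publickey for alice from 192.0.2.9 port 51022 ssh2
"""

LINE_RE = re.compile(r"kernel: SSH-FORWARD-DENIED: (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")  # LOG fields are KEY=VALUE, VALUE may be empty


def parse_denied(line):
    """Return the KEY=VALUE fields of one denied-forward line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    if "DST" not in fields:
        return None
    return fields


def summarize(log_text, threshold=3):
    """Count denied forwards per (SRC, DST, DPT); return those at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_denied(line)
        if f is None:
            continue
        counts[(f.get("SRC", ""), f["DST"], f.get("DPT", ""))] += 1
    return sorted((k, n) for k, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for (src, dst, dpt), n in summarize(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dpt} denied {n} times")
```

Adding `--log-uid` to the LOG rule makes the owning UID available as a `UID=` field, which the same parser picks up without changes.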

Implement application-layer forwarding controls:

#!/bin/bash
# /usr/local/bin/forwarding-wrapper
# Wrapper script for controlling forwarded connections
set -euo pipefail

FORWARD_TYPE="${1:-}"
SOURCE="${2:-}"
DESTINATION="${3:-}"

# Refuse requests that do not carry the fields we validate
if [[ -z "$FORWARD_TYPE" || -z "$DESTINATION" ]]; then
    logger -t ssh-forward "Denied forward: missing arguments"
    exit 1
fi

# Validate forwarding request
case "$FORWARD_TYPE" in
    "local")
        # Check if destination (host:port) is on the allowlist
        if [[ "$DESTINATION" =~ ^(database\.internal|cache\.internal):[0-9]+$ ]]; then
            logger -t ssh-forward "Approved local forward: $DESTINATION"
        else
            logger -t ssh-forward "Denied local forward: $DESTINATION"
            exit 1
        fi
        ;;
    "remote")
        # Remote forwarding requires additional approval
        logger -t ssh-forward "Remote forward requires approval: $SOURCE -> $DESTINATION"
        exit 1
        ;;
    *)
        # Unknown forward types are denied instead of being passed through
        logger -t ssh-forward "Denied unknown forward type: $FORWARD_TYPE"
        exit 1
        ;;
esac

# Execute forwarding with monitoring
exec /usr/bin/ssh-forward-monitor "$@"