Re: allow login from specific address
On 2006-09-21, Sylvain Ferriol <sferriol@imag.fr> wrote:
> Todd H. wrote:
[...]
>> If you want to allow a forward connection from internet to intranet on
>> the gateway to set up that port forwarding, you can't prohibit "a user
>> from internet can not login the ssh_gateway."
> why ?
>>
>> Or are you saying you want to allow this port forwarding, but no
>> interactive login shells from internet users?
>>
> yes
There's a couple of new features in OpenSSH 4.4 (and newer) that could
help here: "PermitOpen" which controls which portforwards are allowed and
"Match" which can apply those restrictions to a subset of connections.
So assuming your local net is 192.168.0.0/24 and you wanted to allow any
commands or forwards from connections originating from it, this would
be something like
Match Address 192.168.0.*
    PermitOpen any
Match Address *
    PermitOpen 1.2.3.4:44444
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
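An added illustration, not part of the thread or of OpenSSH's own code, of how the snippet above resolves for a given client address: a small Python model of the Match/PermitOpen rules, assuming the semantics sshd_config(5) documents (matching Match blocks override the global section, and only the first value seen for a keyword is kept). `address_matches` also accepts CIDR patterns, which later OpenSSH releases added; the config text is a constructed copy of the posted snippet.

```python
import fnmatch
import ipaddress

# Constructed sshd_config fragment, copied from the snippet in the post.
SSHD_CONFIG = """\
Match Address 192.168.0.*
    PermitOpen any
Match Address *
    PermitOpen 1.2.3.4:44444
"""


def address_matches(pattern: str, addr: str) -> bool:
    """Match a client IP against one 'Match Address' pattern.
    Wildcards (*, ?) as in the 4.4 era; CIDR as added in later releases."""
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return fnmatch.fnmatchcase(addr, pattern)


def effective_permitopen(config: str, client_addr: str) -> list:
    """Return the PermitOpen list sshd would apply to a connection from
    client_addr. Assumption (per sshd_config(5)): values from matching Match
    blocks override the global section, and for each keyword only the first
    value encountered is used. Only the 'Address' criterion is modelled."""
    global_val, match_val, in_match, active = [], [], False, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key == "Match":
            in_match = True
            crit, _, pats = rest.strip().partition(" ")
            active = crit == "Address" and any(
                address_matches(p, client_addr) for p in pats.split(","))
        elif key == "PermitOpen":
            if not in_match:
                global_val = global_val or rest.split()   # first global value wins
            elif active and not match_val:
                match_val = rest.split()                  # first Match value wins
    return match_val or global_val


def forward_allowed(permitopen: list, host: str, port: int) -> bool:
    """Would a -L/-R style forward to host:port be accepted under this list?
    'any' permits everything, 'none' (later releases) or an empty list permits
    nothing, otherwise the exact host:port must be listed."""
    if permitopen == ["any"]:
        return True
    if not permitopen or permitopen == ["none"]:
        return False
    return f"{host}:{port}" in permitopen
```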