I'd like to make a git-daemon go through a permanent ssh tunnel. I accomplished this task. How do I block any remote untunneled connection to the GIT_DAEMON port (9418 in my case)?
I already tried simple rules in iptables (block everything except localhost):
$ iptables -A INPUT -p tcp -d ! localhost --destination-port 9418 -j DROP
But it also blocks the tunnel (since it preserves the source IP address). If I had another host to use as a firewall, this could simply be done by blocking any remote connection to this port, but I need this host to do the job.
The tunnel is created in one of two ways:
For Windows:
plink.exe -N -i <key> -L 127.0.0.1:9418:192.168.1.69:9418 [email protected]
For Linux:
ssh -N -i <key> -L 127.0.0.1:9418:192.168.1.69:9418 [email protected]
You can actually achieve this without using iptables at all, by simply making git-daemon bind to the loopback interface, e.g.
git daemon --listen=127.0.0.1
This will make it so it is only connectable from localhost, and does not require root privileges to set up.
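As an added check (not part of either answer and not the page's own code): a small POSIX sh script that parses `ss -ltn` output and confirms that the git-daemon port is bound to loopback addresses only, so the binding can be verified before relying on it. It assumes `ss` from iproute2 is installed; the listener tables it tests against are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the git-daemon port
# listens on loopback only, i.e. that `git daemon --listen=127.0.0.1` really
# left nothing reachable from other interfaces. Input is `ss -ltn` output
# (State Recv-Q Send-Q Local:Port Peer:Port); the header line is skipped.

# port_loopback_only SS_OUTPUT PORT
#   returns 0 if every LISTEN socket on PORT is bound to 127.0.0.0/8 or ::1,
#   1 if one is bound to a non-loopback address, 2 if nothing listens on PORT.
port_loopback_only() {
    port=$2
    found=0
    exposed=0
    while read -r state _rq _sq laddr _peer _rest; do
        [ "$state" = "LISTEN" ] || continue
        # Port is what follows the last colon; "[::]:9418" keeps its brackets.
        [ "${laddr##*:}" = "$port" ] || continue
        addr=${laddr%:*}
        found=1
        case "$addr" in
            127.*|'[::1]'|'[::ffff:127.'*) ;;   # loopback, as intended
            *) exposed=1 ;;                      # 0.0.0.0, *, [::] or a LAN address
        esac
    done <<EOF
$1
EOF
    [ "$found" -eq 1 ] || return 2
    [ "$exposed" -eq 0 ] || return 1
    return 0
}

# Constructed sample listener tables (not taken from a real host).
SAMPLE_OK='LISTEN 0 128 127.0.0.1:9418 0.0.0.0:*
LISTEN 0 128 [::1]:9418 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_EXPOSED='LISTEN 0 128 127.0.0.1:9418 0.0.0.0:*
LISTEN 0 128 *:9418 *:*'

# Live check, e.g. `sh check_git_port.sh 9418` on the git host.
if [ $# -gt 0 ]; then
    if port_loopback_only "$(ss -ltn 2>/dev/null)" "$1"; then
        echo "port $1: loopback only"
    else
        rc=$?
        if [ "$rc" -eq 2 ]; then echo "port $1: nothing listening"
        else echo "port $1: EXPOSED on a non-loopback address"; fi
    fi
fi
```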
You might try this (untested):
# accept localhost
iptables -A INPUT -p tcp -d localhost --destination-port 9418 -j ACCEPT
# send everyone else packing
iptables -A INPUT -p tcp --destination-port 9418 -j DROP
Using that, iptables -L says:
ACCEPT tcp -- anywhere localhost.localdomain tcp dpt:git
DROP tcp -- anywhere anywhere tcp dpt:git
EDIT
This is (probably) how your tunnel should be set up:
ssh -N -i <key> -L 127.0.0.1:9418:127.0.0.1:9418 [email protected]
It's important that the second half is 127.0.0.1 and NOT a normal IP.