How do I restrict an SSH tunnel so that only the non-local/non-LDAP user John can use port 20022?

Alright, let's work through this problem step by step. Since John isn't a local or LDAP user on your gateway, we can't rely on standard system user checks. Instead, we'll combine SSH tunnel-specific access controls and firewall rules to lock down port 20022 exclusively for him.

Solution: Restrict Port 20022 SSH Access to John via His Tunnel

1. Identify John's Tunnel Unique Identifier

First, we need a way to uniquely spot John's tunnel connection to the gateway:

  • If John connects from a static IP address, jot down that IP (e.g., 192.168.1.100)
  • If he uses a dynamic IP, require him to use a unique SSH key pair for the tunnel. We'll use this key to validate his connection later.

2. Configure SSH Server Rules for Port 20022

Edit your gateway's SSH config file at /etc/ssh/sshd_config to create a dedicated rule set for port 20022:

# Keep your existing SSH port (if needed) and add 20022
Port 22
Port 20022

# Apply specific rules only to connections that arrived on port 20022.
# The Match criterion for the listening port is LocalPort (there is no "Port" criterion).
Match LocalPort 20022
    # AllowUsers alone rejects every account that is not listed here. Do not add
    # "DenyUsers *": sshd evaluates DenyUsers before AllowUsers, so it would lock John out too.
    # Option 1: Allow only John's static tunnel source IP
    AllowUsers john@192.168.1.100
    # Option 2: If using SSH keys, point to John's exclusive public key file
    # AuthorizedKeysFile /etc/ssh/john_tunnel_pubkey.pub
    # Force key auth (disable password login for extra security)
    PasswordAuthentication no
    PubkeyAuthentication yes

Note: If John's tunnel is a reverse forward (initiated from his end to the gateway), adjust the Match rule to Match Address 192.168.1.100 LocalPort 20022 so that the source IP and the listening port are tied together explicitly (multiple criteria on one Match line must all be satisfied).
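Two easy mistakes in a block like this are using Port as a Match criterion (sshd only knows LocalPort for the listening port) and pairing DenyUsers * with AllowUsers (sshd evaluates DenyUsers first, so John is locked out as well). The following checker flags both before you restart sshd. It is an added example, not part of the original answer; the minimal sshd_config parser, the check names and the two sample configs are constructed for this illustration and only inspect the Match block itself.

```python
import re
# Criteria sshd accepts on a Match line; the listening port is "LocalPort", not "Port".
VALID_MATCH_CRITERIA = {"user", "group", "host", "localaddress", "localport", "rdomain", "address"}

def parse_sshd_config(text):
    """Minimal parser: list of (match_criteria, settings); the first entry is the global section."""
    blocks = [({}, [])]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Keyword value" or "Keyword=value"
        keyword, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "match":
            tokens = value.split()
            criteria = {k.lower(): v for k, v in zip(tokens[0::2], tokens[1::2])}
            blocks.append((criteria, []))
        else:
            blocks[-1][1].append((keyword, value))
    return blocks

def lint_port_block(text, port):
    """Return findings for the Match block that is meant to guard `port`."""
    findings, target = [], None
    for criteria, settings in parse_sshd_config(text):
        bad = sorted(c for c in criteria if c not in VALID_MATCH_CRITERIA)
        if bad:
            findings.append(f"unknown Match criteria {bad}: use LocalPort for the listening port")
        if str(port) in (criteria.get("localport"), criteria.get("port")):
            target = settings
    if target is None:
        return findings + [f"no Match block for port {port}"]
    effective = {}
    for keyword, value in target:
        effective.setdefault(keyword, value)             # sshd keeps the first occurrence
    if effective.get("denyusers") == "*":
        findings.append("DenyUsers * is evaluated before AllowUsers and locks out John too")
    if "allowusers" not in effective:
        findings.append("no AllowUsers line: any account may log in on this port")
    if effective.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not disabled on this port")
    return findings

# Constructed sample configs: a block with both pitfalls, and a corrected version.
AS_WRITTEN = "Port 22\nPort 20022\nMatch Port 20022\n    DenyUsers *\n    AllowUsers john@192.168.1.100\n    PasswordAuthentication no\n    PubkeyAuthentication yes\n"
CORRECTED = "Port 22\nPort 20022\nMatch LocalPort 20022\n    AllowUsers john@192.168.1.100\n    PasswordAuthentication no\n    PubkeyAuthentication yes\n"

if __name__ == "__main__":
    for name, cfg in (("as written", AS_WRITTEN), ("corrected", CORRECTED)):
        print(name, "->", lint_port_block(cfg, 20022) or ["ok"])
```

Run it against your own file with lint_port_block(open("/etc/ssh/sshd_config").read(), 20022); an empty list means the block has none of the three issues checked.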

3. Add Firewall Rules as a Second Security Layer

Use either iptables or ufw to block all non-John traffic to port 20022:

Using iptables:

# Remove any existing rules for port 20022 (if present)
iptables -D INPUT -p tcp --dport 20022 -j ACCEPT 2>/dev/null
# Allow only John's tunnel source IP to access 20022
iptables -A INPUT -p tcp --dport 20022 -s 192.168.1.100 -j ACCEPT
# Block all other traffic to 20022
iptables -A INPUT -p tcp --dport 20022 -j DROP
# Save the rules (varies by distro: Ubuntu uses `netfilter-persistent save`, CentOS uses `iptables-save > /etc/sysconfig/iptables`)

Using ufw:

# ufw evaluates rules in order and the first match wins, so the allow rule must come
# before the deny rule; otherwise John's connections would be blocked as well.
# Allow John's tunnel source IP to connect to 20022
ufw allow from 192.168.1.100 to any port 20022 proto tcp
# Then deny everyone else access to 20022
ufw deny 20022/tcp
# Reload ufw to apply changes
ufw reload

4. Test the Configuration

  • Restart the SSH service to apply config changes: sudo systemctl restart sshd (or sudo service ssh restart on older systems)
  • Have John test connecting via his tunnel: ssh -p 20022 your_gateway_ip; he should log in without issues
  • Try connecting to port 20022 from another user/IP: you'll get a connection refused (firewall block) or SSH permission denied message

Key Notes to Remember

  • If John uses a dynamic IP, stick to SSH key authentication and store his public key in a dedicated file (don't mix it with other users' keys in authorized_keys)
  • Match blocks in sshd_config override global settings, so place this port-specific rule after any global configs
  • The firewall acts as a safety net: even if the SSH config has a gap, it will block unauthorized access to port 20022

The question comes from Stack Exchange; it was asked by sysmodder.