On a Linux cloud machine, I want to set up a learning station for beginners (pubnix/pubunix).
How can I block all internet except for incoming SSH (ssh user@cloudmachine) and except for SSH local port fowarding (ssh -L 8080:localhost:8080 user@cloudmachine, including scp/rsync) for non-root users?
sudo users (me) on the cloud machine should have full access (sudo apt-get install someprogram).
Regular users (my friends) should only be able to use the programs I have pre-installed for them (jq info.json, but curl https://example.com should fail/time out because of no internet, and curl localhost should still work because it doesn't leave the network).
They will send me their public SSH keys and I will set up their home directories.
This is what I have so far:
# allow incoming SSH sessions (ssh user@cloudmachine)
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# allow local port forwarding (ssh -L 8080:localhost:8080 user@cloudmachine)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# allow required ICMP packets
iptables -A INPUT -p icmp -j ACCEPT
# allow all packets for root
iptables -A OUTPUT -m owner --uid-owner root -j ACCEPT
# drop all other packets
iptables -P INPUT DROP
Is this enough to set it up as described above?
ssh -L 8080:localhost:8080 user@cloudmachinelooks like a very peculiar way to provide authentication for a web resource.