Detecting SSH tunnels on a linux firewall

Matthew Walker rorith at
Wed Jan 10 10:13:58 MST 2007

On Wed, January 10, 2007 10:11 am, Dave Long wrote:
> Is it possible to detect SSH tunnels traveling through a Linux
> firewall (iptables).  In other words, how do I detect normal ssh
> communication versus http traffic going through SSH?
> My initial thoughts were that normal SSH traffic would have a specific
> connection and packet rate while other traffic like HTTP going through
> SSH would have a much different connection rate.
> Anyway, I would like to know other ideas.

I'm reasonably certain there's no way to tell. It is, after all,
encrypted. It looks like a normal SSH connection, with traffic flowing
over it. No way to tell what that traffic is.

Matthew Walker
Kydance Hosting & Consulting
LAMP Specialist

More information about the PLUG mailing list