SSH iptables rule

September 26, 2018
Firewall Ubuntu

Can someone please help me to understand why we should set ssh iptables INPUT rule destination port instead of source port?
Why
SSH - iptables -A INPUT -p tcp -s tunnel1private_IP --dport 22 -i eth1 -j ACCEPT

not
iptables -A INPUT -p tcp -s tunnel1private_IP --sport 22 -i eth1 -j ACCEPT

Because for HTTP or HTTPS, we set:
iptables -A INPUT -p tcp -s <some-ip-address> --sport 80 -j ACCEPT

not
iptables -A INPUT -p tcp -s <some-ip-address> --dport 80 -j ACCEPT

1 Answer
unixynet September 26, 2018
Accepted Answer

INPUT is a chain that deals with incoming requests. So you have to shift your perspective to that of someone on the receiving end - the SSH server. I get an external packet from SRC_IP_A, SRC_PORT_A to connect to me at DST_IP_B, DST_PORT_B. So when you have this INPUT rule:

SSH - iptables -A INPUT -p tcp -s tunnel1private_IP --dport 22 -i eth1 -j ACCEPT

You care about where this packet is coming from, which is SRC_IP_A (tunnel1private_IP), and what port it wants to connect to, DST_PORT_B (22).

Why would you care about SRC_PORT_A at all? SRC_PORT_A is a random non-privileged port used by the SSH client to initiate communication with DST_PORT_B - the SSH server.

Once you shift your mind perspective and get some practice with it, it’ll start clicking.
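To make the "receiving end" perspective from the accepted answer concrete, here is an added toy model of INPUT-chain matching; it is example code, not from the post and not iptables itself, and the addresses and ports in it are constructed. It also carries the HTTP example from the question through, to show why --sport 80 is the right match in that mirror-image case where this host is the client.

```python
"""Toy model of iptables INPUT-chain matching (added example, not the
forum post's code). All packets are constructed; no firewall is touched."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str      # where the packet comes from (SRC_IP)
    sport: int    # port the peer sent it from (SRC_PORT)
    dst: str      # our own address (DST_IP)
    dport: int    # port on us the peer is talking to (DST_PORT)


@dataclass(frozen=True)
class Rule:
    """One `iptables -A INPUT -p tcp ...` rule; None means 'not given'."""
    src: Optional[str] = None      # -s
    sport: Optional[int] = None    # --sport
    dport: Optional[int] = None    # --dport
    target: str = "ACCEPT"         # -j

    def matches(self, p: Packet) -> bool:
        checks = ((self.src, p.src), (self.sport, p.sport), (self.dport, p.dport))
        return all(want is None or want == have for want, have in checks)


def input_chain(rules, p: Packet, policy: str = "DROP") -> str:
    """First matching rule decides, as in netfilter; else the chain policy."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


TUNNEL = "10.8.0.2"   # constructed stand-in for tunnel1private_IP
ME = "10.8.0.1"       # constructed stand-in for our eth1 address
DPORT_RULE = Rule(src=TUNNEL, dport=22)   # what the answer recommends
SPORT_RULE = Rule(src=TUNNEL, sport=22)   # what the question proposed

# The SSH client on the tunnel peer opens a connection: it sends from a
# random ephemeral port (SRC_PORT_A) to port 22 on us (DST_PORT_B).
ssh_syn = Packet(src=TUNNEL, sport=51234, dst=ME, dport=22)
stranger_syn = Packet(src="192.0.2.10", sport=51234, dst=ME, dport=22)


def ssh_verdicts() -> dict:
    return {
        "dport_rule/tunnel": input_chain([DPORT_RULE], ssh_syn),        # ACCEPT
        "dport_rule/stranger": input_chain([DPORT_RULE], stranger_syn),  # DROP
        "sport_rule/tunnel": input_chain([SPORT_RULE], ssh_syn),        # DROP: sport is 51234, not 22
    }


# HTTP case from the question: here WE are the client, so what arrives on
# INPUT is the web server's reply, sent FROM port 80 TO our ephemeral port.
WEB = "198.51.100.5"  # constructed web server address
http_reply = Packet(src=WEB, sport=80, dst=ME, dport=40000)


def http_verdict() -> str:
    return input_chain([Rule(src=WEB, sport=80)], http_reply)  # ACCEPT
```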
