Can someone please help me to understand why we should set the SSH iptables INPUT rule on the destination port instead of the source port?

Why

SSH - iptables -A INPUT -p tcp -s tunnel1private_IP --dport 22 -i eth1 -j ACCEPT

and not

iptables -A INPUT -p tcp -s tunnel1private_IP --sport 22 -i eth1 -j ACCEPT

because for http or https, we set:

iptables -A INPUT -p tcp -s <some-ip-address> --sport 80 -j ACCEPT

and not

iptables -A INPUT -p tcp -s <some-ip-address> --dport 80 -j ACCEPT

1 answer

INPUT is a chain that deals with incoming requests. So you have to shift your perspective to that of someone on the receiving end - the SSH server. I get an external packet from SRCIP_A, SRCPORT_A to connect to me at DSTIP_B, DSTPORT_B. So when you have this INPUT rule:

SSH - iptables -A INPUT -p tcp -s tunnel1private_IP --dport 22 -i eth1 -j ACCEPT

You care about where this packet is coming from, which is SRCIP_A (tunnel1private_IP), and what port it wants to connect to, DSTPORT_B (22).

Why would you care about SRCPORT_A at all? SRCPORT_A is a random non-privileged port used by the SSH client to initiate communication with DSTPORT_B - the SSH server.

Once you shift your mind perspective and get some practice with it, it’ll start clicking.
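The matching described in the answer, as an added illustration that is not part of the original question or answer: a toy model of how an INPUT rule's `-s`, `--sport` and `--dport` options are compared against an incoming TCP packet. `Packet` and `Rule` are simplified stand-ins for iptables (no interface or conntrack matching), and every address and port below is a constructed sample value (`10.8.0.2` stands in for `tunnel1private_IP`, `203.0.113.10` for `<some-ip-address>`). It goes one step beyond the question by also evaluating the HTTP rules, which shows that the `--sport 80` rule only fits a host acting as an HTTP *client* receiving replies, while a host *serving* HTTP needs `--dport 80`, exactly as SSH needs `--dport 22`.

```python
"""Toy model of how an iptables INPUT rule's -s / --sport / --dport options
match an incoming TCP packet.

Added illustration, not code from the original question or answer. Rule and
Packet are simplified stand-ins for iptables' matching (no conntrack, no
interface match); every address and port below is a constructed sample value.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Packet:
    """The fields of an incoming TCP segment that the rules below look at."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """One INPUT rule: -p tcp [-s SRC] [--sport N] [--dport N] -j ACCEPT."""
    src_ip: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # Every option present must agree with the packet; absent options match anything.
        if self.src_ip is not None and pkt.src_ip != self.src_ip:
            return False
        if self.sport is not None and pkt.src_port != self.sport:
            return False
        if self.dport is not None and pkt.dst_port != self.dport:
            return False
        return True


# Constructed sample addresses (RFC 1918 / RFC 5737 ranges).
ME = "10.8.0.1"              # this host, the one whose INPUT chain we model
TUNNEL_PEER = "10.8.0.2"     # stands in for tunnel1private_IP in the question
WEB_SERVER = "203.0.113.10"  # stands in for <some-ip-address> in the HTTP rule
EPHEMERAL = 51234            # a client-side source port picked by the kernel

# The four candidate rules from the question, as data.
SSH_DPORT_RULE = Rule(src_ip=TUNNEL_PEER, dport=22)   # ... --dport 22
SSH_SPORT_RULE = Rule(src_ip=TUNNEL_PEER, sport=22)   # ... --sport 22
HTTP_SPORT_RULE = Rule(src_ip=WEB_SERVER, sport=80)   # ... --sport 80
HTTP_DPORT_RULE = Rule(src_ip=WEB_SERVER, dport=80)   # ... --dport 80


def ssh_connect_from_peer() -> Packet:
    """What the SSH *server* sees: peer's ephemeral port -> our port 22."""
    return Packet(TUNNEL_PEER, EPHEMERAL, ME, 22)


def http_reply_from_server() -> Packet:
    """What an HTTP *client* sees: server's port 80 -> our ephemeral port."""
    return Packet(WEB_SERVER, 80, ME, EPHEMERAL)


def http_request_to_us() -> Packet:
    """What an HTTP *server* would see: someone's ephemeral port -> our port 80."""
    return Packet(WEB_SERVER, EPHEMERAL, ME, 80)


def evaluate() -> Dict[str, Dict[str, bool]]:
    """Run each sample packet against the pair of rules that concerns it."""
    ssh = ssh_connect_from_peer()
    reply = http_reply_from_server()
    req = http_request_to_us()
    return {
        "ssh_connect": {
            "dport_22": SSH_DPORT_RULE.matches(ssh),     # True: we are the SSH server
            "sport_22": SSH_SPORT_RULE.matches(ssh),     # False: a client never sends from 22
        },
        "http_reply": {
            "sport_80": HTTP_SPORT_RULE.matches(reply),  # True: the reply comes *from* port 80
            "dport_80": HTTP_DPORT_RULE.matches(reply),  # False: it is aimed at our ephemeral port
        },
        "http_request": {
            "sport_80": HTTP_SPORT_RULE.matches(req),    # False: request comes from an ephemeral port
            "dport_80": HTTP_DPORT_RULE.matches(req),    # True: the rule a host *serving* HTTP needs
        },
    }


if __name__ == "__main__":
    for scenario, outcome in evaluate().items():
        print(scenario, outcome)
```

Run as a script it prints one line per scenario. Note that the `--sport 80` form trusts a value the remote side chooses: any sender can set its source port to 80, so on a stateful firewall return traffic is normally admitted with `-m conntrack --ctstate ESTABLISHED,RELATED` rather than by matching the peer's source port.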
