Share

Question

Can someone please help me to understand why we should set ssh iptables INPUT rule destination port instead of source port?
why
SSH - iptables -A INPUT -p tcp -s tunnel1private_IP –dport 22 -i eth1 -j ACCEPT

not
iptables -A INPUT -p tcp -s tunnel1private_IP –sport 22 -i eth1 -j ACCEPT

because for http or https, we set:
iptables -A INPUT -p tcp -s <some-ip-address> –sport 80 -j ACCEPT

not
iptables -A INPUT -p tcp -s <some-ip-address> –dport 80 -j ACCEPT

Answer 1

unixynet September 26, 2018

Accepted Answer

INPUT is a chain that deals with incoming requests. So you have to shift your perspective to that of someone on the receiving end - the SSH server. I get an external packet from SRCIPA, SRCPORTA to connect to me at DSTIPB, DSTPORTB. So when you have this INPUT rule:

SSH - iptables -A INPUT -p tcp -s tunnel1private_IP --dport 22 -i eth1 -j ACCEPT

You care about where this packet is coming, which is SRCIPA (tunnel1privateIP) and what port it wants to connect to DSTPORT_B (22).

Why would you care about the SRCPORTA at all? SRCPORTA is a random non-privileged port used by the SSH client to initiate communication with the DSTPORTB - the SSH server.

Once you shift your mind perspective and get some practice with it, it’ll start clicking.

Reply

mefav September 29, 2018

thanks for the explanation. I think previously I don’t really get how ssh work.

Answer 2

mefav September 29, 2018

thanks for the explanation. I think previously I don’t really get how ssh work.

SSH iptables rule

Leave a Comment

Share

Share your Question

SSH iptables rule

Leave a Comment

Related Questions

Almost there!