Question

SSH iptables rule

Posted September 26, 2018
Ubuntu Firewall

Can someone please help me understand why we should set the SSH iptables INPUT rule on the destination port instead of the source port?
Why
SSH - iptables -A INPUT -p tcp -s tunnel1private_IP --dport 22 -i eth1 -j ACCEPT

and not
iptables -A INPUT -p tcp -s tunnel1private_IP --sport 22 -i eth1 -j ACCEPT

because for HTTP or HTTPS we set:
iptables -A INPUT -p tcp -s <some-ip-address> --sport 80 -j ACCEPT

and not
iptables -A INPUT -p tcp -s <some-ip-address> --dport 80 -j ACCEPT


1 answer

INPUT is a chain that deals with incoming requests. So you have to shift your perspective to that of someone on the receiving end - the SSH server. I get an external packet from SRCIPA, SRCPORTA to connect to me at DSTIPB, DSTPORTB. So when you have this INPUT rule:

SSH - iptables -A INPUT -p tcp -s tunnel1private_IP --dport 22 -i eth1 -j ACCEPT

You care about where this packet is coming from, which is SRCIPA (tunnel1private_IP), and what port it wants to connect to, DSTPORTB (22).

Why would you care about the SRCPORTA at all? SRCPORTA is a random non-privileged port used by the SSH client to initiate communication with the DSTPORTB - the SSH server.

Once you shift your mind perspective and get some practice with it, it’ll start clicking.
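To make the receiver's-eye view concrete, here is a small Python simulation (added here, not part of the original answer) of how an INPUT rule's -s, --sport, --dport and -i options are applied to inbound packets; the addresses, interface names and ephemeral ports are constructed placeholders. It also covers the HTTP rule from the question: an INPUT rule with --sport 80 matches replies coming back from a remote web server, whereas requests arriving at your own web server carry dport 80.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """One inbound packet as the INPUT chain sees it (receiver's perspective)."""
    src_ip: str
    sport: int
    dst_ip: str
    dport: int
    iface: str


@dataclass(frozen=True)
class Rule:
    """The subset of an iptables TCP rule used on this page: -s, --sport, --dport, -i."""
    src: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    iface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        # Every option present in the rule must match; an omitted option matches anything.
        return (
            (self.src is None or pkt.src_ip == self.src)
            and (self.sport is None or pkt.sport == self.sport)
            and (self.dport is None or pkt.dport == self.dport)
            and (self.iface is None or pkt.iface == self.iface)
        )


# Constructed sample values (placeholders, not from the original post).
ME, PEER, WEB = "10.8.0.1", "10.8.0.2", "203.0.113.10"

# SSH client on the tunnel peer opens a connection to our sshd: random sport, dport 22.
NEW_SSH_CONN = Packet(PEER, 51234, ME, 22, "eth1")
# A packet *from* a remote sshd on the peer answering our own client: sport 22.
REPLY_FROM_REMOTE_SSHD = Packet(PEER, 22, ME, 51234, "eth1")

SSH_DPORT_RULE = Rule(src=PEER, dport=22, iface="eth1")   # the rule from the question
SSH_SPORT_RULE = Rule(src=PEER, sport=22, iface="eth1")   # the alternative asked about

# HTTP: a reply from the remote web server vs. a request hitting our own web server.
REPLY_FROM_WEB_SERVER = Packet(WEB, 80, ME, 40000, "eth0")
REQUEST_TO_OUR_WEB_SERVER = Packet(WEB, 40000, ME, 80, "eth0")
HTTP_SPORT_RULE = Rule(src=WEB, sport=80)
HTTP_DPORT_RULE = Rule(src=WEB, dport=80)


def which_rules_accept(pkt: Packet, rules: dict) -> list:
    """Return the names of the rules (in chain order) that would ACCEPT this packet."""
    return [name for name, rule in rules.items() if rule.matches(pkt)]
```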
