Can someone please help me to understand why we should set the SSH iptables INPUT rule on the destination port instead of the source port? Why

SSH - iptables -A INPUT -p tcp -s tunnel_1_private_IP --dport 22 -i eth1 -j ACCEPT

and not

iptables -A INPUT -p tcp -s tunnel_1_private_IP --sport 22 -i eth1 -j ACCEPT

because for HTTP or HTTPS, we set:

iptables -A INPUT -p tcp -s <some-ip-address> --sport 80 -j ACCEPT

not

iptables -A INPUT -p tcp -s <some-ip-address> --dport 80 -j ACCEPT
INPUT is a chain that deals with incoming requests. So you have to shift your perspective to that of someone on the receiving end - the SSH server. I get an external packet from SRC_IP_A, SRC_PORT_A to connect to me at DST_IP_B, DST_PORT_B. So when you have this INPUT rule:
SSH - iptables -A INPUT -p tcp -s tunnel_1_private_IP --dport 22 -i eth1 -j ACCEPT

You care about where this packet is coming from, which is SRC_IP_A (tunnel_1_private_IP), and what port it wants to connect to, DST_PORT_B (22).

Why would you care about SRC_PORT_A at all? SRC_PORT_A is a random non-privileged port used by the SSH client to initiate communication with DST_PORT_B - the SSH server.

Once you shift your perspective and get some practice with it, it'll start clicking.
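The perspective shift in the answer above, worked through as an added example (not code from the original post or from its author). It models the INPUT chain as a first-match rule list and runs the two SSH rules from the question, plus a --sport 80 rule, against constructed packets. All addresses (10.8.0.0/24 for the tunnel, 203.0.113.10 for a remote web server, 10.8.0.1 for the protected host) and port numbers are assumptions made up for the example. It also goes slightly beyond the answer by showing what an INPUT rule with --sport 80 actually admits: replies from a web server's port 80 to a connection this host opened, not inbound requests to a web server running on this host.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the original post). Models the INPUT-chain matching
# the answer describes: the host is the *receiver*, so a packet's dst_port is
# the service being contacted and src_port is the peer's (usually random) port.


@dataclass(frozen=True)
class Packet:
    """A packet as the INPUT chain sees it: it is addressed to this host."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    in_iface: str = "eth1"
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """Subset of iptables matches used on this page: -p, -s, --sport, --dport, -i, -j."""
    target: str
    proto: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    in_iface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        # An unset option matches anything, exactly as an omitted iptables option does.
        checks = (
            (self.proto, pkt.proto),
            (self.src, pkt.src_ip),
            (self.sport, pkt.src_port),
            (self.dport, pkt.dst_port),
            (self.in_iface, pkt.in_iface),
        )
        return all(want is None or want == have for want, have in checks)


def input_verdict(chain: list, pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule decides, as in iptables; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Constructed addresses (assumptions): 10.8.0.0/24 stands in for the tunnel,
# 203.0.113.10 (TEST-NET-3) for a remote web server. The protected host is 10.8.0.1.
TUNNEL_1_PRIVATE_IP = "10.8.0.2"
WEB_SERVER_IP = "203.0.113.10"

# iptables -A INPUT -p tcp -s tunnel_1_private_IP --dport 22 -i eth1 -j ACCEPT
SSH_DPORT_RULE = Rule("ACCEPT", proto="tcp", src=TUNNEL_1_PRIVATE_IP, dport=22, in_iface="eth1")
# iptables -A INPUT -p tcp -s tunnel_1_private_IP --sport 22 -i eth1 -j ACCEPT
SSH_SPORT_RULE = Rule("ACCEPT", proto="tcp", src=TUNNEL_1_PRIVATE_IP, sport=22, in_iface="eth1")
# iptables -A INPUT -p tcp -s <web server> --sport 80 -j ACCEPT
HTTP_SPORT_RULE = Rule("ACCEPT", proto="tcp", src=WEB_SERVER_IP, sport=80)

# Constructed packets (assumptions).
# 1) An SSH client on the tunnel opening a connection to us: ephemeral source port, dst 22.
SSH_SYN_FROM_CLIENT = Packet(TUNNEL_1_PRIVATE_IP, 51514, "10.8.0.1", 22)
# 2) A reply from a web server *we* connected to: its source port is 80, ours is ephemeral.
HTTP_REPLY_FROM_SERVER = Packet(WEB_SERVER_IP, 80, "10.8.0.1", 45032, in_iface="eth0")
# 3) A remote host contacting a web server on *this* host: dst 80, random source port.
HTTP_REQUEST_TO_US = Packet(WEB_SERVER_IP, 40211, "10.8.0.1", 80, in_iface="eth0")


def demo() -> dict:
    """Verdicts for the three packets under the three rules, with a DROP policy."""
    return {
        # --dport 22 admits the SSH client's connection attempt; --sport 22 does not.
        "ssh_syn_dport_rule": input_verdict([SSH_DPORT_RULE], SSH_SYN_FROM_CLIENT),
        "ssh_syn_sport_rule": input_verdict([SSH_SPORT_RULE], SSH_SYN_FROM_CLIENT),
        # --sport 80 only admits traffic *from* a web server's port 80, i.e. replies to
        # our own outbound HTTP requests; it does nothing for inbound requests to our port 80.
        "http_reply_sport_rule": input_verdict([HTTP_SPORT_RULE], HTTP_REPLY_FROM_SERVER),
        "http_request_sport_rule": input_verdict([HTTP_SPORT_RULE], HTTP_REQUEST_TO_US),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26} -> {verdict}")
```

Running it shows the SSH client's SYN accepted by the --dport 22 rule and dropped by the --sport 22 rule, and the --sport 80 rule accepting only the web server's reply, not a request aimed at port 80 on this host. In practice reply traffic like that HTTP response is normally admitted with a stateful rule (-m conntrack --ctstate ESTABLISHED,RELATED) rather than by matching --sport, since a source port is trivially chosen by the sender.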