I may be a touch confused as well. I'm assuming this rule is running on your SSH server box, so the following is based on that assumption. If that is wrong, I'll need to revise things a bit.
Quote:
iptables -A INPUT -i eth1 -p tcp -s 1.1.1.1 --sport 8662 --dport 22 -j ACCEPT
OK, let me break down my understanding of this rule. Essentially it is saying that it will accept any packet arriving from port 8662 on 1.1.1.1 AND is heading for port 22 on this box (assuming this rule is running on the SSH box). That is making an assumption about what your router is doing with the packets arriving on port 8662. Assume a remote SSH client is trying to establish a connection. They would aim for your external IP address and port 8662. However, the client would not be SENDING from port 8662. It could use whatever port is available.
So essentially, by locking down the source port, you're limiting yourself to connections that just happen to originate from port 8662, unless you've also taken steps to make sure they originate from there. And to be honest, there are much better ways of locking down SSH access than specifying source ports.
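To make the point about source ports concrete, here is an added simulation (not code from the thread) of what the quoted rule sees once the router has port-forwarded external port 8662 to port 22 on the SSH box. The addresses, the LAN address of the server and the port-forward setup are all assumptions for the illustration; the only thing taken from the thread is the rule itself and the client address 1.1.1.1. A port forward rewrites the destination address and port of the incoming packet, never the source port, so the only way the rule matches is if the client happened to pick 8662 as its ephemeral source port.

```python
"""Simulate the iptables rule from the thread against inbound SSH connections.

Added illustration, not the poster's code. Models a router doing a port
forward (DNAT: external port 8662 -> internal port 22) followed by the
server's INPUT rule. Addresses are assumptions for the example.
"""
from dataclasses import dataclass, replace
from typing import Optional
import random

SERVER_INTERNAL_IP = "192.168.1.10"  # assumed LAN address of the SSH box
ROUTER_EXTERNAL_IP = "203.0.113.5"   # assumed public address of the router
ROUTER_FORWARD_PORT = 8662           # assumed: external port forwarded to SSH
SSH_PORT = 22


@dataclass(frozen=True)
class Packet:
    src_ip: str
    sport: int
    dst_ip: str
    dport: int
    proto: str = "tcp"
    in_iface: str = "eth1"


@dataclass(frozen=True)
class Rule:
    """Only the match options that appear in the quoted rule are modelled."""
    in_iface: Optional[str] = None
    proto: Optional[str] = None
    src_ip: Optional[str] = None
    sport: Optional[int] = None   # --sport
    dport: Optional[int] = None   # --dport

    def matches(self, pkt: Packet) -> bool:
        checks = [
            (self.in_iface, pkt.in_iface),
            (self.proto, pkt.proto),
            (self.src_ip, pkt.src_ip),
            (self.sport, pkt.sport),
            (self.dport, pkt.dport),
        ]
        # Every option that is set must match; unset options match anything.
        return all(want is None or want == got for want, got in checks)


def router_dnat(pkt: Packet) -> Packet:
    """Port forward on the router: rewrites the destination only."""
    if pkt.dst_ip == ROUTER_EXTERNAL_IP and pkt.dport == ROUTER_FORWARD_PORT:
        return replace(pkt, dst_ip=SERVER_INTERNAL_IP, dport=SSH_PORT)
    return pkt


# The rule quoted in the thread, with the source-port match ...
POSTED_RULE = Rule(in_iface="eth1", proto="tcp", src_ip="1.1.1.1", sport=8662, dport=22)
# ... and the same rule matching on source address and destination port only.
FIXED_RULE = Rule(in_iface="eth1", proto="tcp", src_ip="1.1.1.1", dport=22)


def client_syn(sport: int, src_ip: str = "1.1.1.1") -> Packet:
    """A client's connection attempt as it arrives at the router's public side."""
    return Packet(src_ip=src_ip, sport=sport,
                  dst_ip=ROUTER_EXTERNAL_IP, dport=ROUTER_FORWARD_PORT)


def accepted(rule: Rule, attempts) -> int:
    """How many attempts the server's INPUT rule would ACCEPT after the forward."""
    return sum(1 for p in attempts if rule.matches(router_dnat(p)))


def simulate(n: int = 1000, seed: int = 0) -> dict:
    """Connection attempts from 1.1.1.1 using ordinary ephemeral source ports."""
    rng = random.Random(seed)
    # Default Linux ephemeral range (net.ipv4.ip_local_port_range); never 8662.
    attempts = [client_syn(rng.randint(32768, 60999)) for _ in range(n)]
    return {"posted_rule": accepted(POSTED_RULE, attempts),
            "fixed_rule": accepted(FIXED_RULE, attempts)}


if __name__ == "__main__":
    print(simulate())
```

Running it shows the quoted rule accepting none of the ordinary connection attempts while the rule without `--sport` accepts all of them from 1.1.1.1; a client deliberately binding its source port to 8662 is the only case the original rule lets through, and a client at any other address is still dropped by both.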