IPTABLES frustration

vonedaddy · 02-26-2010, 12:16 PM

I am fairly new to playing with iptables although I have been using linux for a couple years. Can someone please help me here?

I have port 8662 open on my router forwarding to my linux server. I want to allow ssh connections from a certain IP address to come in on 8662 and be forward to port 22 on eth1 on my linux server.

This is the iptables command I have used without any luck:

iptables -A INPUT -i eth1 -p tcp -s 1.1.1.1 --sport 8662 --dport 22 -j ACCEPT

(ip address replaced for obvious reasons)

From what I have read this SHOULD do it, although traffic is still blocked.

Anyone?

Hangdog42 · 02-26-2010, 12:35 PM

Quote:

--sport 8662

I think you're confusing input ports and output ports. Just because your router is receiving SSH on port 8662 doesn't mean that it will forward from that port. If you eliminate this, it will probably work. Besides, I don't think that locking down the source port really gets you much from a security perspective.

vonedaddy · 02-26-2010, 12:38 PM

I am not sure I am following. Any incoming ssh connections on the router will be forwarded to the box on port 8862. Do I not have to tell my linux machine that the source port will be 8662?

Thanks for answering by the way!

Hangdog42 · 02-26-2010, 12:58 PM

I may be a touch confused as well. I'm assuming this rule is running on your SSH server box, so the following is based on that assumption. If that is wrong, I'll need to revise things a bit.

Quote:

ptables -A INPUT -i eth1 -p tcp -s 1.1.1.1 --sport 8662 --dport 22 -j ACCEPT

OK, let me break down my understanding of this rule. Essentially it is saying that it will accept any packet arriving from port 8662 on 1.1.1.1 AND is heading for port 22 on this box (assuming this rule is running on the SSH box). That is making an assumption about what your router is doing with the packets arriving on port 8662. Assume a remote SSH client is trying to establish a connection. They would aim for your external IP address and port 8662. However, the client would not be SENDING from port 8662. It could use whatever port is available.

So essentially, by locking down the source port, you're limiting yourself to connections that just happen to originate from port 8662, unless you've also taken steps to make sure they originate from there. And to be honest, there are much better ways of locking down SSH access than specifying source ports.

vonedaddy · 02-26-2010, 01:44 PM

Ok, now I have a MUCH better understanding of what I am doing here. Thank you so much for your time!