LinuxQuestions.org


sarajevo 11-23-2006 07:24 AM

Confusing iptables rule?
 
Hi people,
in the iptables manual I found the following sentence:

iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110
Here is how I understand this ...

in the INPUT chain ACCEPT, DROP ... or else, what comes from source ports
22, 53, 80, 110.
But here is what I do not understand: when some client initiates, for example, an ssh connection, it wants to connect to port 22 on the destination computer.
Let's say it is client A. Client A uses some port different from 22; it uses some random port (correct me if I am wrong)?
Client A wants to log on to port 22 on some client B.
In this context I do not understand the above rule, and it would be very useful if someone could write some explanation. I have the iptables manual and many google materials, but I do not understand this.

Thanks in advance to whoever answers me

Regards

b0uncer 11-23-2006 08:02 AM

Let's add an ACCEPT to the end to make it complete, but you can use DROP or DENY instead if you need it that way. And for this rule to make any sense, let's say that the POLICY of the INPUT chain is set to DROP, for instance. Anyway:

Code:

iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110 -j ACCEPT
Let's consider that rule. Since rules that are applied before it might affect the result, let's assume it's the only rule in an otherwise empty iptables configuration.

The above command would add a new rule to the INPUT chain, that is, for incoming traffic. It states that if the traffic's protocol is tcp, we're going to inspect it further -- otherwise the traffic skips this rule.

Now let's say the incoming traffic is using the tcp protocol -- the multiport option (if I'm right, not 110% sure) lets us specify more than one port number to deal with.

If the incoming traffic was started from one of the mentioned ports (22, 53, 80, 110) then we do something with it -- in the above example we ACCEPT it, letting it go through. This far we should agree, right?

Let's now consider the example of machines A and B, where client A wants to connect to port 22 on B.

1) The above rule is on A. A sends traffic in this example, so that traffic won't go through the INPUT chain, and the rule does nothing (you'd need to use OUTPUT for it).

2) The above rule is on B. A sends traffic to port 22 of B, so the destination port is now 22; the source port, however, is some random port, as you said.

Traffic comes to B, and iptables grabs it in the INPUT chain since it's incoming traffic. It inspects the traffic and sees that it's the tcp protocol -- all right, it inspects the rule further: now the source port was something random (on A), as you said, so iptables tries to see if it matches the given list (22, 53, 80, 110). If the random port A uses is one of the ports mentioned in the list, then the whole rule matches and is applied, thus the traffic is ACCEPTed. However, if the random port is chosen so that it is not one of the ports mentioned in the list, the rule does not match and is not applied -- and if no other rule ACCEPTs the traffic, as in our example none does (we assumed the POLICY to be DROP, with only this one rule added), the traffic gets DROPped rather than ACCEPTed.

Source port is the port where the traffic is coming from, and that port is on the sending machine. Destination port is where the traffic is going to, and that port is on the receiving machine.

So, to cut it short: the above rule is only applied if the traffic is coming from one of the mentioned ports.

sarajevo 11-23-2006 12:29 PM

Thanks for the answer.
As you wrote the rule

iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110 -j ACCEPT

implemented on B will drop packets which originate from ports other than 22, 53, 80, 110. That is clear to me.

But what is the sense of implementing this rule on the destination machine in the INPUT chain, because we cannot force the sender to use one of these ports, and as far as I know they do not use them when starting a connection.
What I want to say is: if I use ssh, dns, http, pop-3 from my machine to connect to port 22, fetch dns information, a web page etc., I do not use port 22, 53, 80 from my machine, I use some random port >1024 (please do not hesitate to correct this if I am wrong). So implementing this rule on the destination machine makes no sense in the INPUT chain, and I cannot understand why it is there in the iptables manual (without -j ACCEPT).

Books, links, manuals are welcome for this discussion.

Thanks
Regards

win32sux 11-23-2006 07:10 PM

yes, most of the time connections will be started using random source ports, so using a --source-port rule wouldn't work... but there are *some* cases in which you do know the source port, such as, let's say for example, with DHCP packets... the DHCP daemon listens on port 67, and the requests should (RFC???) come from port 68... so a rule like this would make sense in this case:
Code:

iptables -A INPUT -p UDP --dport 67 --sport 68 -j ACCEPT
with connections like HTTP or SSH it would be very strange to use source ports in an iptables rule unless you are POSITIVE about the source port/range... like, if you are positive that host 192.168.1.23 will and should only connect via SSH to your box using source ports between 12000 and 19500 (cuz maybe that's the way you've configured it to behave), then a rule like this would be fine:
Code:

iptables -A INPUT -p TCP --dport 22 --sport 12000:19500 -j ACCEPT
just my two cents...
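As an added example (not code from this thread or from the iptables project), here is a small Python model of how packets are checked against the INPUT chain; it covers both b0uncer's multiport --source-port rule with a DROP policy and win32sux's DHCP and pinned-source-port rules. The packets, the 10.0.0.5 address and the ephemeral port 45123 are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Set, List, Dict

@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP
    sport: int   # source port, chosen by the sender (usually random for clients)
    dport: int   # destination port, the service on the receiver

@dataclass
class Rule:
    target: str                         # -j ACCEPT / -j DROP
    proto: Optional[str] = None         # -p tcp / -p udp
    sports: Optional[Set[int]] = None   # --sport N, --sport a:b, or multiport list
    dports: Optional[Set[int]] = None   # --dport N
    src: Optional[str] = None           # -s host

    def matches(self, p: Packet) -> bool:
        # Every match given on the rule must hold, otherwise the rule is skipped.
        return ((self.proto is None or p.proto == self.proto)
                and (self.sports is None or p.sport in self.sports)
                and (self.dports is None or p.dport in self.dports)
                and (self.src is None or p.src == self.src))

def walk_chain(rules: List[Rule], policy: str, p: Packet) -> str:
    """First matching rule decides; if none matches, the chain policy applies."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy

# b0uncer's chain, policy DROP plus:
#   iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110 -j ACCEPT
B0UNCER_CHAIN = [Rule("ACCEPT", proto="tcp", sports={22, 53, 80, 110})]

# win32sux's rules: DHCP (sport 68 -> dport 67) and one host pinned to 12000:19500
WIN32SUX_CHAIN = [
    Rule("ACCEPT", proto="udp", sports={68}, dports={67}),
    Rule("ACCEPT", proto="tcp", sports=set(range(12000, 19501)), dports={22}, src="192.168.1.23"),
]

def verdicts() -> Dict[str, str]:
    ssh_client = Packet("tcp", "10.0.0.5", 45123, 22)   # constructed: ordinary SSH client
    dhcp_req = Packet("udp", "0.0.0.0", 68, 67)         # constructed: DHCP request
    pinned_ssh = Packet("tcp", "192.168.1.23", 15000, 22)
    return {
        "b0uncer/ssh from random port": walk_chain(B0UNCER_CHAIN, "DROP", ssh_client),
        "win32sux/dhcp request": walk_chain(WIN32SUX_CHAIN, "DROP", dhcp_req),
        "win32sux/pinned ssh": walk_chain(WIN32SUX_CHAIN, "DROP", pinned_ssh),
        "win32sux/ssh from random port": walk_chain(WIN32SUX_CHAIN, "DROP", ssh_client),
    }
```

The ordinary SSH client is dropped under both chains because its source port is random, while the DHCP request and the pinned host are accepted only because their source ports are known in advance.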
