What ports will an ssh daemon use outbound?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite












I am making a bastion ssh server. When I use the following rules in its ip tables, I am able to connect to the server just fine:



Inbound Rules



  • Allow traffic on port 22 from my client's IP

  • Block all other traffic

Outbound Rules



  • Allow all traffic to my client's IP

  • Block all other traffic

My understanding is the server randomly chooses an outbound port to complete the ssh connection when a valid client calls.



  1. What range of integers does the system select from to choose this
    port?

  2. Can I tell my system which range of ports to use?









share|improve this question



























    up vote
    2
    down vote

    favorite












    I am making a bastion ssh server. When I use the following rules in its ip tables, I am able to connect to the server just fine:



    Inbound Rules



    • Allow traffic on port 22 from my client's IP

    • Block all other traffic

    Outbound Rules



    • Allow all traffic to my client's IP

    • Block all other traffic

    My understanding is the server randomly chooses an outbound port to complete the ssh connection when a valid client calls.



    1. What range of integers does the system select from to choose this
      port?

    2. Can I tell my system which range of ports to use?









    share|improve this question

























      up vote
      2
      down vote

      favorite









      up vote
      2
      down vote

      favorite











      I am making a bastion ssh server. When I use the following rules in its ip tables, I am able to connect to the server just fine:



      Inbound Rules



      • Allow traffic on port 22 from my client's IP

      • Block all other traffic

      Outbound Rules



      • Allow all traffic to my client's IP

      • Block all other traffic

      My understanding is the server randomly chooses an outbound port to complete the ssh connection when a valid client calls.



      1. What range of integers does the system select from to choose this
        port?

      2. Can I tell my system which range of ports to use?









      share|improve this question















      I am making a bastion ssh server. When I use the following rules in its ip tables, I am able to connect to the server just fine:



      Inbound Rules



      • Allow traffic on port 22 from my client's IP

      • Block all other traffic

      Outbound Rules



      • Allow all traffic to my client's IP

      • Block all other traffic

      My understanding is the server randomly chooses an outbound port to complete the ssh connection when a valid client calls.



      1. What range of integers does the system select from to choose this
        port?

      2. Can I tell my system which range of ports to use?






      ssh iptables ip tcp






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Jun 2 '15 at 22:58









      Gilles

      516k12210281557




      516k12210281557










      asked Jun 2 '15 at 8:48









      StudentsTea

      18718




      18718




















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          6
          down vote



          accepted










          Your understanding is wrong :-). The client will choose a 'tcp-high port' to initiate traffic to the server's target port 22. The server will respond to the clients initiated source port.



          For example, the client chooses port 12345 as source port to connect to the servers destination port 22. The server will try to send traffic from it's port 22 to the client on port 12345.



          The tcp-high port range is from > 1024 to 65535.



          Therefore you should allow RELATED and ESTABLISHED traffic to your client. For example:



          IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT


          Ensure that the above rule comes before the 'block all the rest' rule.






          share|improve this answer





























            up vote
            0
            down vote













            Thanks a lot Lambert. It helped solved most of my problems.





            share








            New contributor




            knowledgeworker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.

















              Your Answer







              StackExchange.ready(function()
              var channelOptions =
              tags: "".split(" "),
              id: "106"
              ;
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function()
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled)
              StackExchange.using("snippets", function()
              createEditor();
              );

              else
              createEditor();

              );

              function createEditor()
              StackExchange.prepareEditor(
              heartbeatType: 'answer',
              convertImagesToLinks: false,
              noModals: false,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: null,
              bindNavPrevention: true,
              postfix: "",
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              );



              );













               

              draft saved


              draft discarded


















              StackExchange.ready(
              function ()
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f206993%2fwhat-ports-will-an-ssh-daemon-use-outbound%23new-answer', 'question_page');

              );

              Post as a guest






























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes








              up vote
              6
              down vote



              accepted










              Your understanding is wrong :-). The client will choose a 'tcp-high port' to initiate traffic to the server's target port 22. The server will respond to the clients initiated source port.



              For example, the client chooses port 12345 as source port to connect to the servers destination port 22. The server will try to send traffic from it's port 22 to the client on port 12345.



              The tcp-high port range is from > 1024 to 65535.



              Therefore you should allow RELATED and ESTABLISHED traffic to your client. For example:



              IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT


              Ensure that the above rule comes before the 'block all the rest' rule.






              share|improve this answer


























                up vote
                6
                down vote



                accepted










                Your understanding is wrong :-). The client will choose a 'tcp-high port' to initiate traffic to the server's target port 22. The server will respond to the clients initiated source port.



                For example, the client chooses port 12345 as source port to connect to the servers destination port 22. The server will try to send traffic from it's port 22 to the client on port 12345.



                The tcp-high port range is from > 1024 to 65535.



                Therefore you should allow RELATED and ESTABLISHED traffic to your client. For example:



                IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT


                Ensure that the above rule comes before the 'block all the rest' rule.






                share|improve this answer
























                  up vote
                  6
                  down vote



                  accepted







                  up vote
                  6
                  down vote



                  accepted






                  Your understanding is wrong :-). The client will choose a 'tcp-high port' to initiate traffic to the server's target port 22. The server will respond to the clients initiated source port.



                  For example, the client chooses port 12345 as source port to connect to the servers destination port 22. The server will try to send traffic from it's port 22 to the client on port 12345.



                  The tcp-high port range is from > 1024 to 65535.



                  Therefore you should allow RELATED and ESTABLISHED traffic to your client. For example:



                  IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT


                  Ensure that the above rule comes before the 'block all the rest' rule.






                  share|improve this answer














                  Your understanding is wrong :-). The client will choose a 'tcp-high port' to initiate traffic to the server's target port 22. The server will respond to the clients initiated source port.



                  For example, the client chooses port 12345 as source port to connect to the servers destination port 22. The server will try to send traffic from it's port 22 to the client on port 12345.



                  The tcp-high port range is from > 1024 to 65535.



                  Therefore you should allow RELATED and ESTABLISHED traffic to your client. For example:



                  IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT


                  Ensure that the above rule comes before the 'block all the rest' rule.







                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  edited Jun 2 '15 at 9:07

























                  answered Jun 2 '15 at 9:00









                  Lambert

                  8,68421028




                  8,68421028






















                      up vote
                      0
                      down vote













                      Thanks a lot Lambert. It helped solved most of my problems.





                      share








                      New contributor




                      knowledgeworker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.





















                        up vote
                        0
                        down vote













                        Thanks a lot Lambert. It helped solved most of my problems.





                        share








                        New contributor




                        knowledgeworker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                        Check out our Code of Conduct.



















                          up vote
                          0
                          down vote










                          up vote
                          0
                          down vote









                          Thanks a lot Lambert. It helped solved most of my problems.





                          share








                          New contributor




                          knowledgeworker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.









                          Thanks a lot Lambert. It helped solved most of my problems.






                          share








                          New contributor




                          knowledgeworker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.








                          share


                          share






                          New contributor




                          knowledgeworker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.









                          answered 29 secs ago









                          knowledgeworker

                          1




                          1




                          New contributor




                          knowledgeworker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.





                          New contributor





                          knowledgeworker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.






                          knowledgeworker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.



























                               

                              draft saved


                              draft discarded















































                               


                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function ()
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f206993%2fwhat-ports-will-an-ssh-daemon-use-outbound%23new-answer', 'question_page');

                              );

                              Post as a guest













































































                              Popular posts from this blog

                              How to check contact read email or not when send email to Individual?

                              Displaying single band from multi-band raster using QGIS

                              How many registers does an x86_64 CPU actually have?