What ports will an ssh daemon use outbound?
2 votes
I am making a bastion ssh server. When I use the following rules in its iptables, I am able to connect to the server just fine:
Inbound Rules
- Allow traffic on port 22 from my client's IP
- Block all other traffic
Outbound Rules
- Allow all traffic to my client's IP
- Block all other traffic
My understanding is the server randomly chooses an outbound port to complete the ssh connection when a valid client calls.
- What range of integers does the system select from to choose this port?
- Can I tell my system which range of ports to use?
Tags: ssh, iptables, ip, tcp
edited Jun 2 '15 at 22:58
Gilles
asked Jun 2 '15 at 8:48
StudentsTea
2 Answers
6 votes, accepted
Your understanding is wrong :-). The client will choose a 'tcp-high port' to initiate traffic to the server's target port 22. The server will respond to the client's initiated source port.
For example, the client chooses port 12345 as source port to connect to the server's destination port 22. The server will try to send traffic from its port 22 to the client on port 12345.
The tcp-high port range is from > 1024 to 65535.
Therefore you should allow RELATED and ESTABLISHED traffic to your client. For example:
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Ensure that the above rule comes before the 'block all the rest' rule.
edited Jun 2 '15 at 9:07
answered Jun 2 '15 at 9:00
Lambert
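The ruleset the accepted answer describes, written out as an added example (this is not code from the original question or from Lambert's answer). It prints the rules instead of applying them so they can be reviewed first; the client address 203.0.113.10 is a constructed placeholder, and the explicit trailing DROP rules stand in for the asker's "block all other traffic" lines. The helper functions check the two things the answer turns on: that the conntrack ACCEPT is listed before the catch-all DROP, and that a reply to the client's chosen source port never needs its own rule. ephemeral_range reads net.ipv4.ip_local_port_range, the Linux sysctl that sets the client-side range the answer is talking about; on the bastion it only matters for connections the bastion itself initiates.

```sh
#!/bin/sh
# Added example: bastion firewall rules matching the accepted answer.
# Not from the original post. 203.0.113.10 is a constructed placeholder.

# Print the ruleset for the given client address. Replies to an accepted
# connection are matched by conntrack state, so the client's ephemeral
# source port (12345 in the answer's example) needs no rule of its own.
bastion_rules() {
    client="$1"
    cat <<EOF
iptables -F INPUT
iptables -F OUTPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Conntrack rules first: return traffic of accepted connections is allowed
# regardless of which high port the client picked.
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Only new inbound SSH from the client; dport 22 is the only fixed port.
iptables -A INPUT -p tcp -s $client --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# "Block all other traffic" comes last, after the conntrack rules.
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
EOF
}

# Succeed only if the INPUT conntrack ACCEPT precedes the INPUT catch-all
# DROP in the given ruleset text (the ordering the answer insists on).
conntrack_before_drop() {
    printf '%s\n' "$1" | awk '
        /^iptables -A INPUT .*--ctstate RELATED,ESTABLISHED/ && !c { c = NR }
        /^iptables -A INPUT -j DROP/ && !d { d = NR }
        END { exit !(c && d && c < d) }'
}

# port_in_range LOW HIGH PORT: succeed if LOW <= PORT <= HIGH.
# With 1025 65535 this is the "tcp-high" range the answer quotes.
port_in_range() {
    [ "$3" -ge "$1" ] && [ "$3" -le "$2" ]
}

# Show the local ephemeral source-port range on Linux. This is the range a
# Linux *client* picks from, which is what the question was really asking.
ephemeral_range() {
    f=/proc/sys/net/ipv4/ip_local_port_range
    if [ -r "$f" ]; then
        tr '\t' ' ' < "$f"
    else
        echo "unavailable"
    fi
}

# Usage: review the output, then apply it with: bastion_rules 203.0.113.10 | sh
bastion_rules "${CLIENT_IP:-203.0.113.10}"
echo "local ephemeral range: $(ephemeral_range)"
```

The OUTPUT chain above allows only replies, so anything the bastion itself must initiate (onward SSH to internal hosts, DNS, package updates) needs its own `--ctstate NEW` rule placed before the OUTPUT DROP; the same ordering rule applies there.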
0 votes
Thanks a lot Lambert. It helped solve most of my problems.
answered 29 secs ago
knowledgeworker