What ports will an ssh daemon use outbound?
Clash Royale CLAN TAG#URR8PPP
up vote
2
down vote
favorite
I am making a bastion ssh server. When I use the following rules in its ip tables, I am able to connect to the server just fine:
Inbound Rules
- Allow traffic on port 22 from my client's IP
- Block all other traffic
Outbound Rules
- Allow all traffic to my client's IP
- Block all other traffic
My understanding is the server randomly chooses an outbound port to complete the ssh connection when a valid client calls.
- What range of integers does the system select from to choose this
port? - Can I tell my system which range of ports to use?
ssh iptables ip tcp
edited Jun 2 '15 at 22:58
Gilles
516k12210281557
asked Jun 2 '15 at 8:48
StudentsTea
18718
add a comment |Â
up vote
2
down vote
favorite
I am making a bastion ssh server. When I use the following rules in its ip tables, I am able to connect to the server just fine:
Inbound Rules
- Allow traffic on port 22 from my client's IP
- Block all other traffic
Outbound Rules
- Allow all traffic to my client's IP
- Block all other traffic
My understanding is the server randomly chooses an outbound port to complete the ssh connection when a valid client calls.
- What range of integers does the system select from to choose this
port? - Can I tell my system which range of ports to use?
ssh iptables ip tcp
edited Jun 2 '15 at 22:58
Gilles
516k12210281557
asked Jun 2 '15 at 8:48
StudentsTea
18718
add a comment |Â
up vote
2
down vote
favorite
up vote
2
down vote
favorite
I am making a bastion ssh server. When I use the following rules in its ip tables, I am able to connect to the server just fine:
Inbound Rules
- Allow traffic on port 22 from my client's IP
- Block all other traffic
Outbound Rules
- Allow all traffic to my client's IP
- Block all other traffic
My understanding is the server randomly chooses an outbound port to complete the ssh connection when a valid client calls.
- What range of integers does the system select from to choose this
port? - Can I tell my system which range of ports to use?
ssh iptables ip tcp
edited Jun 2 '15 at 22:58
Gilles
516k12210281557
asked Jun 2 '15 at 8:48
StudentsTea
18718
I am making a bastion ssh server. When I use the following rules in its ip tables, I am able to connect to the server just fine:
Inbound Rules
- Allow traffic on port 22 from my client's IP
- Block all other traffic
Outbound Rules
- Allow all traffic to my client's IP
- Block all other traffic
My understanding is the server randomly chooses an outbound port to complete the ssh connection when a valid client calls.
- What range of integers does the system select from to choose this
port? - Can I tell my system which range of ports to use?
ssh iptables ip tcp
ssh iptables ip tcp
edited Jun 2 '15 at 22:58
Gilles
516k12210281557
asked Jun 2 '15 at 8:48
StudentsTea
18718
edited Jun 2 '15 at 22:58
Gilles
516k12210281557
asked Jun 2 '15 at 8:48
StudentsTea
18718
edited Jun 2 '15 at 22:58
Gilles
516k12210281557
edited Jun 2 '15 at 22:58
Gilles
516k12210281557
edited Jun 2 '15 at 22:58
Gilles
516k12210281557
516k12210281557
asked Jun 2 '15 at 8:48
StudentsTea
18718
asked Jun 2 '15 at 8:48
StudentsTea
18718
asked Jun 2 '15 at 8:48
StudentsTea
18718
18718
add a comment |Â
add a comment |Â
2 Answers
2
active
oldest
votes
up vote
6
down vote
accepted
Your understanding is wrong :-). The client will choose a 'tcp-high port' to initiate traffic to the server's target port 22. The server will respond to the clients initiated source port.
For example, the client chooses port 12345 as source port to connect to the servers destination port 22. The server will try to send traffic from it's port 22 to the client on port 12345.
The tcp-high port range is from > 1024 to 65535.
Therefore you should allow RELATED and ESTABLISHED traffic to your client. For example:
IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Ensure that the above rule comes before the 'block all the rest' rule.
answered Jun 2 '15 at 9:00
Lambert
8,68421028
add a comment |Â
up vote
0
down vote
Thanks a lot Lambert. It helped solved most of my problems.
answered 29 secs ago
knowledgeworker
1
New contributor
knowledgeworker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |Â
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
6
down vote
accepted
Your understanding is wrong :-). The client will choose a 'tcp-high port' to initiate traffic to the server's target port 22. The server will respond to the clients initiated source port.
For example, the client chooses port 12345 as source port to connect to the servers destination port 22. The server will try to send traffic from it's port 22 to the client on port 12345.
The tcp-high port range is from > 1024 to 65535.
Therefore you should allow RELATED and ESTABLISHED traffic to your client. For example:
IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Ensure that the above rule comes before the 'block all the rest' rule.
answered Jun 2 '15 at 9:00
Lambert
8,68421028
add a comment |Â
up vote
6
down vote
accepted
Your understanding is wrong :-). The client will choose a 'tcp-high port' to initiate traffic to the server's target port 22. The server will respond to the clients initiated source port.
For example, the client chooses port 12345 as source port to connect to the servers destination port 22. The server will try to send traffic from it's port 22 to the client on port 12345.
The tcp-high port range is from > 1024 to 65535.
Therefore you should allow RELATED and ESTABLISHED traffic to your client. For example:
IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Ensure that the above rule comes before the 'block all the rest' rule.
answered Jun 2 '15 at 9:00
Lambert
8,68421028
add a comment |Â
up vote
6
down vote
accepted
up vote
6
down vote
accepted
Your understanding is wrong :-). The client will choose a 'tcp-high port' to initiate traffic to the server's target port 22. The server will respond to the clients initiated source port.
For example, the client chooses port 12345 as source port to connect to the servers destination port 22. The server will try to send traffic from it's port 22 to the client on port 12345.
The tcp-high port range is from > 1024 to 65535.
Therefore you should allow RELATED and ESTABLISHED traffic to your client. For example:
IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Ensure that the above rule comes before the 'block all the rest' rule.
answered Jun 2 '15 at 9:00
Lambert
8,68421028
Your understanding is wrong :-). The client will choose a 'tcp-high port' to initiate traffic to the server's target port 22. The server will respond to the clients initiated source port.
For example, the client chooses port 12345 as source port to connect to the servers destination port 22. The server will try to send traffic from it's port 22 to the client on port 12345.
The tcp-high port range is from > 1024 to 65535.
Therefore you should allow RELATED and ESTABLISHED traffic to your client. For example:
IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Ensure that the above rule comes before the 'block all the rest' rule.
answered Jun 2 '15 at 9:00
Lambert
8,68421028
edited Jun 2 '15 at 9:07
answered Jun 2 '15 at 9:00
Lambert
8,68421028
answered Jun 2 '15 at 9:00
Lambert
8,68421028
answered Jun 2 '15 at 9:00
Lambert
8,68421028
8,68421028
add a comment |Â
add a comment |Â
up vote
0
down vote
Thanks a lot Lambert. It helped solved most of my problems.
answered 29 secs ago
knowledgeworker
1
New contributor
knowledgeworker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |Â
up vote
0
down vote
Thanks a lot Lambert. It helped solved most of my problems.
answered 29 secs ago
knowledgeworker
1
New contributor
knowledgeworker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |Â
up vote
0
down vote
up vote
0
down vote
Thanks a lot Lambert. It helped solved most of my problems.
answered 29 secs ago
knowledgeworker
1
New contributor
knowledgeworker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Thanks a lot Lambert. It helped solved most of my problems.
answered 29 secs ago
knowledgeworker
1
New contributor
knowledgeworker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 29 secs ago
knowledgeworker
1
New contributor
knowledgeworker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 29 secs ago
knowledgeworker
1
answered 29 secs ago
knowledgeworker
1
1
New contributor
knowledgeworker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
knowledgeworker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
knowledgeworker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f206993%2fwhat-ports-will-an-ssh-daemon-use-outbound%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
