
In an SSH server/firewall (192.168.2.3) that has a LAN behind it, say 192.168.2.1/30, will the connection attempts made by the internal machines of the 192.168.2.1/30 network be interpreted by the firewall as incoming or outgoing connections?

If they are read as either incoming or outgoing, must I specify the destination or source address block (192.168.2.1/30)? Or when exactly are the -d or -s options needed?

My understanding is this: if I want those internal machines to make any new connections to the outside world, the rule goes like this:

iptables -A OUTPUT -s 192.168.2.8/30 -m state --state NEW -j ACCEPT

If the SSH server wanted to make new SSH connections to the outside world, the rule would be this:

iptables -A OUTPUT -p tcp --sport 22 -m state --state NEW -j ACCEPT

In this case, should I leave out the SSH server's IP address or include it in the rule?

Many thanks.

1 Answer

INPUT and OUTPUT are defined solely with respect to the system on which iptables is running. To put it another way, iptables doesn't care what sort of systems are on any of its interfaces; it doesn't care whether an interface connects to your trusted LAN, or a DMZ, or a tank full of sharks with laptops.

INPUT always refers to traffic entering an interface from outside, with a view to terminating locally. OUTPUT refers to traffic that originated locally and is about to leave via an interface. FORWARD refers to traffic that's passing in one interface and straight out another.

The first rule you quote above mediates traffic from the 192.168.2.0/30 LAN on one interface to the outside world on another, so that should be in the FORWARD chain. The second mediates traffic from the firewall to the world, so it's OK as it stands.

Though may I add in passing that that's not much of a LAN, and you should probably check that netmask because the firewall has an invalid address in the context of the LAN (it's the broadcast address, which shouldn't be assigned to a single host). See our famous canonical question on ipv4 subnetting for further discussion.

MadHatter
  • When you say `OUTPUT` refers to traffic that originated locally and is about to **leave** via an interface, do you mean traffic that is generated at the firewall or simply traffic that is originating from behind the firewall? A LAN for example. What sort of traffic then warrants an `OUTPUT` rule? – lindows-usr Mar 04 '15 at 18:07
  • `OUTPUT` traffic originates locally, meaning on the firewall itself (eg, a DNS request going out, or a connection request to a foreign server). The firewall *does not know or care* that one of your interfaces has what you consider to be an internal network on it; everything is outside, until configured otherwise. – MadHatter Mar 04 '15 at 18:40
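The chain placement the answer and the follow-up comment describe, worked through as an added example (not code from the question or the answer): the asker's two rules recast so that LAN-originated connections go in FORWARD and only the firewall's own connections in OUTPUT, plus a small helper that picks the chain the way the answer defines it. The interface names, the LAN prefix (taken from the asker's first rule) and the dry-run default are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. IPT defaults to a dry run that only
# prints each rule; run with IPT=iptables as root to apply them.
# Assumed (not stated in the thread): LAN on eth1, upstream on eth0,
# LAN prefix 192.168.2.8/30 as in the asker's first rule.
IPT="${IPT:-echo iptables}"
LAN_NET="192.168.2.8/30"
LAN_IF="eth1"
WAN_IF="eth0"

# FORWARD: packets that arrive on one interface and leave on another.
# New connections from LAN hosts to the outside world belong here, not in
# OUTPUT; -s/-d and -i/-o pin the rule to that LAN and direction.
lan_forward_rules() {
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$LAN_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# OUTPUT: connections the firewall host itself initiates. The firewall's own
# address is implied, so no -s is needed; an outbound SSH client connects to
# the remote port 22 from an ephemeral port, hence --dport rather than --sport.
firewall_output_rules() {
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp --dport 22 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
}

# INPUT: connections that terminate on the firewall, here SSH administration
# accepted from the LAN side only.
firewall_input_rules() {
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Chain selection as the answer states it: destination is one of the
# firewall's own addresses -> INPUT; source is -> OUTPUT; anything else is
# FORWARD. $1 = space-separated local addresses, $2 = source, $3 = destination.
chain_for() {
    case " $1 " in *" $3 "*) echo INPUT; return 0 ;; esac
    case " $1 " in *" $2 "*) echo OUTPUT; return 0 ;; esac
    echo FORWARD
}

lan_forward_rules
firewall_output_rules
firewall_input_rules
```

Run as-is to see the rule set printed; a LAN host's connection to a remote server (neither address local to the firewall) classifies as FORWARD, which is why the asker's first rule never matches in OUTPUT.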