4

I am making a bastion ssh server on CentOS 7 in an AWS EC2 instance. When I use the following rules in its ACL, I am able to connect to the server just fine:

Inbound Rules

  • Allow traffic on port 22 from my client's IP
  • Block all other traffic

Outbound Rules

  • Allow all traffic to my client's IP
  • Block all other traffic

AWS ACL rules are a crude parallel to iptables; they are probably nothing more than a simplified web interface to a set of iptable rules implemented in Amazon's cloud infrastructure.

My understanding is that the Outbound Rules set is applied to any packet going out of the server--regardless of which end of the connection initiated the connection.

Furthermore, my understanding is that when using a connection initiated by the client, my ssh server will only send ssh traffic over port 22.

But when I use the following rule set, I am no longer able to connect to my server via ssh:

Inbound Rules

  • Allow traffic on port 22 from my client's IP
  • Block all other traffic

Outbound Rules

  • Allow traffic on port 22 to my client's IP
  • Block all other traffic

All other features of AWS that can block traffic have been set to allow all traffic; iptables have been set to allow all traffic in the instance's operating system, as well.

Why can't my client establish an SSH connection when outbound traffic on the server is restricted to port 22?

Improve this question
2
  • Please update your question with the actual ruleset (iptables-save or iptables -nL output) you have defined. Commented Jun 2, 2015 at 9:39
  • I'm using AWS' ACL feature, so the actual rule set really is just those four things: SSH, 22, an IP with CIDR, allow or deny. So, the ruleset is what is posted above with a little HTML to make it look nice in a browser. Commented Jun 2, 2015 at 9:44

1 Answer 1

Reset to default
7

ACL in AWS is a stateless firewall, that means it treats all the requests (inbound or outbound) as independent connections. Hence, if you are trying to allow the port 22 of the server reachable from the client, you need to enable both (inbound to port 22 of the server + outbound to the random [1024-65535] port of the client) sides' connections.

Whereas, if you are dealing with "Security Groups", you only need to allow the inbound to port 22. Its just because "Security Group" is a statefull firewall and it keeps track of the inbound connection, therefore you need not explicitly allow the outbound connection to the client's random [1024-65535] port.

Improve this answer
4
  • Will a client initiating HTTP and HTTPS connections also randomly choose a local port in the [1024-65535] range? Commented Jun 2, 2015 at 12:16
  • 1
    The port range [1024-65535] is the range used by the client programs, as the range [0-1024] is used for server programs. Every time, the client program chooses some random port, in order to connect to the server. Both the connections, HTTP & HTTPS will use different ports. Commented Jun 2, 2015 at 12:21
  • Does port 1024 belong to the client range or the server range? Commented Jun 2, 2015 at 12:49
  • 1
    Client, by default. Commented Jun 2, 2015 at 13:54

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.