iptables -A INPUT -p tcp --dport ssh -i eth0 -j ACCEPT

In this example, you have told netfilter that you want to append (-A) a rule to the INPUT chain, specifying the TCP protocol (-p tcp), with a destination port (--dport) of ssh (port 22), incoming (-i) on the eth0 interface, and finally that you want to ACCEPT the packet (-j ACCEPT). The -j parameter means "jump to a target." Remember that netfilter rules are in a chain, so you are saying, "Stop processing this chain because you have a match, and jump to the target." In this case, ACCEPT is the target.

The --dport parameter can take either a numerical port number or a service name that is specified in /etc/services.

When setting up a rule for connections, you really need to know how the protocol works. In the case of SSH, it is well known that it is a TCP protocol, running on port 22. With this in mind, it is relatively easy to write a rule for it.

How you write the rule with respect to connection state is up to you. Because the initial INPUT state rule has already allowed all ESTABLISHED and RELATED connections, you do not need to set the state to NEW explicitly: by not specifying a state at all, you have effectively allowed every connection state for SSH.

When you do not specify something explicitly with an iptables rule, it is assumed that you want the default setting. For example, if you did not set the interface for the incoming connection, netfilter would have allowed an SSH connection on all network interfaces. This is indeed the same for the protocol type and the destination port. Be very careful how you write your rules, and make sure you explicitly set everything you want to control; otherwise you will probably let in more than you think.

For any incoming connections you want to have on a firewall, you can append a rule in the same way you did with the SSH connection.
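Putting the above together, as an added example that is not from the book: a small POSIX shell script that resolves a service name to its port the way --dport does (from an embedded, constructed excerpt standing in for /etc/services) and emits a fully explicit INPUT rule set for SSH on one interface. Stating the NEW state and using the conntrack match are this example's choices for explicitness, not something the book's rule requires.

```shell
#!/bin/sh
# Added example, not code from the book: build an explicit INPUT policy that
# admits SSH only on one interface. SERVICES_SAMPLE is a constructed excerpt
# standing in for /etc/services so the script runs offline without root.

SERVICES_SAMPLE='ssh             22/tcp
ssh             22/udp
http            80/tcp
https           443/tcp'

# resolve_port NAME PROTO -> port number; a numeric NAME is returned unchanged,
# a service name is looked up by name and protocol, unknown names yield nothing.
resolve_port() {
    name="$1"; proto="$2"
    case "$name" in
        ''|*[!0-9]*) ;;                      # not purely numeric: look it up
        *) echo "$name"; return 0 ;;
    esac
    printf '%s\n' "$SERVICES_SAMPLE" | awk -v n="$name" -v p="$proto" '
        $1 == n && split($2, f, "/") == 2 && f[2] == p { print f[1]; exit }'
}

# ssh_rule IFACE SERVICE -> one iptables command with every match stated:
# interface, protocol, port and connection state, so nothing falls back to
# the "match everything" default described above.
ssh_rule() {
    iface="$1"; port="$(resolve_port "$2" tcp)"
    [ -n "$port" ] || return 1               # unknown service: refuse to emit
    echo "iptables -A INPUT -i $iface -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
}

# policy IFACE -> the complete ordered rule set: default-deny, loopback,
# the stateful rule for ESTABLISHED/RELATED traffic, then the SSH rule.
policy() {
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    ssh_rule "$1" ssh
}

# Dry run only: print the commands; applying them needs root and a review.
if [ "${1:-}" = "--print" ]; then
    policy "${2:-eth0}"
fi
```

Run as `sh firewall.sh --print eth0` to see the generated commands before applying any of them.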
