SFTP being blocked outgoing

I have an issue where on my server SFTP is being allowed in, but from the server I cannot go out.

I have modified the packet filter to allow this.

The rules I have added are as follows

SFTP Incoming

Protocol: TCP
Source Port: Any
Destination Port: 22
Source IP Address: Any IP Address
Source Mask: 0.0.0.0
Destination IP Address: My IP Address
Destination Mask: 255.255.255.255

SFTP Outgoing

Protocol: TCP
Source Port: 22
Destination Port: Any
Source IP Address: My IP Address
Source Mask: 255.255.255.255
Destination IP Address: Any IP Address
Destination Mask: 0.0.0.0

I have disabled my Cisco box that was allowing port 22 and TCP anyway.

I can't see what is blocking it, but I'm guessing it may be the destination mask or source mask.


Your firewall rules look fine for the server part. If the issue is that, from the server machine (which you'd be using as a client for this purpose), you're trying to connect to a remote SFTP (SSH) server, your firewall rules are wrong.

Making an outgoing SFTP connection doesn't mean that the source port is going to be 22 (in fact, it's very unlikely, more so if there's already a server running on that port). The destination port is also going to be 22, but the source port is going to be something usually random (or not too random but within a different range, unused by the server ports in general, let's say > 10000). For outgoing connections, your first rule would still apply, but it would need a different destination mask.

The problem then is that if you allow something like this:

Protocol: TCP
Source Port: Any
Destination Port: 22
Source IP Address: Any IP Address
Source Mask: 0.0.0.0
Destination IP Address: My IP Address
Destination Mask: 0.0.0.0

You're opening all your ports to anyone who's able to tweak their client to come from port 22, which isn't good. What you'd want is to allow only new and established incoming connections to port 22.

To be honest, I'm not sure how this works in Windows, but this is what NEW, ESTABLISHED and RELATED are for in iptables on Linux.
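The two points made in this answer, that an outgoing SFTP connection leaves from an ephemeral source port rather than port 22, and that a stateful NEW/ESTABLISHED check is safer than a static reverse-direction rule, as an added example that is not part of the original question or answers. It is a small Python model of the rule fields used on this page (protocol, ports, IP address plus mask, with mask 0.0.0.0 meaning "any address") and a minimal connection table standing in for iptables' ESTABLISHED state; the addresses, ports and rule names are constructed for illustration.

```python
"""Toy packet-filter model of the rules discussed above (added example).

Rule fields follow the question: protocol, source/destination port (None
= Any) and source/destination IP + mask, where mask 0.0.0.0 matches every
address and 255.255.255.255 requires an exact match. A flow table plays
the role of iptables' ESTABLISHED state. All addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SERVER_IP = "192.0.2.10"      # the questioner's "My IP Address" (constructed)
REMOTE_SFTP = "198.51.100.7"  # a remote SFTP server we connect out to (constructed)
CLIENT_IP = "203.0.113.5"     # an inbound client / attacker (constructed)
ANY = "0.0.0.0"               # address used together with mask 0.0.0.0


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    src_port: Optional[int]
    dst_port: Optional[int]
    src_ip: str
    src_mask: str
    dst_ip: str
    dst_mask: str


def addr_matches(addr: str, rule_ip: str, rule_mask: str) -> bool:
    """Compare only the bits the mask selects; mask 0.0.0.0 matches all."""
    a = int(ipaddress.ip_address(addr))
    r = int(ipaddress.ip_address(rule_ip))
    m = int(ipaddress.ip_address(rule_mask))
    return (a & m) == (r & m)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and (rule.src_port is None or rule.src_port == pkt.src_port)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
            and addr_matches(pkt.src_ip, rule.src_ip, rule.src_mask)
            and addr_matches(pkt.dst_ip, rule.dst_ip, rule.dst_mask))


# The rules exactly as posted in the question, plus the corrected outbound one.
INBOUND_AS_POSTED = Rule("SFTP Incoming", "TCP", None, 22, ANY, ANY, SERVER_IP, "255.255.255.255")
OUTBOUND_AS_POSTED = Rule("SFTP Outgoing (as posted)", "TCP", 22, None, SERVER_IP, "255.255.255.255", ANY, ANY)
OUTBOUND_FIXED = Rule("SFTP Outgoing (fixed)", "TCP", None, 22, SERVER_IP, "255.255.255.255", ANY, ANY)


class StatefulFilter:
    """Rules admit NEW connections (SYN); later packets of an admitted flow
    pass as ESTABLISHED in either direction, so no reverse rule is needed."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()

    @staticmethod
    def _flow_key(pkt: Packet):
        return frozenset({(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)})

    def allow(self, pkt: Packet):
        key = self._flow_key(pkt)
        if key in self.flows:
            return True, "ESTABLISHED"
        if not pkt.syn:
            return False, None  # mid-stream packet of a flow we never admitted
        for rule in self.rules:
            if rule_matches(rule, pkt):
                self.flows.add(key)
                return True, "NEW via " + rule.name
        return False, None


def outbound_sftp_decisions():
    """Server connects out to REMOTE_SFTP:22 from an ephemeral port (49152)."""
    syn = Packet("TCP", SERVER_IP, 49152, REMOTE_SFTP, 22, syn=True)
    as_posted = StatefulFilter([INBOUND_AS_POSTED, OUTBOUND_AS_POSTED]).allow(syn)[0]
    fixed = StatefulFilter([INBOUND_AS_POSTED, OUTBOUND_FIXED]).allow(syn)[0]
    return as_posted, fixed  # (False, True): the posted rule never matches


def inbound_sftp_exchange():
    """Client SYN to our :22 is NEW; our reply from :22 rides on ESTABLISHED."""
    f = StatefulFilter([INBOUND_AS_POSTED, OUTBOUND_FIXED])
    syn = Packet("TCP", CLIENT_IP, 51000, SERVER_IP, 22, syn=True)
    reply = Packet("TCP", SERVER_IP, 22, CLIENT_IP, 51000)
    return f.allow(syn), f.allow(reply)


def source_port_22_trick():
    """A stateless 'source port 22 -> any port' rule lets an attacker who binds
    local port 22 reach every port; the stateful filter refuses that SYN."""
    attacker_syn = Packet("TCP", CLIENT_IP, 22, SERVER_IP, 3389, syn=True)
    stateless_reverse = Rule("reverse of inbound (bad)", "TCP", 22, None, ANY, ANY, SERVER_IP, "255.255.255.255")
    stateful = StatefulFilter([INBOUND_AS_POSTED, OUTBOUND_FIXED]).allow(attacker_syn)[0]
    return rule_matches(stateless_reverse, attacker_syn), stateful


if __name__ == "__main__":
    print("outbound (as posted, fixed):", outbound_sftp_decisions())
    print("inbound SYN, reply:", inbound_sftp_exchange())
    print("source-port-22 trick (stateless, stateful):", source_port_22_trick())
```

The flow key is an unordered pair of endpoints, so a reply from the server's port 22 back to the client's ephemeral port is recognised as the same connection; that is what lets the inbound rule stay restricted to new connections to port 22 without a matching "source port 22 to anywhere" rule.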


If you mean that for outgoing traffic the server is acting as a client, then your outgoing rule is wrong, as Bruno stated in his answer. When acting as a client, the server will use an ephemeral port on its end and connect to the remote server on the remote server's port 22. If this is what you meant, then you need to reverse your source and destination ports in your outbound rule. The source should be any port and the destination should be port 22.