In, IPTables, whats the difference between these two rules?
What the difference between these two or are they essentially the same thing?
iptables -t filter -A FORWARD -s $EXTERNALNET -d $INTERNALNET -p tcp --dport 22 -j ACCEPT
iptables -t filter -A FORWARD -s $INTERNALNET -d $EXTERNALNET -p tcp --sport 22 -j ACCEPT
The first rule accepts traffic being forwarded from $EXTERNALNET
to $INTERNALNET
with destination port 22/tcp.
The second rule accepts traffic being forwarded from $INTERNALNET
to $EXTERNALNET
with source port 22/tcp.
In a proper configuration of a stateful firewall like iptables, there should be no need for rules to allow traffic based on source port, since both directions of validly established TCP streams are allowed. Doing otherwise can lead to security holes--in this case, allowing all outbound traffic so long as it has a source port of 22/tcp.
With a non-stateful configuration, the example given is probably about the best that can be accomplished.
-s is source, and -d is destination, so these rules are in relation to traffic fowing in either direction.
the $INTERNALNET & $EXTERNALNET are variables, likely of a subnet or network range. I'm assuming this is from a bash script you got somewhere ?