Centos – AWS Outbound ACL Rules impact on incoming ssh connections

Tags: acl, amazon-ec2, aws, centos, iptables

I am making a bastion ssh server on CentOS 7 in an AWS EC2 instance. When I use the following rules in its ACL, I am able to connect to the server just fine:

Inbound Rules

  • Allow traffic on port 22 from my client's IP
  • Block all other traffic

Outbound Rules

  • Allow all traffic to my client's IP
  • Block all other traffic

AWS ACL rules are a crude parallel to iptables; they are probably nothing more than a simplified web interface to a set of iptable rules implemented in Amazon's cloud infrastructure.

My understanding is that the Outbound Rules set is applied to any packet going out of the server, regardless of which end of the connection initiated the connection.

Furthermore, my understanding is that when using a connection initiated by the client, my ssh server will only send ssh traffic over port 22.

But when I use the following rule set, I am no longer able to connect to my server via ssh:

Inbound Rules

  • Allow traffic on port 22 from my client's IP
  • Block all other traffic

Outbound Rules

  • Allow traffic on port 22 to my client's IP
  • Block all other traffic

All other features of AWS that can block traffic have been set to allow all traffic; iptables have been set to allow all traffic in the instance's operating system, as well.

Why can't my client establish an SSH connection when outbound traffic on the server is restricted to port 22?

Best Answer

ACL in AWS is a stateless firewall, which means it treats all the requests (inbound or outbound) as independent connections. Hence, if you are trying to make port 22 of the server reachable from the client, you need to enable both sides' connections (inbound to port 22 of the server + outbound to the random [1024-65535] port of the client).

Whereas, if you are dealing with "Security Groups", you only need to allow the inbound to port 22. It's just because a "Security Group" is a stateful firewall and it keeps track of the inbound connection, therefore you need not explicitly allow the outbound connection to the client's random [1024-65535] port.
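The difference between the two rule sets can be checked by modelling the evaluation. The following is an added example, not code from the question or the answer: it models stateless network ACL evaluation (first matching rule wins, each direction judged on its own) against the two halves of an SSH exchange, and contrasts it with a stateful Security Group that admits replies automatically. The client IP and the ephemeral port are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample address for this example (not from the question).
CLIENT_IP = "203.0.113.10"
EPHEMERAL = range(1024, 65536)  # the client's random source-port range


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    host: Optional[str]     # IP to match, or None for any host
    ports: Optional[range]  # destination ports to match, or None for any port


def evaluate(rules: List[Rule], remote_ip: str, dst_port: int) -> bool:
    # Stateless evaluation: first matching rule wins, default deny.
    # Inbound rules match (source IP, destination port); outbound rules
    # match (destination IP, destination port), as AWS network ACLs do.
    for r in rules:
        if (r.host is None or r.host == remote_ip) and (r.ports is None or dst_port in r.ports):
            return r.action == "allow"
    return False


def nacl_ssh_allowed(inbound: List[Rule], outbound: List[Rule], client_port: int) -> bool:
    # A stateless ACL must pass BOTH halves of the exchange independently:
    # client:client_port -> server:22 (inbound) and server:22 -> client:client_port (outbound).
    request_ok = evaluate(inbound, CLIENT_IP, 22)
    reply_ok = evaluate(outbound, CLIENT_IP, client_port)
    return request_ok and reply_ok


def security_group_ssh_allowed(inbound: List[Rule]) -> bool:
    # A stateful firewall (Security Group) remembers the inbound connection and
    # admits its replies automatically, so only the inbound rule is consulted.
    return evaluate(inbound, CLIENT_IP, 22)


DENY_ALL = Rule("deny", None, None)
INBOUND = [Rule("allow", CLIENT_IP, range(22, 23)), DENY_ALL]
# Rule set 1 from the question: all traffic to the client's IP may leave.
OUT_ALL_TO_CLIENT = [Rule("allow", CLIENT_IP, None), DENY_ALL]
# Rule set 2 from the question: only port 22 to the client's IP may leave.
OUT_22_TO_CLIENT = [Rule("allow", CLIENT_IP, range(22, 23)), DENY_ALL]
# The fix the answer describes: allow the client's ephemeral ports outbound.
OUT_EPHEMERAL_TO_CLIENT = [Rule("allow", CLIENT_IP, EPHEMERAL), DENY_ALL]
```

With rule set 2 the reply packet to the client's ephemeral port hits the deny rule, so the handshake never completes even though the inbound half is allowed.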
