Restricting TCP Session Direction

Problem

You want to filter TCP sessions so that only the client device may initiate the application.

Solution

You can use the established keyword to restrict which device is allowed to initiate the session. In the following example, we want to allow the client device to telnet to the server, but not the other way around:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 148 permit tcp any eq telnet any established
Router1(config)#access-list 148 deny ip any any
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip access-group 148 in
Router1(config-if)#exit
Router1(config)#end
Router1#

Discussion

In this example, the interface will accept incoming TCP packets only if they have a TCP source port number of 23 (Telnet), and only if this TCP session is already established. It does not restrict the destination port number, because this would be whatever random high-numbered port the initiating device had originally selected for its source port when it started the session.

The router considers an established TCP connection to be one that has either the RST or ACK bit set. We discuss these TCP header flags in more detail in Recipe 19.4. Because the initial SYN segment of a new connection carries neither of these bits, it cannot match this rule, so it is impossible to create a new TCP connection inbound through this interface.

Note that you could actually write the same thing explicitly as two rules:

Router1(config)#access-list 148 permit tcp any eq telnet any ack
Router1(config)# ...
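To make the per-packet flag test behind the established keyword concrete, here is an added Python model of access-list 148 evaluated against a few constructed inbound segments; it is not code from the book or from Cisco, and the addresses (server 10.0.0.5 on the FastEthernet0/0 side, client 192.168.1.20 beyond the router) are assumptions for the sample traffic.

```python
from dataclasses import dataclass

TELNET = 23
SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10  # TCP header flag bits


@dataclass(frozen=True)
class TcpSegment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: int


def is_established(seg: TcpSegment) -> bool:
    """IOS 'established' keyword: true when the ACK or RST bit is set.
    This is a test on each packet's header; the router keeps no connection table."""
    return bool(seg.flags & (ACK | RST))


def acl_148(seg: TcpSegment) -> str:
    """Evaluate access-list 148 top-down; the first matching entry wins."""
    # access-list 148 permit tcp any eq telnet any established
    if seg.src_port == TELNET and is_established(seg):
        return "permit"
    # access-list 148 deny ip any any
    return "deny"


def run_samples() -> dict:
    """Constructed segments arriving inbound on FastEthernet0/0 (assumed addresses)."""
    server, client = "10.0.0.5", "192.168.1.20"
    samples = {
        # server answers the client's SYN: SYN+ACK from port 23 -> permitted
        "server_synack": TcpSegment(server, TELNET, client, 51000, SYN | ACK),
        # mid-session data from the server -> permitted
        "server_data": TcpSegment(server, TELNET, client, 51000, PSH | ACK),
        # server tearing the session down: RST counts as established -> permitted
        "server_reset": TcpSegment(server, TELNET, client, 51000, RST),
        # host on the server side tries to open Telnet to the client: bare SYN -> denied
        "server_initiates": TcpSegment(server, 40000, client, TELNET, SYN),
        # bare SYN that merely uses 23 as its source port -> still denied
        "syn_from_port_23": TcpSegment(server, TELNET, client, 51000, SYN),
    }
    return {name: acl_148(seg) for name, seg in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18s} {verdict}")
```

Because the match is on header bits alone, the model, like the router, never checks that a permitted ACK segment belongs to a session the client actually opened; that distinction is what separates this keyword from stateful inspection.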
