At 03:47 PM 6/16/2020, Kenneth Porter wrote:
The rule is in the wrong chain. The INPUT chain affects packets that
terminate at the same machine. You want to block packets that will
be passed on to the Internet, so your rule needs to be in the
FORWARD chain. (The OUTPUT chain affects packets that originate at
your machine.)
Here's a nice collection of diagrams showing how packets flow
through the system:
<https://gist.github.com/nerdalert/a1687ae4da1cc44a437d>
Ah ... Caught it. So here is the IPTABLES method to block output on
port 22 from internal machines on a gateway:
iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j DROP
So, for example, if your internal interface is /dev/enp2s0, you'd write
iptables -I FORWARD -p tcp --dport 22 -i enp2s0 -j DROP
If you want to log such attempts, precede it with a log
request. Since I'm using the -I command (insert at top), it means
the log request is entered second:
iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j LOG --log-prefix "LOOK HERE"
If someone can suggest a firewall-cmd equivalent, it would be nice.
David in SF
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
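The gateway rules discussed in the thread, worked through as an added example (this is not code from the original posts or from the CentOS project). It emits the two FORWARD rules in the post's -I form, checks that the resulting chain has LOG ahead of DROP, and gives the firewall-cmd --direct equivalent that David asked for. The interface name enp2s0 and the log prefix are assumptions; --syn on the LOG rule is an addition so that one line is logged per connection attempt rather than per packet.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds the two FORWARD
# rules discussed above (LOG, then DROP) for iptables and for firewalld's
# --direct interface, and checks that LOG ends up ahead of DROP.
# The interface name and log prefix below are assumptions.
IFACE="${IFACE:-enp2s0}"       # LAN-facing interface of the gateway (assumed)
PREFIX="${PREFIX:-LOOK HERE }" # kernel log prefix (trailing space keeps it readable)

# Match clause shared by both rules: arrived on the LAN interface, TCP/22.
match_args() {
    printf '%s' "-i $1 -p tcp --dport 22"
}

# iptables, as in the post: -I inserts at the top, so DROP is emitted first
# and LOG second, leaving LOG at position 1 and DROP at position 2.
# --syn on the LOG rule logs one line per connection attempt, not per packet.
iptables_rules() {
    m=$(match_args "$1")
    printf 'iptables -I FORWARD %s -j DROP\n' "$m"
    printf 'iptables -I FORWARD %s --syn -j LOG --log-prefix "%s"\n' "$m" "$2"
}

# firewalld equivalent: direct rules go into FORWARD_direct, which firewalld
# jumps to from FORWARD before its zone chains; a lower priority number runs
# first, so LOG gets priority 0 and DROP gets priority 1.
firewalld_rules() {
    m=$(match_args "$1")
    printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 %s --syn -j LOG --log-prefix "%s"\n' "$m" "$2"
    printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 %s -j DROP\n' "$m"
    printf 'firewall-cmd --reload\n'
}

# Simulate the chain the iptables commands produce: -I prepends, -A appends.
iptables_chain() {
    iptables_rules "$1" "$2" | awk '
        /-I FORWARD/ { chain = $0 "\n" chain; next }
        /-A FORWARD/ { chain = chain $0 "\n" }
        END { printf "%s", chain }'
}

# Order the firewalld direct rules by their priority (the field after "FORWARD").
firewalld_chain() {
    firewalld_rules "$1" "$2" | awk '
        /--direct --add-rule/ {
            for (i = 1; i <= NF; i++) if ($i == "FORWARD") { print $(i+1) "\t" $0; break }
        }' | sort -n | cut -f2-
}

# Exit 0 only if a LOG rule precedes the DROP rule in the chain text on stdin.
log_before_drop() {
    awk '/-j LOG/ { l = NR } /-j DROP/ { d = NR } END { exit !(l && d && l < d) }'
}

case "${1:-show}" in
    apply)  # install the iptables rules for real; needs root
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
        iptables_rules "$IFACE" "$PREFIX" | sh -e ;;
    show)   # default: print both rule sets without touching the firewall
        iptables_rules "$IFACE" "$PREFIX"
        echo
        firewalld_rules "$IFACE" "$PREFIX" ;;
esac
```

Two practical differences between the variants: -I at the top of FORWARD puts DROP ahead of any RELATED,ESTABLISHED accept rule, so SSH sessions that were already open are cut off as well, whereas firewalld's FORWARD_direct is reached after that accept rule, so existing sessions survive until they close and only new ones are logged and dropped. Also, if firewalld manages the box, plain iptables -I rules vanish on the next firewall-cmd --reload, which is the reason to prefer the --direct form there.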