In article alpine.OSX.2.22.432.2006161443010.72543@silver.local, Paul Heinlein heinlein@madboa.com wrote:
> On Tue, 16 Jun 2020, Leroy Tennison wrote:
>
> > I have a gateway machine (currently Centos 7 with IPV4 only) with two NICs. One is connected to the internet, the other to an internal network (10.0.0.0/24) of mixed hardware (windows7, android tablets, android phones, linux boxes) using NAT. I wish to block all outgoing connects to any external IP address on port 22 (ssh) originating from any internal machine except one (which has a known internal IP address).
> >
> > I've tried some commands using 'iptables' to accomplish this, but so far have failed. If anyone has a suggestion, I'd really appreciate it. In addition, a suitable version for 'firewalld' could be useful, as an upgrade to Centos 8 is planned.
> >
> > Examples of what I've tried, and then tested. None of them stopped an outgoing SSH from an internal system.
> >
> >   iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
> >   iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
> I'm not sure it's your INPUT table that needs that rule. I don't have any NAT machines for experimentation, but my initial hunch is that you'd want OUTPUT rules, e.g.,
>
>   iptables -A OUTPUT -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
>   iptables -A OUTPUT -p tcp --dport 22 -s 10.0.0.0/24 -j REJECT
No, the OUTPUT chains apply to traffic originating within the machine itself (the gateway machine).
But for traffic being forwarded by the gateway, it will use the FORWARD chains rather than the INPUT chains. So probably something like this:
  iptables -A FORWARD -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
  iptables -A FORWARD -p tcp --dport 22 -s 10.0.0.0/24 -j REJECT

Cheers
Tony
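The FORWARD-chain approach Tony describes, worked into a complete egress-filter script. This is an added example, written by the editor; it is not code from anyone in the thread. The interface names (eth0 facing the internet, eth1 facing the LAN), the permitted host 10.0.0.50 and the log prefix are assumptions to be adjusted. It also carries the firewalld "direct" equivalent Leroy asked about, which on CentOS 8 lands the same rules in firewalld's FORWARD_direct chain.

```shell
#!/bin/sh
# Added example (not from the thread): outbound-SSH egress filter for a
# NAT gateway. Interface names, the allowed host and the log prefix are
# assumptions; change them to match the real gateway.
set -eu

LAN_NET="10.0.0.0/24"   # internal network from the thread
GOOD_IP="10.0.0.50"     # ASSUMED: the one internal host allowed outbound SSH
WAN_IF="eth0"           # ASSUMED: NIC facing the internet
LAN_IF="eth1"           # ASSUMED: NIC facing 10.0.0.0/24

# Emit the rules, one per line, as "<chain> <match/target args>", in the
# order they must sit in the chain. Transit traffic is evaluated in FORWARD
# (not INPUT/OUTPUT), and pinning -i/-o keeps the filter scoped to traffic
# leaving via the WAN interface.
build_rules() {
    # 1. keep established flows (and their return packets) working
    echo "FORWARD -o $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 2. the single permitted internal host
    echo "FORWARD -i $LAN_IF -o $WAN_IF -s $GOOD_IP/32 -p tcp --dport 22 -j ACCEPT"
    # 3. rate-limited log line so blocked attempts show up in the journal
    echo "FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 22 -m limit --limit 5/min -j LOG --log-prefix SSH-EGRESS-BLOCK:"
    # 4. reject everyone else on the LAN; a TCP reset makes the client fail
    #    immediately instead of hanging on a DROP
    echo "FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 22 -j REJECT --reject-with tcp-reset"
}

# Render the rules as iptables commands. -I with an explicit position (1, 2,
# 3, ...) places them at the top of FORWARD in build order, so a pre-existing
# blanket "accept everything from the LAN" rule cannot shadow the REJECT
# (which is what happens if they are merely appended with -A).
iptables_commands() {
    n=1
    build_rules | while read -r chain args; do
        echo "iptables -I $chain $n $args"
        n=$((n + 1))
    done
}

# Apply the rendered commands on the gateway (needs root).
apply_rules() {
    iptables_commands | sh -e
}

# firewalld equivalent for the CentOS 8 upgrade: direct rules are placed in
# FORWARD_direct, which firewalld jumps to ahead of its zone chains, and the
# numeric priority keeps them in build order.
firewalld_rules() {
    n=0
    build_rules | while read -r chain args; do
        echo "firewall-cmd --permanent --direct --add-rule ipv4 filter $chain $n $args"
        n=$((n + 1))
    done
    echo "firewall-cmd --reload"
}

case "${1:-show}" in
    apply)     apply_rules ;;        # ./ssh-egress.sh apply      (iptables, CentOS 7)
    firewalld) firewalld_rules ;;    # ./ssh-egress.sh firewalld  (print firewall-cmd lines)
    *)         iptables_commands ;;  # default: print the iptables commands, change nothing
esac
```

Run it without arguments to review the generated commands before applying anything. Two points worth checking afterwards: `iptables -L FORWARD -n --line-numbers` should show the REJECT above any general LAN accept, and a blocked client should get an immediate "connection refused" while the permitted host's existing sessions keep running because they match the ESTABLISHED rule first.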