At 03:47 PM 6/16/2020, Kenneth Porter wrote:
The rule is in the wrong chain. The INPUT chain affects packets that terminate at the same machine. You want to block packets that will be passed on to the Internet, so your rule needs to be in the FORWARD chain. (The OUTPUT chain affects packets that originate at your machine.)
Here's a nice collection of diagrams showing how packets flow through the system:
Ah ... Caught it. So here is the IPTABLES method to block output on port 22 from internal machines on a gateway:
iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j DROP
So, for example, if your internal interface is, for example, /dev/enp2s0, you'd write
iptables -I FORWARD -p tcp --dport 22 -i enp2s0 -j DROP
If you want to log such attempts, preceed it with a log request. Since I'm using the -I command (insert at top), it means the log request is entered second:
iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j LOG --log-prefix "LOOK HERE"
If someone can suggest a firewall-cmd equivalent, it would be nice.
David in SF