On Tue, 16 Jun 2020, Leroy Tennison wrote:

> I have a gateway machine (currently CentOS 7 with IPv4 only) with two
> NICs. One is connected to the internet, the other to an internal
> network (10.0.0.0/24) of mixed hardware (Windows 7, Android tablets,
> Android phones, Linux boxes) using NAT. I wish to block all outgoing
> connects to any external IP address on port 22 (ssh) originating from
> any internal machine except one (which has a known internal IP address).
>
> I've tried some commands using 'iptables' to accomplish this, but so
> far have failed. If anyone has a suggestion, I'd really appreciate
> it. In addition, a suitable version for 'firewalld' could be useful,
> as an upgrade to CentOS 8 is in plan.
>
> Examples of what I've tried, and then tested. None of them stopped
> an outgoing SSH from an internal system.
>
> iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
> iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP

I'm not sure it's your INPUT table that needs that rule. I don't have
any NAT machines for experimentation, but my initial hunch is that
you'd want OUTPUT rules, e.g.,

  iptables -A OUTPUT -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
  iptables -A OUTPUT -p tcp --dport 22 -s 10.0.0.0/24 -j REJECT

-- 
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
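The following is an added example for this thread, not code from either poster. On a NAT gateway, packets that internal hosts send to the internet are neither addressed to the gateway (INPUT) nor originated by it (OUTPUT); they are forwarded, so they traverse the filter table's FORWARD chain. MASQUERADE is applied afterwards in nat/POSTROUTING, so the 10.0.0.x source address is still visible in FORWARD and can be matched there. The script prints the iptables rules for CentOS 7, the equivalent firewalld direct rules for CentOS 8, and a check that the ACCEPT for the permitted host sits above the subnet-wide REJECT, which is the ordering mistake that most often makes such a rule set look like it "does nothing". The interface names eth0 (internet) and eth1 (LAN), the subnet 10.0.0.0/24, the permitted host 10.0.0.50 and the sample `iptables -S FORWARD` listing are all assumptions made for the example and can be overridden in the environment.

```shell
#!/bin/sh
# Added example for the thread above, not code from either poster.
# Assumptions (override in the environment): eth0 faces the internet,
# eth1 faces 10.0.0.0/24, and 10.0.0.50 is the one host allowed out on 22.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"
GOOD_IP="${GOOD_IP:-10.0.0.50}"

# Print the iptables commands. NATed client traffic crosses the filter
# table's FORWARD chain (INPUT is for packets addressed to the gateway,
# OUTPUT for packets it originates), and MASQUERADE happens later in
# nat/POSTROUTING, so the 10.0.0.x source is still visible here. Both rules
# are inserted at position 1, REJECT first and ACCEPT second, so the ACCEPT
# ends up above the REJECT regardless of what the chain already holds.
iptables_rules() {
    printf '%s\n' \
      "iptables -I FORWARD 1 -i $LAN_IF -o $WAN_IF -p tcp --dport 22 -s $LAN_NET -j REJECT --reject-with tcp-reset" \
      "iptables -I FORWARD 1 -i $LAN_IF -o $WAN_IF -p tcp --dport 22 -s $GOOD_IP/32 -j ACCEPT"
}

# Same policy as firewalld direct rules (CentOS 8). A lower priority number
# is placed higher in the chain, so ACCEPT gets 0 and REJECT gets 1;
# --permanent rules only take effect after --reload.
firewalld_rules() {
    printf '%s\n' \
      "firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i $LAN_IF -o $WAN_IF -p tcp --dport 22 -s $GOOD_IP/32 -j ACCEPT" \
      "firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -i $LAN_IF -o $WAN_IF -p tcp --dport 22 -s $LAN_NET -j REJECT --reject-with tcp-reset" \
      "firewall-cmd --reload"
}

# Read `iptables -S FORWARD` on stdin; exit 0 only if the GOOD_IP ACCEPT for
# dport 22 appears above the LAN_NET REJECT. A REJECT above the ACCEPT, or a
# missing rule, exits 1.
check_order() {
    awk -v good="-s $GOOD_IP/32" -v net="-s $LAN_NET" '
        /--dport 22( |$)/ && index($0, good) && /-j ACCEPT/ && !acc { acc = NR }
        /--dport 22( |$)/ && index($0, net)  && /-j REJECT/ && !rej { rej = NR }
        END { exit !(acc && rej && acc < rej) }'
}

# Constructed sample of `iptables -S FORWARD` after the rules were applied
# (not captured from a real system), used to exercise check_order offline.
SAMPLE_OK='-P FORWARD ACCEPT
-A FORWARD -s 10.0.0.50/32 -i eth1 -o eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -i eth1 -o eth0 -p tcp -m tcp --dport 22 -j REJECT --reject-with tcp-reset'

# Exit status 0 when the constructed sample passes check_order.
selfcheck() { printf '%s\n' "$SAMPLE_OK" | check_order; }

case "${1:-print}" in
    print)     iptables_rules ;;
    firewalld) firewalld_rules ;;
    apply)     iptables_rules | sh -e ;;                       # needs root on the gateway
    check)     iptables -S FORWARD | check_order && echo "rule order OK" ;;
    selfcheck) selfcheck && echo "selfcheck OK" ;;
esac
```

After `apply`, confirm from an internal host other than the permitted one that `ssh -o ConnectTimeout=5 user@<external-host>` fails immediately with "Connection refused" (the tcp-reset), and watch the packet counters with `iptables -L FORWARD -v -n --line-numbers` to see which rule matched. Two caveats a practitioner should keep in mind: the exception is keyed on a source address, so it is only as trustworthy as the LAN's address assignment (any host on 10.0.0.0/24 can configure itself as 10.0.0.50 unless something else prevents it), and the rule only catches SSH on destination port 22; an SSH server listening on another port is not affected.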