[CentOS] firewall help request (solved)

Tue Jun 16 23:20:18 UTC 2020
david <david at daku.org>

At 03:47 PM 6/16/2020, Kenneth Porter wrote:
>The rule is in the wrong chain. The INPUT chain affects packets that 
>terminate at the same machine. You want to block packets that will 
>be passed on to the Internet, so your rule needs to be in the 
>FORWARD chain. (The OUTPUT chain affects packets that originate at 
>your machine.)
>
>Here's a nice collection of diagrams showing how packets flow 
>through the system:
>
><https://gist.github.com/nerdalert/a1687ae4da1cc44a437d>


Ah ... Caught it.  So here is the IPTABLES method to block output on 
port 22 from internal machines on a gateway:

   iptables -I FORWARD -p tcp --dport 22 -i 
{name-of-internal-interface} -j DROP

So, for example, if your internal interface is, for example, 
/dev/enp2s0, you'd write

   iptables -I FORWARD -p tcp --dport 22 -i enp2s0 -j DROP

If you want to log such attempts, preceed it with a log 
request.  Since I'm using the -I command (insert at top), it means 
the log request is entered second:

   iptables -I FORWARD -p tcp --dport 22 -i 
{name-of-internal-interface} -j LOG --log-prefix "LOOK HERE"


If someone can suggest a firewall-cmd equivalent, it would be nice.

David in SF