At 03:47 PM 6/16/2020, Kenneth Porter wrote:
>The rule is in the wrong chain. The INPUT chain affects packets that
>terminate at the same machine. You want to block packets that will
>be passed on to the Internet, so your rule needs to be in the
>FORWARD chain. (The OUTPUT chain affects packets that originate at
>your machine.)
>
>Here's a nice collection of diagrams showing how packets flow
>through the system:
>
><https://gist.github.com/nerdalert/a1687ae4da1cc44a437d>

Ah ... Caught it.

So here is the IPTABLES method to block output on port 22 from internal machines on a gateway:

    iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j DROP

So, for example, if your internal interface is /dev/enp2s0, you'd write

    iptables -I FORWARD -p tcp --dport 22 -i enp2s0 -j DROP

If you want to log such attempts, precede it with a log request. Since I'm using the -I command (insert at top), it means the log request is entered second:

    iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j LOG --log-prefix "LOOK HERE"

If someone can suggest a firewall-cmd equivalent, it would be nice.

David in SF
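The two rules above packaged into a small script, as an added example that is not part of David's post or of the iptables project: the first function issues the rules in the order his message describes (DROP first, then LOG, since -I inserts at the top of the chain), and the second reads an `iptables -S FORWARD` listing and confirms the LOG rule did end up above the DROP rule for the given interface. The interface name enp2s0, the RUN variable used for dry runs, and the constructed listing mentioned in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread above. It packages the two FORWARD
# rules from the post into a function and adds a check that the resulting
# chain has the LOG rule ahead of the DROP rule. The interface name (enp2s0)
# and the RUN variable are assumptions of this example.
#
#   RUN=echo  -> print the iptables commands instead of running them (dry run)
#   RUN=      -> run them for real (needs root on the gateway)

# Block outbound SSH (TCP/22) arriving from one internal interface, logging
# each attempt. Both rules belong in FORWARD: the packets transit the gateway
# rather than terminating on it (INPUT) or originating from it (OUTPUT).
# Because -I inserts at the top of the chain, DROP is issued first and LOG
# second, which leaves LOG above DROP once both are in place.
ssh_egress_block() {
    iface="$1"
    prefix="${2:-LOOK HERE}"
    $RUN iptables -I FORWARD -i "$iface" -p tcp --dport 22 -j DROP
    # The trailing space keeps the prefix separate from the packet fields the
    # kernel appends to the log line.
    $RUN iptables -I FORWARD -i "$iface" -p tcp --dport 22 -j LOG --log-prefix "$prefix "
}

# Read an "iptables -S FORWARD" listing on stdin and succeed only if, for the
# given interface, the port-22 LOG rule appears before the port-22 DROP rule.
# Typical use on the gateway:  iptables -S FORWARD | ssh_egress_rules_ordered enp2s0
ssh_egress_rules_ordered() {
    iface="$1"
    awk -v iface="$iface" '
        $0 ~ ("-i " iface " ") && /--dport 22/ && /-j LOG/  && !log_at  { log_at  = NR }
        $0 ~ ("-i " iface " ") && /--dport 22/ && /-j DROP/ && !drop_at { drop_at = NR }
        END { exit !(log_at && drop_at && log_at < drop_at) }
    '
}

# Dry run, printing the commands that would be executed:
#   RUN=echo ssh_egress_block enp2s0
```

Run it first with RUN=echo to see the exact commands, then without RUN on the gateway; afterwards pipe `iptables -S FORWARD` into ssh_egress_rules_ordered to confirm the logging rule sits above the drop rule, which is the ordering that matters if the log is what you will look at when someone on the LAN trips the block.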