> At 03:47 PM 6/16/2020, Kenneth Porter wrote:
>> The rule is in the wrong chain. The INPUT chain affects packets that
>> terminate at the same machine. You want to block packets that will
>> be passed on to the Internet, so your rule needs to be in the
>> FORWARD chain. (The OUTPUT chain affects packets that originate at
>> your machine.)
>>
>> Here's a nice collection of diagrams showing how packets flow
>> through the system:
>>
>> <https://gist.github.com/nerdalert/a1687ae4da1cc44a437d>
>
>
> Ah ... Caught it. So here is the IPTABLES method to block output on
> port 22 from internal machines on a gateway:
>
> iptables -I FORWARD -p tcp --dport 22 -i
> {name-of-internal-interface} -j DROP
>
> So, for example, if your internal interface is, for example,
> /dev/enp2s0, you'd write
>
> iptables -I FORWARD -p tcp --dport 22 -i enp2s0 -j DROP
>
> If you want to log such attempts, precede it with a log
> request. Since I'm using the -I command (insert at top), it means
> the log request is entered second:
>
> iptables -I FORWARD -p tcp --dport 22 -i
> {name-of-internal-interface} -j LOG --log-prefix "LOOK HERE"
>
>
> If someone can suggest a firewall-cmd equivalent, it would be nice.

For that kind of firewalling, I suggest using Shorewall instead:

https://shorewall.org/

IMHO it's the better tool for where you need more than a "personal"
firewall.

Regards,
Simon
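The quoted recipe above relies on running the two `-I` inserts in the right order so the LOG rule ends up above the DROP rule in FORWARD. As an added example (not from anyone in this thread), the same pair of rules written as an iptables-restore fragment, where rules are simply listed top to bottom; the interface name enp2s0, the log prefix and the rate limit on the LOG rule are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables-restore fragment
# that drops SSH forwarded in from the internal interface and logs the
# attempts. Interface name, log prefix and rate limit are assumptions.

# Print the rules in the order they must appear in FORWARD: LOG first,
# then DROP. In restore format rules are appended top to bottom, so the
# "insert the LOG rule second" dance with -I is not needed.
ssh_forward_block_rules() {
    iface="$1"
    prefix="${2:-LOOK HERE }"
    # -m limit keeps one scanning host from flooding the kernel log.
    cat <<EOF
*filter
-A FORWARD -p tcp --dport 22 -i ${iface} -m limit --limit 5/min -j LOG --log-prefix "${prefix}"
-A FORWARD -p tcp --dport 22 -i ${iface} -j DROP
COMMIT
EOF
}

# Sanity check before loading: the LOG line must come before the DROP
# line, otherwise nothing is ever logged. Returns 0 when the order is right.
rules_in_order() {
    rules="$1"
    log_line=$(printf '%s\n' "$rules" | grep -n -- '-j LOG' | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- '-j DROP' | cut -d: -f1)
    [ -n "$log_line" ] && [ -n "$drop_line" ] && [ "$log_line" -lt "$drop_line" ]
}

# Usage on the gateway (needs root); --noflush keeps the existing rules:
#   ssh_forward_block_rules enp2s0 | iptables-restore --noflush
```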