In article <alpine.OSX.2.22.432.2006161443010.72543 at silver.local>,
Paul Heinlein <heinlein at madboa.com> wrote:
> On Tue, 16 Jun 2020, Leroy Tennison wrote:
>
> > I have a gateway machine (currently CentOS 7 with IPv4 only) with two
> > NICs. One is connected to the internet, the other to an internal
> > network (10.0.0.0/24) of mixed hardware (Windows 7, Android tablets,
> > Android phones, Linux boxes) using NAT. I wish to block all outgoing
> > connects to any external IP address on port 22 (ssh) originating from
> > any internal machine except one (which has a known internal IP address).
> >
> > I've tried some commands using 'iptables' to accomplish this, but so
> > far have failed. If anyone has a suggestion, I'd really appreciate
> > it. In addition, a suitable version for 'firewalld' could be useful,
> > as an upgrade to CentOS 8 is in plan.
> >
> > Examples of what I've tried, and then tested. None of them stopped
> > an outgoing SSH from an internal system.
> >
> > iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
> > iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
>
> I'm not sure it's your INPUT table that needs that rule. I don't have
> any NAT machines for experimentation, but my initial hunch is that
> you'd want OUTPUT rules, e.g.,
>
> iptables -A OUTPUT -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 22 -s 10.0.0.0/24 -j REJECT

No, the OUTPUT chains apply to traffic originating within the machine
itself (the gateway machine). But for traffic being forwarded by the
gateway, it will use the FORWARD chains rather than the INPUT chains.
So probably something like this:

iptables -A FORWARD -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
iptables -A FORWARD -p tcp --dport 22 -s 10.0.0.0/24 -j REJECT

Cheers
Tony
--
Tony Mountifield
Work: tony at softins.co.uk - http://www.softins.co.uk
Play: tony at mountifield.org - http://tony.mountifield.org
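The FORWARD-chain rules Tony gives, written out as an added example that is not part of the thread, together with the firewalld form Leroy asked about and the ordering detail that decides whether the rules take effect at all. GOODIP (10.0.0.5 here) and the LAN range are assumed values, and DRY_RUN is a made-up switch so the commands can be read before the script is run as root.

```shell
#!/bin/sh
# Added example, not code from the list thread. GOODIP and LAN are assumed
# values; 10.0.0.5 is a made-up internal address standing in for the one
# host that is allowed to open outbound SSH.
GOODIP="${GOODIP:-10.0.0.5}"
LAN="${LAN:-10.0.0.0/24}"
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it (needs root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Packets the gateway forwards never traverse INPUT or OUTPUT, only FORWARD,
# so that is the chain to filter. The rules are inserted at positions 1 and 2
# rather than appended: on CentOS 7 firewalld has already populated FORWARD
# with its own chains and a final REJECT, and an appended rule would sit
# behind whatever ACCEPTs those chains contain. "--ctstate NEW" limits both
# rules to connection attempts, so SSH sessions that are already open are
# not torn down, and "--reject-with tcp-reset" makes a blocked client fail
# at once instead of retransmitting SYNs (the plain REJECT from the thread
# works too, it just answers with an ICMP port-unreachable).
ssh_egress_iptables() {
    run iptables -I FORWARD 1 -p tcp --dport 22 -s "${GOODIP}/32" \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -I FORWARD 2 -p tcp --dport 22 -s "$LAN" \
        -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
}

# The same rules through firewalld's direct interface (the FORWARD_direct
# chain, which firewalld consults before its zone chains). Direct rules are
# evaluated in ascending priority, so the priority-0 ACCEPT is checked
# before the priority-1 REJECT.
ssh_egress_firewalld() {
    run firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 \
        -p tcp --dport 22 -s "${GOODIP}/32" -m conntrack --ctstate NEW -j ACCEPT
    run firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 \
        -p tcp --dport 22 -s "$LAN" -m conntrack --ctstate NEW \
        -j REJECT --reject-with tcp-reset
    run firewall-cmd --reload
}

# "iptables -C" exits 0 only if an identical rule exists, so a failing check
# here means the rule was never installed (or was written differently).
# Confirm the order afterwards with: iptables -S FORWARD | grep -n -- '--dport 22'
check_iptables() {
    run iptables -C FORWARD -p tcp --dport 22 -s "${GOODIP}/32" \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -C FORWARD -p tcp --dport 22 -s "$LAN" \
        -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
}

case "${1:-}" in
    iptables)  ssh_egress_iptables ;;
    firewalld) ssh_egress_firewalld ;;
    check)     check_iptables ;;
esac
```

Run it as `sh egress-ssh.sh iptables` to see the commands, then `DRY_RUN=0 sh egress-ssh.sh iptables` as root to install them and `DRY_RUN=0 sh egress-ssh.sh check` to confirm. Two caveats worth keeping in mind: raw iptables rules do not survive a reboot on CentOS 7 unless saved (the firewalld form is written with --permanent and does), and since the block is IPv4-only, enabling IPv6 on the gateway later would need the same rule in ip6tables or the filter is simply bypassed.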