> At 03:47 PM 6/16/2020, Kenneth Porter wrote:
>>The rule is in the wrong chain. The INPUT chain affects packets that
>>terminate at the same machine. You want to block packets that will
>>be passed on to the Internet, so your rule needs to be in the
>>FORWARD chain. (The OUTPUT chain affects packets that originate at
>>your machine.)
>>Here's a nice collection of diagrams showing how packets flow
>>through the system:
> Ah ... Caught it.  So here is the IPTABLES method to block output on
> port 22 from internal machines on a gateway:
>    iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j DROP
> So, for example, if your internal interface is /dev/enp2s0, you'd write
>    iptables -I FORWARD -p tcp --dport 22 -i enp2s0 -j DROP
> If you want to log such attempts, precede it with a log
> request.  Since I'm using the -I command (insert at top), it means
> the log request is entered second:
>    iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j LOG --log-prefix "LOOK HERE"
> If someone can suggest a firewall-cmd equivalent, it would be nice.

For that kind of firewalling, I suggest using Shorewall instead:


IMHO it's the better tool for where you need more than a "personal" firewall.
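The ordering gotcha in the quoted post (with `-I` the LOG rule must be issued after the DROP rule so it lands above it) as an added example, not code from the thread; the interface name, log prefix and rate limit are placeholder assumptions:

```shell
#!/bin/sh
# Added example: generate the FORWARD-chain rules from the quoted post so the
# LOG rule ends up ABOVE the DROP rule in the chain. `iptables -I` inserts at
# the top, so the commands must be issued in the reverse of the final order.
# IFACE and PREFIX are placeholder assumptions; override them via environment.
IFACE="${IFACE:-enp2s0}"
PREFIX="${PREFIX:-LOOK_HERE}"
IPT="${IPT:-iptables}"

# Desired final order of the rules, top to bottom. The LOG rule is rate
# limited (-m limit, an assumption added here) so a burst of blocked
# connection attempts cannot flood syslog.
desired_rules() {
    printf '%s\n' \
        "-i $IFACE -p tcp --dport 22 -m limit --limit 5/min -j LOG --log-prefix $PREFIX" \
        "-i $IFACE -p tcp --dport 22 -j DROP"
}

# Reverse the list (POSIX sed idiom) and turn each rule into an insert
# command. Only prints; review the output, then pipe it to sh as root.
insert_commands() {
    desired_rules | sed -n '1!G;h;$p' | while IFS= read -r rule; do
        printf '%s -I FORWARD %s\n' "$IPT" "$rule"
    done
}

# Sanity check: the first command issued must be the DROP rule, otherwise
# the LOG rule would be pushed below DROP and never match.
first_insert_is_drop() {
    insert_commands | head -n 1 | grep -q -- '-j DROP$'
}
```

Run `insert_commands` to inspect the generated commands; `insert_commands | sh` applies them (root required).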


CentOS mailing list
