Firewall Help Request


Folks

I’m struggling with my firewall settings, and would appreciate some help.

I have a gateway machine (currently CentOS 7 with IPV4 only) with two NICs. One is connected to the internet, the other to an internal network (10.0.0.0/24) of mixed hardware (windows7, android tablets, android phones, linux boxes) using NAT. I wish to block all outgoing connects to any external IP address on port 22 (ssh) originating from any internal machine except one (which has a known internal IP address).

I’ve tried some commands using ‘iptables’ to accomplish this, but so far have failed. If anyone has a suggestion, I’d really appreciate it. In addition, a suitable version for ‘firewalld’ could be useful, as an upgrade to CentOS 8 is in plan.

Examples of what I’ve tried, and then tested. None of them stopped an outgoing SSH from an internal system.

iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP

Much thanks

David

7 thoughts on - Firewall Help Request

  • which interface is that bound to? I don’t see a -i eth0 or whatever, but you want that rule on your LAN interface.

    note these rules will also prevent any host on 10.0.0.0/24 from ssh’ing to the gateway machine itself.

  • Is your policy accept? It is possible to trace the packet through the netfilter path by setting up raw table rules with TRACE as the target and logging turned on (search the web for details – probably too much to post here) but be aware that you need a very controlled test because the syslog entries will likely be an order of magnitude greater than the actual packet count.

  • At 12:30 PM 6/16/2020, John Pierce wrote:

    At your suggestion, the command became

    iptables -I INPUT -p tcp --dport 22 -i enp3s0 -s 10.0.0.0/24 -j DROP

    where enp3s0 is the internal NIC with address 10.0.0.1. I’m assuming that your advice about LAN represents the internal network because on most routers, it is, and WAN is the internet connection.

    And SSH worked :-(
    unfortunately

    I know that many ISPs block outgoing port 25, so I know this is do-able.

    David

  • yeah, LAN == Local Area Network, WAN == Wide Area Network, generally meaning the internet.

  • I’m not sure it’s your INPUT table that needs that rule. I don’t have any NAT machines for experimentation, but my initial hunch is that you’d want OUTPUT rules, e.g.,

    iptables -A OUTPUT -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 22 -s 10.0.0.0/24 -j REJECT

  • The rule is in the wrong chain. The INPUT chain affects packets that terminate at the same machine. You want to block packets that will be passed on to the Internet, so your rule needs to be in the FORWARD chain.
    (The OUTPUT chain affects packets that originate at your machine.)

    Here’s a nice collection of diagrams showing how packets flow through the system:

    <https://gist.github.com/nerdalert/a1687ae4da1cc44a437d>

  • In article , Paul Heinlein wrote:

    No, the OUTPUT chains apply to traffic originating within the machine itself (the gateway machine).

    But for traffic being forwarded by the gateway, it will use the FORWARD chains rather than the INPUT chains. So probably something like this:

    iptables -A FORWARD -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 22 -s 10.0.0.0/24 -j REJECT

    Cheers Tony
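A worked version of what the last two replies describe, added here as an example and not taken from any of the posts above: the SSH block goes in the FORWARD chain, matched on the internal interface, with the one permitted host exempted. It assumes the LAN NIC is enp3s0 and the LAN is 10.0.0.0/24 (both from the thread); the permitted host address 10.0.0.50 and the chain name LAN_SSH_EGRESS are placeholders chosen for the example. It also covers the firewalld form David asked about, using firewalld's direct rules, which write straight into the netfilter FORWARD chain. Run without arguments it only prints the commands so they can be reviewed; `apply` or `apply-firewalld` executes them (root required).

```bash
#!/bin/sh
# Added example, not from the thread. Block SSH that the gateway FORWARDs out of
# the LAN, except from one permitted host.
# Assumptions: LAN_IF and LAN_NET come from the thread; GOODIP is a placeholder
# for the permitted host; the chain name is our own choice.

LAN_IF="${LAN_IF:-enp3s0}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"
GOODIP="${GOODIP:-10.0.0.50}"        # placeholder; set to the real permitted host
CHAIN="LAN_SSH_EGRESS"

# iptables form (CentOS 7 with plain iptables). A dedicated chain keeps the policy
# in one place. RETURN for the permitted host hands the packet back to FORWARD so
# the gateway's other rules still apply to it (ACCEPT here would skip them).
# The jump is inserted at position 1 of FORWARD so it runs ahead of any broad
# ACCEPT rule already in the chain; a rule appended after such an ACCEPT never
# sees the packet, which is one way "it still works" happens.
# tcp-reset makes the client's ssh fail immediately instead of waiting on ICMP.
build_iptables_rules() {
    printf '%s\n' "iptables -N $CHAIN"
    printf '%s\n' "iptables -A $CHAIN -s $GOODIP/32 -j RETURN"
    printf '%s\n' "iptables -A $CHAIN -j REJECT --reject-with tcp-reset"
    printf '%s\n' "iptables -I FORWARD 1 -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j $CHAIN"
}

# firewalld form (CentOS 8). Direct rules take the same iptables arguments; the
# numeric priority orders rules within a chain (lower runs first). --permanent
# writes the configuration, --reload activates it.
build_firewalld_rules() {
    printf '%s\n' "firewall-cmd --permanent --direct --add-chain ipv4 filter $CHAIN"
    printf '%s\n' "firewall-cmd --permanent --direct --add-rule ipv4 filter $CHAIN 0 -s $GOODIP/32 -j RETURN"
    printf '%s\n' "firewall-cmd --permanent --direct --add-rule ipv4 filter $CHAIN 1 -j REJECT --reject-with tcp-reset"
    printf '%s\n' "firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j $CHAIN"
    printf '%s\n' "firewall-cmd --reload"
}

# Sanity check on the generated list: the RETURN for the permitted host must come
# before the REJECT, or the exception never fires. Returns 0 when ordered correctly.
allow_precedes_reject() {
    allow_line=$(build_iptables_rules | grep -n -- "-j RETURN" | cut -d: -f1)
    reject_line=$(build_iptables_rules | grep -n -- "-j REJECT" | cut -d: -f1)
    [ -n "$allow_line" ] && [ -n "$reject_line" ] && [ "$allow_line" -lt "$reject_line" ]
}

case "${1:-}" in
    apply)           build_iptables_rules | sh -e ;;
    apply-firewalld) build_firewalld_rules | sh -e ;;
    *)               build_iptables_rules; echo; build_firewalld_rules ;;
esac
```

To confirm the rule is actually being hit, watch the packet counters with `iptables -L FORWARD -v -n` and `iptables -L LAN_SSH_EGRESS -v -n` while an internal host attempts an outbound ssh; a counter that stays at zero means the traffic is taking a different path (wrong chain, wrong interface, or an earlier ACCEPT), which is the same diagnosis the replies above reach.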