Folks

I'm struggling with my firewall settings, and would appreciate some help.

I have a gateway machine (currently Centos 7 with IPV4 only) with two NICs. One is connected to the internet, the other to an internal network (10.0.0.0/24) of mixed hardware (windows7, android tablets, android phones, linux boxes) using NAT. I wish to block all outgoing connections to any external IP address on port 22 (ssh) originating from any internal machine except one (which has a known internal IP address).

I've tried some commands using 'iptables' to accomplish this, but so far have failed. If anyone has a suggestion, I'd really appreciate it. In addition, a suitable version for 'firewalld' could be useful, as an upgrade to Centos 8 is in plan.

Examples of what I've tried, and then tested. None of them stopped an outgoing SSH from an internal system.

  iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
  iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP

Much thanks

David
On Tue, Jun 16, 2020 at 12:26 PM david <david at daku.org> wrote:

> Examples of what I've tried, and then tested. None of them stopped
> an outgoing SSH from an internal system.
>
> iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
> iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP

Which interface is that bound to? I don't see a -i eth0 or whatever, but you want that rule on your LAN interface.

Note these rules will also prevent any host on 10.0.0.0/24 from ssh'ing to the gateway machine itself.

--
-john r pierce
recycling used bits in santa cruz
Is your policy accept?

It is possible to trace the packet through the netfilter path by setting up raw table rules with TRACE as the target and logging turned on (search the web for details - probably too much to post here) but be aware that you need a very controlled test because the syslog entries will likely be an order of magnitude greater than the actual packet count.

Leroy Tennison
Network Information/Cyber Security Specialist

________________________________
From: CentOS <centos-bounces at centos.org> on behalf of david <david at daku.org>
Sent: Tuesday, June 16, 2020 2:21 PM
To: CentOS mailing list <centos at centos.org>
Subject: [CentOS] firewall help request
At 12:30 PM 6/16/2020, John Pierce wrote:

> On Tue, Jun 16, 2020 at 12:26 PM david <david at daku.org> wrote:
>
>> Examples of what I've tried, and then tested. None of them stopped
>> an outgoing SSH from an internal system.
>>
>> iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
>> iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
>
> which interface is that bound to? I don't see a -i eth0 or whatever, but
> you want that rule on your LAN interface.
>
> note these rules will also prevent any host on 10.0.0.0/24 from ssh'ing to
> the gateway machine itself.

At your suggestion, the command became

  iptables -I INPUT -p tcp --dport 22 -i enp3s0 -s 10.0.0.0/24 -j DROP

where enp3s0 is the internal NIC with address 10.0.0.1. I'm assuming that your advice about LAN represents the internal network because on most routers, it is, and WAN is the internet connection.

And ssh worked :-(

Unfortunately I know that many ISPs block outgoing port 25, so I know this is do-able.

David
On Tue, 16 Jun 2020, Leroy Tennison wrote:

> I have a gateway machine (currently Centos 7 with IPV4 only) with two
> NICs. One is connected to the internet, the other to an internal
> network (10.0.0.0/24) of mixed hardware (windows7, android tablets,
> android phones, linux boxes) using NAT. I wish to block all outgoing
> connects to any external IP address on port 22 (ssh) originating from
> any internal machine except one (which has a known internal IP address).
>
> I've tried some commands using 'iptables' to accomplish this, but so
> far have failed. If anyone has a suggestion, I'd really appreciate
> it. In addition, a suitable version for 'firewalld' could be useful,
> as an upgrade to Centos 8 is in plan.
>
> Examples of what I've tried, and then tested. None of them stopped
> an outgoing SSH from an internal system.
>
> iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
> iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP

I'm not sure it's your INPUT table that needs that rule. I don't have any NAT machines for experimentation, but my initial hunch is that you'd want OUTPUT rules, e.g.,

  iptables -A OUTPUT -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
  iptables -A OUTPUT -p tcp --dport 22 -s 10.0.0.0/24 -j REJECT

--
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
The rule is in the wrong chain. The INPUT chain affects packets that terminate at the same machine. You want to block packets that will be passed on to the Internet, so your rule needs to be in the FORWARD chain. (The OUTPUT chain affects packets that originate at your machine.) Here's a nice collection of diagrams showing how packets flow through the system: <https://gist.github.com/nerdalert/a1687ae4da1cc44a437d>
At 03:47 PM 6/16/2020, Kenneth Porter wrote:

> The rule is in the wrong chain. The INPUT chain affects packets that
> terminate at the same machine. You want to block packets that will
> be passed on to the Internet, so your rule needs to be in the
> FORWARD chain. (The OUTPUT chain affects packets that originate at
> your machine.)
>
> Here's a nice collection of diagrams showing how packets flow
> through the system:
>
> <https://gist.github.com/nerdalert/a1687ae4da1cc44a437d>

Ah ... Caught it. So here is the IPTABLES method to block output on port 22 from internal machines on a gateway:

  iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j DROP

So, for example, if your internal interface is /dev/enp2s0, you'd write

  iptables -I FORWARD -p tcp --dport 22 -i enp2s0 -j DROP

If you want to log such attempts, precede it with a log request. Since I'm using the -I command (insert at top), it means the log request is entered second:

  iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j LOG --log-prefix "LOOK HERE"

If someone can suggest a firewall-cmd equivalent, it would be nice.

David in SF
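As an added example (not code from any poster in this thread), the FORWARD-chain approach above combined with the one-host exception from the original question, plus a firewall-cmd equivalent built from firewalld direct rules. The interface name enp2s0, the allowed host 10.0.0.50 and the chain name SSH_EGRESS are assumptions; the functions emit the commands rather than running them, so the ruleset can be reviewed first and then piped to sh as root.

```shell
#!/bin/sh
# Egress SSH filter for a NAT gateway: forwarded packets from the LAN never
# traverse INPUT or OUTPUT, so the filter has to live in FORWARD.
LAN_IF="${LAN_IF:-enp2s0}"            # assumed internal NIC name
LAN_NET="10.0.0.0/24"
ALLOWED_HOST="${ALLOWED_HOST:-10.0.0.50}"   # constructed sample address

# iptables version. A dedicated chain keeps the exception, the rate-limited
# LOG and the DROP together; --syn matches only new connections, so the
# rule is safe to insert ahead of any ESTABLISHED,RELATED accept rule.
ssh_egress_rules() {
    cat <<EOF
iptables -N SSH_EGRESS 2>/dev/null || iptables -F SSH_EGRESS
iptables -A SSH_EGRESS -s $ALLOWED_HOST -j RETURN
iptables -A SSH_EGRESS -m limit --limit 5/min -j LOG --log-prefix "SSH-EGRESS-DROP "
iptables -A SSH_EGRESS -j DROP
iptables -I FORWARD 1 -i $LAN_IF -s $LAN_NET -p tcp --syn --dport 22 -j SSH_EGRESS
EOF
}

# firewalld version. Direct rules take iptables syntax and are placed in
# firewalld's FORWARD_direct chain, which FORWARD jumps to before zone rules
# (assumption: firewalld 0.x as shipped with CentOS 7/8).
ssh_egress_firewalld() {
    cat <<EOF
firewall-cmd --permanent --direct --add-chain ipv4 filter SSH_EGRESS
firewall-cmd --permanent --direct --add-rule ipv4 filter SSH_EGRESS 0 -s $ALLOWED_HOST -j RETURN
firewall-cmd --permanent --direct --add-rule ipv4 filter SSH_EGRESS 1 -m limit --limit 5/min -j LOG --log-prefix "SSH-EGRESS-DROP "
firewall-cmd --permanent --direct --add-rule ipv4 filter SSH_EGRESS 2 -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i $LAN_IF -s $LAN_NET -p tcp --syn --dport 22 -j SSH_EGRESS
firewall-cmd --reload
EOF
}

case "${1:-print}" in
    apply)     ssh_egress_rules | sh -e ;;     # run as root on the gateway
    firewalld) ssh_egress_firewalld ;;
    *)         ssh_egress_rules ;;             # default: just show the rules
esac
```

After applying, `iptables -L FORWARD -v -n --line-numbers` should show the SSH_EGRESS jump as rule 1 and its packet counter should rise when a non-exempt LAN host attempts an outbound ssh, while the exempt host's attempts hit the RETURN rule and are forwarded as before.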