Join Log in
Score:0
Joe avatar Server

debian as gatway block port from ip

cn flag
Joe

I have a number of public ips behind a debian router connected to vms. I want a specific ip not to be able to use port 25 outgoing.

I have tried /sbin/iptables -A OUTPUT -o ens19 -p tcp --destination-port 25 -s xxx.xxx.xxx.xxx -j DROP along with several other combinations of command but I cannot get it to work. It will block outgoing ports on the router fine but not for systems behind it.

41
1 + 1
ufw
in flag
NiKiZe
Does any outgoing traffic from the servers also go thru your deb router? `iptables -A FORWARD -p tcp --destination-port 25 -s xxx.xxx.xxx.xxx -j DROP` Note FORWARD and no -o
0
Reply
Score:1
avatar Server
in flag
NiKiZe

OUTPUT is from the machine itself, to block forwarded traffic you need FORWARD as in:

iptables -A FORWARD -p tcp --dport 25 -s xxx.xxx.xxx.xxx -j DROP

Also skipping -o ens since you probably want to block port 25 from that IP, regardless of which interface it goes out on, and also that there is several places in the tables that some information is not available, the less specification, the less that can go wrong.

0 + 9
Joe avatar
cn flag
Joe
I have just tried this but it does not seem to be blocking it.My default forward policy is to accept?
0
Reply
in flag
NiKiZe
First you might actually want to check that any traffic out actually passes thru your router, also check your rules and that you don't have any other rule before this one.
0
Reply
Joe avatar
cn flag
Joe
It has to go through that router to reach the wider internet. The paste is the result of iptables -L https://pastebin.com/BmLARLBb (I have been testing it with port 80 to make sure the rule is working).
0
Reply
in flag
NiKiZe
`iptables -vnL` try to find a rule that get's hit, such as `iptables -A FORWARD -s x.x.x.x -j ACCEPT`
0
Reply
Joe avatar
cn flag
Joe
-vnl generates virtually the same result. https://pastebin.com/bKGgGzpw the forward setting was made by editing the /etc/sysctl.conf file not within iptables.
0
Reply
Joe avatar
cn flag
Joe
With the extra forward rule it does show as handling data. https://pastebin.com/LzQR3azw
0
Reply
Joe avatar
cn flag
Joe
I think I have fixed it. Rather than --dport I have changed it to --sport.
0
Reply
in flag
NiKiZe
`--sport` is the source port, that does not really make sense, sport is in most cases random, Are you sure you are trying to block in the right direction?
0
Reply
Joe avatar
cn flag
Joe
Does --sport blocking in the outgoing or incoming direction? Dport just didn't do anything.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.