
I have a number of public ips behind a debian router connected to vms. I want a specific ip not to be able to use port 25 outgoing.

I have tried /sbin/iptables -A OUTPUT -o ens19 -p tcp --destination-port 25 -s xxx.xxx.xxx.xxx -j DROP along with several other combinations of the command, but I cannot get it to work. It will block outgoing ports on the router fine, but not for systems behind it.

Joe
  • Does any outgoing traffic from the servers also go thru your deb router? `iptables -A FORWARD -p tcp --destination-port 25 -s xxx.xxx.xxx.xxx -j DROP` Note FORWARD and no -o – NiKiZe Aug 04 '21 at 15:00

1 Answer


OUTPUT is from the machine itself, to block forwarded traffic you need FORWARD as in:

iptables -A FORWARD -p tcp --dport 25 -s xxx.xxx.xxx.xxx -j DROP

Also, skip -o ens19, since you probably want to block port 25 from that IP regardless of which interface it goes out on; there are also several places in the tables where some information is not available, so the less you specify, the less can go wrong.

NiKiZe
  • I have just tried this but it does not seem to be blocking it. My default forward policy is to accept? – Joe Aug 04 '21 at 15:37
  • First you might actually want to check that any traffic out actually passes thru your router, also check your rules and that you don't have any other rule before this one. – NiKiZe Aug 04 '21 at 16:06
  • It has to go through that router to reach the wider internet. The paste is the result of iptables -L https://pastebin.com/BmLARLBb (I have been testing it with port 80 to make sure the rule is working). – Joe Aug 04 '21 at 16:58
  • `iptables -vnL` try to find a rule that gets hit, such as `iptables -A FORWARD -s x.x.x.x -j ACCEPT` – NiKiZe Aug 04 '21 at 17:04
  • -vnl generates virtually the same result. https://pastebin.com/bKGgGzpw the forward setting was made by editing the /etc/sysctl.conf file not within iptables. – Joe Aug 04 '21 at 17:08
  • With the extra forward rule it does show as handling data. https://pastebin.com/LzQR3azw – Joe Aug 04 '21 at 17:24
  • I think I have fixed it. Rather than --dport I have changed it to --sport. – Joe Aug 04 '21 at 17:46
  • `--sport` is the source port, that does not really make sense, sport is in most cases random, Are you sure you are trying to block in the right direction? – NiKiZe Aug 04 '21 at 18:57
  • Does --sport block in the outgoing or incoming direction? Dport just didn't do anything. – Joe Aug 04 '21 at 19:19
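The comment thread above turns on two points: forwarded traffic is matched in FORWARD, not OUTPUT, and a broad `-s x.x.x.x -j ACCEPT` that sits earlier in the chain will shadow a later DROP. The script below is an added example, not code from the question or the answer. It inserts the rule at position 1 with `-I` so it cannot be shadowed, and it includes a small checker that reads `iptables -S FORWARD` output and reports whether the port-25 DROP for a given source precedes any ACCEPT that would match that source first. The VM address 203.0.113.10 is a placeholder, and the sample rule listings in the usage are constructed, not taken from the pastebins.

```shell
#!/bin/sh
# Added example (not the original poster's or answerer's code).
# Assumes a Debian router doing IPv4 forwarding with iptables available.
VM_IP="203.0.113.10"   # placeholder: replace with the VM's public IP

# Insert (not append) the rule so it is evaluated before any earlier
# "-s <vm> -j ACCEPT" in FORWARD. Forwarded packets never traverse OUTPUT.
block_vm_smtp() {
    iptables -I FORWARD 1 -p tcp --dport 25 -s "$VM_IP" -j DROP
}

# Show per-rule packet/byte counters with rule numbers; a rule that never
# increments while the VM sends mail is the wrong chain or is shadowed.
show_forward_hits() {
    iptables -vnL FORWARD --line-numbers
}

# drop_precedes_accept RULES IP
# RULES is the text of `iptables -S FORWARD`. Returns 0 when the port-25 DROP
# for IP comes before any ACCEPT that would match IP first (an ACCEPT with
# the same -s, or an ACCEPT with no -s at all); returns 1 otherwise.
# Heuristic: an unqualified ACCEPT with other matches (e.g. conntrack) is
# also treated as shadowing, which errs on the side of a warning.
drop_precedes_accept() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        function from_ip() {
            return index($0, "-s " ip "/32 ") || index($0, "-s " ip " ")
        }
        /^-A FORWARD/ {
            if (from_ip() && index($0, "--dport 25 ") && index($0, "-j DROP")) {
                print "ok: port-25 DROP for " ip " is reached first"
                found = 1; exit
            }
            if (index($0, "-j ACCEPT") && (index($0, "-s ") == 0 || from_ip())) {
                print "shadowed: ACCEPT at rule " NR " precedes the DROP"
                exit
            }
        }
        END { exit found ? 0 : 1 }'
}

# Usage on the router (needs root):
#   block_vm_smtp
#   drop_precedes_accept "$(iptables -S FORWARD)" "$VM_IP"
#   show_forward_hits
```

The checker only looks at FORWARD, because that is the chain a packet from a VM behind the router traverses; if the rule counters in `show_forward_hits` stay at zero while the VM is sending, either the traffic is not actually crossing this router or an earlier rule is consuming it.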