Blocked outbound SSH port to prevent bad guy

ggsmarket

Hi,

I am having a problem with the NAT setting of vmbr0 and vmbr1.

Some bad guys are always using my network to scan or attack someone.

Is there any way to prevent or check it?

My NAT setting:
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 59999 -j DNAT --to 192.168.0.225:3389
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 59999 -j DNAT --to 192.168.0.225:3389

VM firewall rule
[RULES]
[OPTIONS]
# enable firewall (cluster wide setting, default is disabled)
enable: 1

OUT SSH(REJECT) -i net0 -source 192.168.0.225
OUT SSH(DROP) -i net0 -source 192.168.0.225

Cluster firewall rule
[RULES]
[OPTIONS]
# enable firewall (cluster wide setting, default is disabled)
enable: 1

OUT SSH(REJECT) -i vmbr1
OUT SSH(REJECT) -i vmbr0
OUT SSH(DROP) -i vmbr0
OUT SSH(DROP) -i vmbr1
 
> Hi,
>
> I am having a problem with the NAT setting of vmbr0 and vmbr1.
>
> Some bad guys are always using my network to scan or attack someone.

What does this mean exactly? Somebody in your local network misuses it in order to do ugly things somewhere external? Or is it an attack from outside into your network?

What in particular do you want to prevent, i.e. from which endpoint (VM, IP address etc.) to which one?

> Is there any way to prevent or check it?
Probably yes - but you have to know the above details.

> VM firewall rule
>
> [RULES]
> [OPTIONS]
> # enable firewall (cluster wide setting, default is disabled)
> enable: 1
>
> OUT SSH(REJECT) -i net0 -source 192.168.0.225
> OUT SSH(DROP) -i net0 -source 192.168.0.225
>
> Cluster firewall rule
>
> [RULES]
> [OPTIONS]
> # enable firewall (cluster wide setting, default is disabled)
> enable: 1
>
> OUT SSH(REJECT) -i vmbr1
> OUT SSH(REJECT) -i vmbr0
> OUT SSH(DROP) -i vmbr0
> OUT SSH(DROP) -i vmbr1

These rules reject SSH (destination port 22) outbound; everything else (outbound) is possible.

Moreover, the rules only take effect once "firewall enabled" is set for the virtual NICs too.
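
The reply's last point can be checked from the host shell. The following is an added example, not part of the original posts: it lists the virtual NICs in a VM config that do not carry `firewall=1`. The function name and the sample config are constructed for illustration; on a host the input would be the VM's file under `/etc/pve/qemu-server/`.

```shell
#!/bin/sh
# Added example: list virtual NICs in a Proxmox VM config that lack firewall=1.
# Usage on a host (100 is a placeholder VM ID):
#   nics_without_firewall /etc/pve/qemu-server/100.conf

nics_without_firewall() {
    # Print the netN keys whose option list has no firewall=1.
    # Parsing stops at the first [section] header, so NIC lines stored
    # inside snapshot sections are not reported.
    awk '
        /^\[/ { exit }
        /^net[0-9]+:/ {
            key = $1; sub(/:$/, "", key)
            opts = $0; sub(/^net[0-9]+:[ \t]*/, "", opts)
            n = split(opts, parts, ",")
            on = 0
            for (i = 1; i <= n; i++) if (parts[i] == "firewall=1") on = 1
            if (!on) print key
        }
    ' "$@"
}

# Constructed sample config (VM name, MAC addresses and NIC layout are made up).
sample_vm_conf() {
    cat <<'EOF'
memory: 4096
name: win-rdp
net0: virtio=AA:BB:CC:00:00:01,bridge=vmbr1,firewall=1
net1: virtio=AA:BB:CC:00:00:02,bridge=vmbr1
net2: e1000=AA:BB:CC:00:00:03,bridge=vmbr0,firewall=0

[snap1]
net3: virtio=AA:BB:CC:00:00:04,bridge=vmbr1
EOF
}

# With no file argument the function reads the config from stdin.
sample_vm_conf | nics_without_firewall
```

Any NIC the function prints is not filtered by the VM's OUT rules, whatever the rule list says.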
 
