Block Single Host with firewalld

By Paul Heinlein | Sep 1, 2014

I’m fairly fluent in basic firewall operations with iptables, but the firewalld included in CentOS 7 is new to me. I’d gotten the firewalld-friendly version of fail2ban working on a VM I manage. One remote host was pounding away on port 22/tcp; it was duly denied access for several minutes at a time, but it never took the hint and went away.

I finally decided just to drop all packets from the IP address completely. To do so, I had to spend some time in the man page for firewall-cmd, the command-line interface to firewalld.


If I were using iptables manually, here’s how I’d do it (using a fake IP address by way of example; the address below is a placeholder):

iptables -t filter -I INPUT -s <ip-address> -j DROP

Running iptables-save on my host that’s running firewalld, I saw that adding a rule to the INPUT chain on this host wasn’t a great option. firewalld pre-defines a complex set of filters and chains. I won’t go into the process by which I parsed the chains, but the short answer is that I wanted my DROP rule to be placed first in the chain called INPUT_direct.

So here’s the command I used:

firewall-cmd \
  --direct \
  --add-rule ipv4 filter INPUT_direct 0 -s <ip-address> -j DROP

The only bit that might not be understood easily is the 0 that follows the INPUT_direct chain name. It signifies the priority the rule should be given. Here it means “put it at the beginning of the chain.”

Right now, firewalld will forget this special rule the next time it’s restarted. I could have added the --permanent option to ensure the rule sticks around after a reboot, but I’m hoping the remote host will get patched by its user and/or blocked by its hosting ISP by then.
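As an added example (not the post’s own code), a small POSIX sh wrapper around the direct rule above: it validates the address before it reaches firewall-cmd, builds the argument list, and uses firewall-cmd’s --direct --query-rule so a second run does not stack a duplicate DROP entry. Function names are mine; it assumes firewall-cmd is on PATH when block_host is actually run.

```shell
#!/bin/sh
# Added example (not from the post): wrap the INPUT_direct drop rule in a
# script with input validation and an idempotency check. Assumes firewall-cmd
# is on PATH when block_host is actually run; the other helpers run anywhere.

# Return 0 if $1 is a plain dotted-quad IPv4 address, 1 otherwise. Rejecting
# anything else keeps shell metacharacters out of the firewall-cmd arguments.
valid_ipv4() {
  addr=$1
  case $addr in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  oldifs=$IFS
  IFS=.
  set -- $addr
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the firewall-cmd arguments for the rule the post uses: priority 0 in
# INPUT_direct so it is evaluated before firewalld's own chains. Pass
# "permanent" as $2 to add --permanent so the rule survives reload and reboot.
drop_rule_args() {
  valid_ipv4 "$1" || return 1
  perm=
  [ "$2" = permanent ] && perm="--permanent "
  printf '%s\n' "${perm}--direct --add-rule ipv4 filter INPUT_direct 0 -s $1 -j DROP"
}

# Apply the rule once: --direct --query-rule exits 0 when an identical rule is
# already present, so repeated runs do not add duplicate DROP entries.
block_host() {
  ip=$1
  if ! valid_ipv4 "$ip"; then
    echo "block_host: not a valid IPv4 address: $ip" >&2
    return 2
  fi
  if firewall-cmd --direct --query-rule ipv4 filter INPUT_direct 0 -s "$ip" -j DROP >/dev/null 2>&1; then
    echo "already blocked: $ip"
    return 0
  fi
  # Unquoted on purpose: the argument string is built only from validated input.
  firewall-cmd $(drop_rule_args "$ip" "$2")
}
```

Newer firewalld releases (1.0 and later) mark the direct interface as deprecated in favour of policies and rich rules, though it still works.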

2017-06-22 11:07:13 gstlouis

using firewalld to remove a rich rule

  • it has to be identical to the one you added; example of the rule:
    firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="<ip-address>" port protocol="tcp" port="25" reject'

  • change to:
    firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="<ip-address>" port protocol="tcp" port="25" reject'

  • looking at iptables -S you will see that the rule is still there. However, if you reload firewalld it will be removed from the iptables list:
    firewall-cmd --reload

2017-10-16 09:28:21

removing a port temporarily or permanently

Assuming you already have port 10000 open and want to close it temporarily to test things. The rule below will block the port until firewalld is reloaded with firewall-cmd --reload:

  • firewall-cmd --zone=public --remove-port=10000/tcp

A permanent block is simply the following. Afterwards, run firewall-cmd --reload to ensure it is applied permanently:

  • firewall-cmd --zone=public --remove-port=12345/tcp --permanent

2018-03-04 11:28:51

show all rules

firewall-cmd --list-all

2018-03-04 16:29:29