Block Single Host with firewalld
By Paul Heinlein | Sep 1, 2014
I’m fairly fluent in basic firewall operations with iptables, but the firewalld included in CentOS 7 is new to me. I’d gotten the firewalld-friendly version of fail2ban working on a VM I manage. One remote host was pounding away on port 22/tcp; it was duly denied access for several minutes at a time, but it never took the hint and went away.
I finally decided just to drop all packets from the IP address completely. To do so, I had to spend some time in the man page for firewall-cmd, the command-line interface to firewalld.
If I were using iptables manually, here’s how I’d do it (using a fake IP address by way of example):
iptables -t filter -I INPUT -s 10.11.12.13/32 -j DROP
Running iptables-save on my host that's running firewalld, I saw that adding a rule to the INPUT chain on this host wasn't a great option: firewalld pre-defines an elaborate set of chains of its own and jumps into them from INPUT. I won't go into the process by which I parsed the chains, but the short answer is that I wanted my DROP rule to be placed first in the chain called INPUT_direct, the chain firewalld reserves for direct rules.
So here’s the command I used:
firewall-cmd \
  --direct \
  --add-rule ipv4 filter INPUT_direct 0 -s 10.11.12.13/32 -j DROP
The only bit that might not be understood easily is the 0 that follows the INPUT_direct chain name. It is the rule's priority: lower numbers are placed earlier in the chain, so 0 puts the rule at the top, ahead of any direct rule with a higher priority number. Rules that share a priority have no guaranteed order relative to each other, so the 0 alone doesn't make this the very first rule if other priority-0 direct rules exist.
Right now, firewalld will forget this special rule the next time it's restarted. I could have added the --permanent option to ensure the rule sticks around after a reboot (on its own, --permanent only writes the stored configuration; to have the rule active now and after a reboot you run the command both with and without it, or follow the permanent one with firewall-cmd --reload), but I'm hoping the remote host will get patched by its user and/or blocked by its hosting ISP by then.
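The procedure above, wrapped in a small helper that I am adding here as an example; it is not code from the original post. It validates the address before it reaches a command run as root, keeps the add and remove invocations byte-for-byte identical, and handles the runtime and permanent copies of the rule together. FIREWALL_CMD is an assumed override hook so the helper can be dry-run with FIREWALL_CMD=echo on a machine without firewalld; the default is the real firewall-cmd.

```shell
#!/bin/sh
# Added example, not from the original post: a helper around
# firewall-cmd --direct for blocking and unblocking one IPv4 host.
# FIREWALL_CMD is an assumed hook for dry runs (FIREWALL_CMD=echo).
: "${FIREWALL_CMD:=firewall-cmd}"

# Returns 0 if $1 is a dotted-quad IPv4 address with an optional /0-/32
# prefix, 1 otherwise.  The address is interpolated into a command that
# runs as root, so nothing but digits, dots and a prefix may get through.
valid_ipv4_cidr() {
    addr=${1%%/*}
    prefix=${1#"$addr"}
    case "$prefix" in
        ""|/[0-9]|/[12][0-9]|/3[0-2]) ;;
        *) return 1 ;;
    esac
    case "$addr" in
        *[!0-9.]*|""|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
            *) return 1 ;;          # leading zeros or empty octet
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Normalise a bare address to /32 so add and remove use the same text.
host_cidr() {
    case "$1" in
        */*) printf '%s\n' "$1" ;;
        *)   printf '%s/32\n' "$1" ;;
    esac
}

# block_host ADDRESS [permanent]
# Priority 0 places the DROP ahead of any direct rule with a higher
# priority number.  The runtime rule takes effect immediately; with
# "permanent" the same rule is also written to the stored configuration
# so it survives a reload or reboot.
block_host() {
    host=$(host_cidr "$1")
    valid_ipv4_cidr "$host" || { echo "refusing to block '$1'" >&2; return 2; }
    "$FIREWALL_CMD" --direct --add-rule ipv4 filter INPUT_direct 0 -s "$host" -j DROP || return 1
    if [ "${2:-}" = permanent ]; then
        "$FIREWALL_CMD" --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -s "$host" -j DROP
    fi
}

# unblock_host ADDRESS [permanent]: the exact inverse of block_host.
unblock_host() {
    host=$(host_cidr "$1")
    valid_ipv4_cidr "$host" || { echo "refusing to unblock '$1'" >&2; return 2; }
    "$FIREWALL_CMD" --direct --remove-rule ipv4 filter INPUT_direct 0 -s "$host" -j DROP || return 1
    if [ "${2:-}" = permanent ]; then
        "$FIREWALL_CMD" --permanent --direct --remove-rule ipv4 filter INPUT_direct 0 -s "$host" -j DROP
    fi
}

# List the direct rules currently active in INPUT_direct.
list_blocks() {
    "$FIREWALL_CMD" --direct --get-rules ipv4 filter INPUT_direct
}
```

After `block_host 10.11.12.13`, `list_blocks` (or `iptables -S INPUT_direct`) should show the DROP. Two things worth checking on the box itself: `firewall-cmd --reload` rebuilds the runtime rules from the stored configuration, so a rule added without `permanent` disappears on reload as well as on reboot; and in firewalld's iptables backend on CentOS 7 the INPUT chain accepts RELATED,ESTABLISHED traffic before it jumps to INPUT_direct (`iptables -S INPUT` shows the order), so the DROP stops new connections from the host but does not cut a session that is already open. If you would rather stay inside firewalld's own model than use direct rules, a rich rule does the same job: `firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.11.12.13/32 drop'`.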
using firewalld to remove a rich rule
removing a port temporarily or permanently
Assuming you already have port 10000 open and want to close it temporarily to test things. The rule below will block the port only until firewalld is reloaded with firewall-cmd --reload, which restores the permanent configuration.
a permanent block is simply. Afterwards, run firewall-cmd --reload so that the permanent configuration is applied to the running firewall.
show all rules