Block Single Host with firewalld

By Paul Heinlein | Sep 1, 2014

I’m fairly fluent in basic firewall operations with iptables, but the firewalld included in CentOS 7 is new to me. I’d gotten the firewalld-friendly version of fail2ban working on a VM I manage. One remote host was pounding away on port 22/tcp; it was duly denied access for several minutes at a time, but it never took the hint and went away.

I finally decided just to drop all packets from the IP address completely. To do so, I had to spend some time in the man page for firewall-cmd, the command-line interface to firewalld.

If I were using iptables manually, here’s how I’d do it (using a fake IP address by way of example):

iptables -t filter -I INPUT -s 10.11.12.13/32 -j DROP

Running iptables-save on the host that’s running firewalld, I saw that adding a rule directly to the INPUT chain wasn’t a great option: firewalld sets up a complex, pre-defined set of filters and chains of its own. I won’t go into the process by which I parsed the chains, but the short answer is that I wanted my DROP rule to be placed first in the chain called INPUT_direct.

So here’s the command I used:

firewall-cmd \
  --direct \
  --add-rule ipv4 filter INPUT_direct 0 -s 10.11.12.13/32 -j DROP

The only bit that might not be understood easily is the 0 that follows the INPUT_direct chain name. It signifies the priority the rule should be given within the chain: rules with lower numbers are inserted ahead of rules with higher numbers, so here 0 means “put it at the beginning of the chain.”

Right now, firewalld will forget this special rule the next time it’s restarted. I could have added the --permanent option to ensure the rule sticks around after a reboot, but I’m hoping the remote host will get patched by its user and/or blocked by its hosting ISP by then.
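Because the direct rule above is easy to mistype and the --permanent behaviour is easy to misread, here is a small POSIX sh wrapper around the same firewall-cmd invocation, written as an added example rather than taken from the original post. It validates that the argument is a single IPv4 address before building the rule, can add, remove or query the rule, and when PERMANENT=1 issues the command twice, once for the running firewall and once with --permanent, because --permanent on its own only changes the saved configuration and leaves the running rules untouched. The helper names (valid_ipv4, rule_args, block_host, unblock_host, is_blocked) and the FIREWALL_CMD and PERMANENT variables are assumptions for this example; the firewall-cmd options themselves are the real ones.

```shell
#!/bin/sh
# Added example, not code from the original post: a small POSIX sh wrapper
# around firewall-cmd's --direct interface that adds, removes or queries the
# "drop everything from this host" rule at the head of INPUT_direct, exactly
# as the post's command does. The helper names (valid_ipv4, rule_args,
# block_host, unblock_host, is_blocked) and the FIREWALL_CMD / PERMANENT
# variables are assumptions for this example.

# Command to run. Override with FIREWALL_CMD=echo to see the arguments that
# would be passed without touching the running firewall.
: "${FIREWALL_CMD:=firewall-cmd}"

# Accept only a plain dotted-quad IPv4 address (no CIDR, no hostname), so a
# typo cannot become a rule that drops a whole network instead of one host.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # Range-check each octet in a subshell so the IFS change does not leak.
    (IFS=.; set -- $1; for octet; do [ "$octet" -le 255 ] || exit 1; done)
}

# The rule exactly as the post writes it:
#   <family> <table> <chain> <priority> <iptables arguments...>
# Priority 0 places the rule at the beginning of INPUT_direct.
rule_args() {
    printf '%s\n' "ipv4 filter INPUT_direct 0 -s $1/32 -j DROP"
}

# Add the DROP rule to the running firewall. With PERMANENT=1 it is also
# written to the permanent configuration; --permanent by itself changes only
# the saved config and not the running rules, so both calls are needed for
# "block it now and keep it blocked after a reboot".
block_host() {
    valid_ipv4 "$1" || { echo "block_host: invalid IPv4 address: $1" >&2; return 2; }
    $FIREWALL_CMD --direct --add-rule $(rule_args "$1") || return 1
    if [ "${PERMANENT:-0}" = 1 ]; then
        $FIREWALL_CMD --permanent --direct --add-rule $(rule_args "$1") || return 1
    fi
}

# Remove the rule again (runtime, plus permanent config if PERMANENT=1).
unblock_host() {
    valid_ipv4 "$1" || { echo "unblock_host: invalid IPv4 address: $1" >&2; return 2; }
    $FIREWALL_CMD --direct --remove-rule $(rule_args "$1") || return 1
    if [ "${PERMANENT:-0}" = 1 ]; then
        $FIREWALL_CMD --permanent --direct --remove-rule $(rule_args "$1") || return 1
    fi
}

# Exit 0 if the rule is currently present in the running firewall
# (firewall-cmd prints "yes"/"no" and sets its exit status to match).
is_blocked() {
    valid_ipv4 "$1" || return 2
    $FIREWALL_CMD --direct --query-rule $(rule_args "$1")
}

# Command-line entry point, used only when arguments are given:
#   block_host.sh {block|unblock|query} IPV4_ADDRESS    (PERMANENT=1 to persist)
if [ $# -gt 0 ]; then
    case "$1" in
        block)   block_host "$2" ;;
        unblock) unblock_host "$2" ;;
        query)   is_blocked "$2" ;;
        *) echo "usage: $0 {block|unblock|query} IPV4_ADDRESS" >&2; exit 64 ;;
    esac
fi
```

To confirm what actually landed in the running firewall, firewall-cmd --direct --get-all-rules lists every direct rule; direct rules do not show up in the ordinary firewall-cmd --list-all output, which is worth remembering when auditing a host later.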