I’m fairly fluent in basic firewall operations with iptables, but the firewalld included in CentOS 7 is new to me. I’d gotten the firewalld-friendly version of fail2ban working on a VM I manage. One remote host was pounding away on port 22/tcp; it was duly denied access for several minutes at a time, but it never took the hint and went away.

I finally decided just to drop all packets from the IP address completely. To do so, I had to spend some time in the man page for firewall-cmd, the command-line interface to firewalld.
If I were using iptables manually, here’s how I’d do it (using a fake IP address by way of example):

    iptables -t filter -I INPUT -s 10.11.12.13/32 -j DROP
When I ran iptables-save on my host that’s running firewalld, I saw that adding a rule to the INPUT chain on this host wasn’t a great option. firewalld sets up a complex, pre-defined set of filters and chains. I won’t go into the process by which I parsed the chains, but the short answer is that I wanted my DROP rule to be placed first in the chain called INPUT_direct.
So here’s the command I used:

    firewall-cmd \
        --direct \
        --add-rule ipv4 filter INPUT_direct 0 -s 10.11.12.13/32 -j DROP
The only bit that might not be understood easily is the 0 that follows the INPUT_direct chain name. It signifies the priority the rule should be given; here it means “put it at the beginning of the chain.”

firewalld will forget this special rule the next time it’s restarted. I could have added the --permanent option to ensure the rule sticks around after a reboot, but I’m hoping the remote host will get patched by its user and/or blocked by its hosting ISP by then.
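As an added example (not from the original post), here is a small POSIX shell wrapper around the same direct rule: it validates the address before it is spliced into the firewall-cmd argument list, skips the add when --query-rule reports the rule is already present, and optionally writes it to the permanent configuration as well. The names FWCMD, valid_ipv4_cidr, direct_rule_args and block_source are my own; firewall-cmd is only invoked, not emulated.

```shell
#!/bin/sh
# Added example (not from the post): wrap the post's firewall-cmd direct
# rule in a function that validates the address, skips duplicates and can
# also write the rule to the permanent configuration.
# Names here (FWCMD, valid_ipv4_cidr, direct_rule_args, block_source) are my own.

FWCMD="${FWCMD:-firewall-cmd}"   # overridable, e.g. FWCMD=true when testing

# Succeed only for a dotted-quad IPv4 address with an optional /0-32 prefix,
# so nothing unexpected can be spliced into the firewall-cmd argument list.
valid_ipv4_cidr() {
    [ -n "$1" ] || return 1
    case "$1" in *[!0-9./]*|.*|*.|*/*/*) return 1 ;; esac
    addr="${1%%/*}"; prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32            # no "/" given: host address
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# The rule from the post: table filter, chain INPUT_direct, priority 0
# (front of the chain), DROP everything from the given source.
direct_rule_args() {
    printf '%s' "ipv4 filter INPUT_direct 0 -s $1 -j DROP"
}

# block_source ADDR [permanent]
# Adds the runtime rule; with "permanent" it is also saved, so neither a
# firewalld restart nor a reload forgets it.
block_source() {
    valid_ipv4_cidr "$1" || { echo "invalid IPv4 address/CIDR: $1" >&2; return 2; }
    rule=$(direct_rule_args "$1")
    # --query-rule exits 0 when the rule already exists in the runtime set.
    if $FWCMD --direct --query-rule $rule >/dev/null 2>&1; then
        echo "runtime rule already present for $1"
    else
        $FWCMD --direct --add-rule $rule || return 1
    fi
    if [ "$2" = "permanent" ]; then
        $FWCMD --permanent --direct --add-rule $rule || return 1
    fi
}

# Usage with the post's placeholder address:
# block_source 10.11.12.13/32 permanent
```

Note that a runtime-only direct rule is dropped not just by a daemon restart but also by firewall-cmd --reload, which is why the permanent copy matters if the block needs to outlive routine maintenance.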