LinuxQuestions.org
CentOS This forum is for the discussion of CentOS Linux. Note: This forum does not have any official participation.
Old 01-27-2017, 02:24 PM   #1
Sum1
Member
 
Registered: Jul 2007
Distribution: CentOS and Slackware and Gentoo
Posts: 309

Rep: Reputation: 27
Firewalld drop/block large ip address range


CentOS 7

When I execute this drop rule with firewalld: firewall-cmd --zone=external --permanent --add-rich-rule='rule family="ipv4" source address="116.0.0.0/8" drop' -- it isn't reported in iptables -nvL.

But if I block a smaller address range: firewall-cmd --zone=external --permanent --add-rich-rule='rule family="ipv4" source address="116.31.0.0/16" drop' -- this will be listed in iptables -nvL:

Code:
Chain IN_external_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2605  156K DROP       all  --  *      *       116.31.0.0/16        0.0.0.0/0
Is there a firewalld/iptables range limit to public internet address blocking?
 
Old 01-27-2017, 02:35 PM   #2
Sum1
Member
 
Registered: Jul 2007
Distribution: CentOS and Slackware and Gentoo
Posts: 309

Original Poster
Rep: Reputation: 27

Snagged again by my own lack of RTFM ----

The behavior is explained in the man page:

Code:
Permanent Options
       --permanent
       . . . These changes are not effective immediately, only after service restart/reload or system reboot. Without the --permanent
           option, a change will only be part of the runtime configuration.

Code:
firewall-cmd --complete-reload
and now iptables -nvL reports all xxx.0.0.0/8 drops and blocks.
 
Old 01-27-2017, 02:38 PM   #3
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,237

Rep: Reputation: 1649
You can just do a --reload if you don't want to lose connections. --complete-reload will dump the states.
 
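The thread's point is that firewalld keeps two configurations: a rule added with --permanent is written to the zone's XML but does not touch iptables until a reload, which is why the /8 rule in post #1 was "missing" while the /16 (added earlier and already reloaded) showed up. The script below is an added example, not code from the original posts: it adds each drop rule twice (runtime, then --permanent) so it is effective immediately and survives a reload without needing --reload or --complete-reload at all, and then checks the kernel-side chain firewalld creates for the zone (IN_<zone>_deny) for the DROP. The zone name "external" and the CIDRs come from the thread; the FWCMD and IPT variables are assumptions added so the functions can be dry-run (for example FWCMD=echo) on a box without firewalld.

```shell
#!/bin/sh
# Added example (not from the thread): block source CIDRs in a firewalld zone
# so the rule is active in the running firewall AND persists across
# reload/reboot, then confirm the kernel really has the DROP. firewalld keeps
# runtime and permanent configuration separately: --permanent alone writes the
# zone XML and changes nothing in iptables until 'firewall-cmd --reload'.
# Assumptions: zone "external" (as in the thread), firewall-cmd/iptables on
# PATH; FWCMD and IPT can be overridden (e.g. FWCMD=echo) for a dry run.
set -eu

ZONE="${ZONE:-external}"
FWCMD="${FWCMD:-firewall-cmd}"
IPT="${IPT:-iptables}"

# Rich-rule text for one IPv4 source CIDR (same form the thread uses).
rich_rule_for() {
    printf 'rule family="ipv4" source address="%s" drop' "$1"
}

# Accept only a.b.c.d/n with octets 0-255 and prefix 0-32; anything else
# would make firewall-cmd fail or block a range other than the one intended.
valid_ipv4_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    ip=${1%/*}
    prefix=${1#*/}
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Add the drop rule to the runtime set (effective now, lost on reload) and
# to the permanent set (survives reload/reboot, but not applied until one).
# Doing both closes the window the original poster ran into.
deny_cidr() {
    valid_ipv4_cidr "$1" || { echo "invalid IPv4 CIDR: $1" >&2; return 2; }
    rule=$(rich_rule_for "$1")
    "$FWCMD" --zone="$ZONE" --add-rich-rule="$rule"
    "$FWCMD" --zone="$ZONE" --permanent --add-rich-rule="$rule"
}

# Does the kernel have a DROP for this CIDR in the zone's deny chain?
# iptables -nvL columns: pkts bytes target prot opt in out source destination,
# so target is $3 and source is $8.
cidr_is_dropped() {
    "$IPT" -nvL "IN_${ZONE}_deny" 2>/dev/null |
        awk -v c="$1" '$3 == "DROP" && $8 == c { found = 1 } END { exit !found }'
}

# Block every CIDR given on the command line and verify each one landed.
main() {
    for cidr in "$@"; do
        deny_cidr "$cidr"
        if cidr_is_dropped "$cidr"; then
            echo "$cidr: DROP present in IN_${ZONE}_deny"
        else
            echo "$cidr: not in IN_${ZONE}_deny; check 'firewall-cmd --zone=$ZONE --list-rich-rules'" >&2
            exit 1
        fi
    done
}

[ $# -eq 0 ] || main "$@"
```

Run it as root with the ranges to block, e.g. `./deny-cidrs.sh 116.0.0.0/8 116.31.0.0/16`. If you prefer to add rules at runtime only and then persist them in one step, `firewall-cmd --runtime-to-permanent` does that; and as post #3 notes, when you do need to apply permanent-only changes, `firewall-cmd --reload` keeps connection state while `--complete-reload` also drops it.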