[SOLVED] Drop/Terminate data to/from source using firewalld rich rules
Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Distribution: Fedora, CentOS, and would like to get back to Gentoo
Posts: 332
Rep:
Drop/Terminate data to/from source using firewalld rich rules
The Problem:
Users have legitimate complaints about intermittent network slow-downs:
- accessing internet sites, load-times of web pages, etc.
- network dependent apps are slow to produce reports and/or search results
Users say “Do something about it. Solve it.” They want to do their jobs and get on with life. Ok.
The company has no formal policies regarding use of internet services and I’m far past the point of making judgments about the use of dropbox, bittorrent, media streaming, etc.
All I want is the power to temporarily cut off the source of the network slowdown when it happens.
What I used to do:
Router with 2 x NICs running slackware 14.
Execute iptraf-ng, choose IP Network Monitor and sort by Byte Count.
The sorted screen always seemed a bit confusing but I could usually pluck a couple of IP addresses with racing byte counts and cut all traffic to them using an iptables rule.
Then if I wanted to identify the computer or device, I’d go into the dhcpd.leases file and look for the ip address and the corresponding device hostname.
It was a bit of a pain, but it worked.
Now:
Router with 2 x NIC’s running CentOS 7.
Using systemd and firewalld with 2 zones: external (internet-facing) and internal (LAN-facing).
Now when I try the same thing using firewall-cmd rich rules, it won’t work.
Example:
[root@hello ~]# firewall-cmd --zone=external --list-rich-rules
rule family="ipv4" source address="10.10.1.73/24" drop
rule family="ipv4" source address="40.97.126.210" drop
rule family="ipv4" source address="10.10.1.73/32" drop
rule family="ipv4" source address="40.97.126.210/32" drop
and
[root@hello ~]# firewall-cmd --zone=internal --list-rich-rules
rule family="ipv4" source address="10.10.1.73/24" drop
rule family="ipv4" source address="40.97.126.210" drop
rule family="ipv4" source address="10.10.1.73/32" drop
It didn’t work. The traffic continued to burst away for another hour before stopping.
The address (40.97.126.210) belongs to Microsoft so I’m not concerned about publishing it.
1. What am I doing wrong with firewalld rich rules and how do I properly drop/terminate traffic to/from a specific source on the LAN?
Current command -
ADD rich rule to drop any traffic in zone "internal" from source ip address 10.10.1.125:
2. Is there better open source network monitoring software I should look at for installation on the router?
Something that will improve identification of individual host bandwidth use including ports, ip addresses, and host names? I’m willing to take on some learning curve in the short-term to make my network life better over the long-term.
I'm no expert, but I think adding a rule after a connection has been made doesn't affect the connection; just works on future connections.
-OR-
adding a rule with --permanent doesn't affect the current connection.
I don't know which. My current script to block an IP is:
but I run that to block future attempts, not to kill current connections.
Ahh. From the man page:
Code:
--permanent
The permanent option --permanent can be used to set options permanently. These changes are not effective immediately, only after service restart/reload or system reboot. Without the --permanent option, a change
will only be part of the runtime configuration.
If you want to make a change in runtime and permanent configuration, use the same call with and without the --permanent option.
Distribution: Fedora, CentOS, and would like to get back to Gentoo
Posts: 332
Original Poster
Rep:
Perhaps this is the thing I need to try next -
Code:
--complete-reload
Reload firewall completely, even netfilter kernel modules. This will most likely terminate active connections, because state information is lost. This option should only be used in case of
severe firewall problems. For example if there are state information problems that no connection can be established with correct firewall rules.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
