Blocking IP with Firewalld

lapthorn · 08-03-2016, 04:31 PM

Ive recently updated my home server from Centos 6 to 7 and am now using firewalld. As far as I can tell my firewalld configuration is correct and everything works as expected.

My problem is locking IP address' typically this will be my children's phones/tablets/consoles at bedtime.

I have attempted to use rich rules and direct rules both have the same outcome.

In my example I'm blocking a phone using rich rules

firewall-cmd --zone=trusted --remove-rich-rule="rule family='ipv4' source address='192.168.10.30' drop"

All connections appear to be succesfully dropped, however if watching netflix then whatever is being watched continues, its only when you try and skip to another part of what your watching the rule kicks in and the connection is dropped.

Exactly the same when using direct rules:

firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 192.168.10.30/32 -j DROP

Ideally I want this established connection to also be dropped when I invoke this rule.

Anyone have any ideas or where I could go to get more information.

It used to work fine with iptables on Centos 6

Rinndalir · 08-03-2016, 05:03 PM

Impose an electronic curfew. At 10 p.m. every night your devices need to be right here. Make a place where they can charge them
overnight.

fred2014 · 08-04-2016, 05:12 AM

On the other hand it is a very good point -
there are options in iptables to enabled timed
firewalling (try man iptables ) but I'm not
very experienced with iptables
the man pages list --timestart etc. so presumable iptables
would interrupt and stop a connection

It would be odd if centos7 removed the ability to do something
so fundamental - try yahoo centos forum and man pages

Rinndalir · 08-04-2016, 02:02 PM

Go look at a distro that uses ip tables for the firewall. Then look at their rules.

You also can just put in a rule to block netflix incoming.

lazydog · 08-04-2016, 02:32 PM

The problem I believe you are having is dropping established connected sessions. If the firewall is a STATEFUL firewall then it is not going to be possible. But if it is STATELESS then the rules should kick in when applied. I think that firewalld is STATEFUL so you would have to change the way it works in order to do what you want.

Seeing how I dropped firewalld in favor of IPTABLES (which firewalld uses anyway) I'm not sure about the rules it creates.
Could you possible save your firewall rules with the following and then paste them?

Code:

sudo iptables-save >> iptables.rules

I'm looking to see if it is using established,related rules.

JJJCR · 08-07-2016, 10:24 PM

Quote:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.0.11' reject"

Text above from this link: https://access.redhat.com/discussions/1342573

ihaveavirus · 08-08-2016, 10:38 AM

When using rich rules you can get really fine grain with what you want to do. If you have your childrens' devices on a seperate subnet, you could just block all hosts on that subnet with the following:

firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.10.0/32" drop'

Followed by a reload (firewall-cmd --reload). If you want this to be something that runs every evening for a set period of time you could throw it in a script and have a cron job run it at a certain time every night and then have the reverse done in the morning or whenever you specify.

If you want to block specific ports you can do so with the following:

firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.10.0/32" port port=443 protocol=tcp drop'

Ensure you always do a reload and your firewall rule is assigned to the appropriate zone and interface that your childrens' device traffic is coming in on. Firewalld was designed to alleviate the user unfriendly IP tables syntax and it does so quite well. For further information:

https://fedoraproject.org/wiki/Featu...rule_structure

I used the above link a ton when I was first learning how to use rich rules.

pingu_penguin · 08-10-2016, 09:01 AM

I agree with ihaveavirus's idea. Just add a cron entry for 10:00 pm for a script

script could be as simple as :

#restart network service
#firewalld rule to block ip/subnet

I propose a simple network restart since that would kill all existing connections.

lazydog · 08-10-2016, 12:53 PM

Quote:

Originally Posted by pingu_penguin

I agree with ihaveavirus's idea. Just add a cron entry for 10:00 pm for a script

script could be as simple as :

#restart network service
#firewalld rule to block ip/subnet

I propose a simple network restart since that would kill all existing connections.

I would suggest this script work in reverse order meaning the firewall rule should be added first the the interface restarted.

Instead of restarting the interface I would use conntrack to remove the connections you don't want? That way connection that you still want to be made will continue to work without interruptions.

lapthorn · 08-11-2016, 05:06 AM

I'll try with conntrack and let you know the results; I'll create a script that creates the rich rule and then removes all the established connections:

firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.10.40/32" drop'
conntrack -D -s 192.168.10.42

Thanks for all your help so far!

lapthorn · 08-12-2016, 07:15 AM

Worked!!!

firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.10.42/32" drop'
conntrack -D -s 192.168.10.42

Removed all established connections and preventing anymore being created form his IP in the "trusted" zone!

lazydog · 08-13-2016, 09:34 AM

Glad I could help.