LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-03-2016, 04:31 PM   #1
lapthorn
Member
 
Registered: Jul 2003
Location: Reading
Distribution: Red Hat
Posts: 89

Rep: Reputation: 16
Blocking IP with Firewalld


I've recently updated my home server from CentOS 6 to 7 and am now using firewalld. As far as I can tell my firewalld configuration is correct and everything works as expected.

My problem is locking IP addresses; typically these will be my children's phones/tablets/consoles at bedtime.

I have attempted to use rich rules and direct rules both have the same outcome.

In my example I'm blocking a phone using rich rules:

firewall-cmd --zone=trusted --remove-rich-rule="rule family='ipv4' source address='192.168.10.30' drop"

All connections appear to be successfully dropped; however, if watching Netflix then whatever is being watched continues. It's only when you try and skip to another part of what you're watching that the rule kicks in and the connection is dropped.

Exactly the same when using direct rules:

firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 192.168.10.30/32 -j DROP

Ideally I want this established connection to also be dropped when I invoke this rule.


Anyone have any ideas, or where I could go to get more information?


It used to work fine with iptables on CentOS 6.
 
Old 08-03-2016, 05:03 PM   #2
Rinndalir
Member
 
Registered: Sep 2015
Posts: 733

Rep: Reputation: Disabled
Impose an electronic curfew. At 10 p.m. every night your devices need to be right here. Make a place where they can charge them overnight.
 
Old 08-04-2016, 05:12 AM   #3
fred2014
Member
 
Registered: Mar 2015
Posts: 70

Rep: Reputation: Disabled
On the other hand it is a very good point - there are options in iptables to enable timed firewalling (try man iptables) but I'm not very experienced with iptables. The man pages list --timestart etc., so presumably iptables would interrupt and stop a connection.

It would be odd if CentOS 7 removed the ability to do something so fundamental - try the Yahoo CentOS forum and man pages.
 
Old 08-04-2016, 02:02 PM   #4
Rinndalir
Member
 
Registered: Sep 2015
Posts: 733

Rep: Reputation: Disabled
Go look at a distro that uses iptables for the firewall. Then look at their rules.

You also can just put in a rule to block Netflix incoming.
 
Old 08-04-2016, 02:32 PM   #5
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
The problem I believe you are having is dropping established connected sessions. If the firewall is a STATEFUL firewall then it is not going to be possible. But if it is STATELESS then the rules should kick in when applied. I think that firewalld is STATEFUL so you would have to change the way it works in order to do what you want.

Seeing how I dropped firewalld in favor of IPTABLES (which firewalld uses anyway) I'm not sure about the rules it creates.
Could you possibly save your firewall rules with the following and then paste them?

Code:
sudo iptables-save >> iptables.rules
I'm looking to see if it is using established,related rules.
 
Old 08-07-2016, 10:24 PM   #6
JJJCR
Senior Member
 
Registered: Apr 2010
Posts: 1,850

Rep: Reputation: 337Reputation: 337Reputation: 337Reputation: 337
Quote:
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.0.11' reject"
Text above from this link: https://access.redhat.com/discussions/1342573
 
Old 08-08-2016, 10:38 AM   #7
ihaveavirus
LQ Newbie
 
Registered: Jul 2016
Distribution: RHEL
Posts: 22

Rep: Reputation: Disabled
When using rich rules you can get really fine-grained with what you want to do. If you have your children's devices on a separate subnet, you could just block all hosts on that subnet with the following:

firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.10.0/24" drop'

Followed by a reload (firewall-cmd --reload). If you want this to be something that runs every evening for a set period of time you could throw it in a script and have a cron job run it at a certain time every night and then have the reverse done in the morning or whenever you specify.

If you want to block specific ports you can do so with the following:

firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.10.0/24" port port=443 protocol=tcp drop'

Ensure you always do a reload and your firewall rule is assigned to the appropriate zone and interface that your children's device traffic is coming in on. Firewalld was designed to alleviate the user-unfriendly iptables syntax and it does so quite well. For further information:

https://fedoraproject.org/wiki/Featu...rule_structure

I used the above link a ton when I was first learning how to use rich rules.
 
Old 08-10-2016, 09:01 AM   #8
pingu_penguin
Member
 
Registered: Aug 2004
Distribution: Manjaro Linux
Posts: 291

Rep: Reputation: 57
I agree with ihaveavirus's idea. Just add a cron entry for 10:00 pm for a script.

The script could be as simple as:

#restart network service
#firewalld rule to block ip/subnet

I propose a simple network restart since that would kill all existing connections.
 
1 members found this post helpful.
Old 08-10-2016, 12:53 PM   #9
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
Quote:
Originally Posted by pingu_penguin View Post
I agree with ihaveavirus's idea. Just add a cron entry for 10:00 pm for a script.

The script could be as simple as:

#restart network service
#firewalld rule to block ip/subnet

I propose a simple network restart since that would kill all existing connections.
I would suggest this script work in reverse order, meaning the firewall rule should be added first, then the interface restarted.

Instead of restarting the interface I would use conntrack to remove the connections you don't want? That way connection that you still want to be made will continue to work without interruptions.
 
2 members found this post helpful.
Old 08-11-2016, 05:06 AM   #10
lapthorn
Member
 
Registered: Jul 2003
Location: Reading
Distribution: Red Hat
Posts: 89

Original Poster
Rep: Reputation: 16
I'll try with conntrack and let you know the results. I'll create a script that creates the rich rule and then removes all the established connections:

firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.10.42/32" drop'
conntrack -D -s 192.168.10.42

Thanks for all your help so far!
 
Old 08-12-2016, 07:15 AM   #11
lapthorn
Member
 
Registered: Jul 2003
Location: Reading
Distribution: Red Hat
Posts: 89

Original Poster
Rep: Reputation: 16
Worked!!!

firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.10.42/32" drop'
conntrack -D -s 192.168.10.42

Removed all established connections and prevented any more from being created from his IP in the "trusted" zone!
 
1 members found this post helpful.
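Putting the two commands from the posts above together: the script below is an added example, not something posted in this thread, and it is written for the cron approach suggested by pingu_penguin and lazydog. The script name, the block/unblock argument convention, the FW_ZONE variable and the example crontab times are assumptions; firewall-cmd and conntrack(8) (package conntrack-tools) must exist on the firewall host. The security-relevant detail it encodes is the ordering lazydog pointed out: a DROP rule only affects packets that have to be evaluated by the filter, so an established flow keeps being matched by the existing conntrack entry until that entry is deleted. Adding the rule first and then purging the entry closes the window in which the device could open a new flow between the purge and the rule taking effect.

```shell
#!/bin/sh
# block_device.sh (hypothetical name): add or remove a firewalld rich rule that
# drops all traffic from one IPv4 address in a zone, and, when blocking, purge
# the address's conntrack entries so already-established sessions (a running
# video stream, for example) die immediately instead of surviving until the
# client opens a new connection.
#
# Usage:  block_device.sh block   192.168.10.42
#         block_device.sh unblock 192.168.10.42
# Example crontab (assumed times):
#   0 22 * * * /usr/local/sbin/block_device.sh block   192.168.10.42
#   0  7 * * * /usr/local/sbin/block_device.sh unblock 192.168.10.42
set -eu

# Zone the device's traffic arrives in; FW_ZONE is an assumed override knob.
ZONE="${FW_ZONE:-trusted}"

# The rich-rule string firewalld expects for "drop everything from <address>".
rich_rule() {
    printf 'rule family="ipv4" source address="%s" drop' "$1"
}

# Accept only a dotted-quad IPv4 host address (optionally with /32). The script
# is per-device, like the thread's solution; refusing anything else keeps a
# typo from turning into a rule that matches nothing or far more than intended.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/32)?$'
}

# Print the commands for an action, one per line, without executing them.
# Keeping "plan" separate from "run" lets you review (or test) what will happen.
plan() {
    action="$1"; ip="$2"
    case "$action" in
        block)
            # 1) install the drop rule first, so no new flow can sneak in ...
            printf "firewall-cmd --zone=%s --add-rich-rule='%s'\n" "$ZONE" "$(rich_rule "$ip")"
            # 2) ... then delete existing conntrack entries for the bare host
            #    address (conntrack -s takes an address, not a prefix here).
            printf 'conntrack -D -s %s\n' "${ip%%/*}"
            ;;
        unblock)
            printf "firewall-cmd --zone=%s --remove-rich-rule='%s'\n" "$ZONE" "$(rich_rule "$ip")"
            ;;
        *)
            return 1
            ;;
    esac
}

main() {
    [ $# -eq 2 ] || { echo "usage: $0 block|unblock <ipv4[/32]>" >&2; exit 2; }
    valid_ipv4 "$2" || { echo "not an IPv4 host address: $2" >&2; exit 2; }
    plan "$1" "$2" | while IFS= read -r cmd; do
        echo "+ $cmd"      # log what runs, useful when cron mails the output
        eval "$cmd"
    done
}

# Only act when invoked with arguments, so the file can be sourced for testing.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The rule added this way is a runtime rule and vanishes on reload or reboot, which is fine for a curfew that a morning cron job removes anyway; add --permanent (and a reload) only if the block should survive a restart. Run `conntrack -L -s 192.168.10.42` afterwards to confirm no entries remain for the device.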
Old 08-13-2016, 09:34 AM   #12
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
Glad I could help.
 