LinuxQuestions.org
Help answer threads with 0 replies.
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > CentOS
Reload this Page [SOLVED] Firewalld drop/block large ip address range
User Name
Password
CentOS This forum is for the discussion of CentOS Linux. Note: This forum does not have any official participation.

Notices


Reply
  Search this Thread
Old 01-27-2017, 02:24 PM   #1
Sum1
Member
 
Registered: Jul 2007
Distribution: Fedora, CentOS, and would like to get back to Gentoo
Posts: 332

Rep: Reputation: 30
Firewalld drop/block large ip address range

CentOS 7

When I execute this drop rule with firewalld: firewall-cmd --zone=external --permanent --add-rich-rule='rule family="ipv4" source address="116.0.0.0/8" drop' ---- It isn't reported in iptables -nvL

But if I block a smaller address range: firewall-cmd --zone=external --permanent --add-rich-rule='rule family="ipv4" source address="116.31.0.0/16" drop' --- this will be listed in iptables -nvL

Code:
Chain IN_external_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2605  156K DROP       all  --  *      *       116.31.0.0/16        0.0.0.0/0
Is there a firewalld/iptables range limit to public internet address blocking?
 
Old 01-27-2017, 02:35 PM   #2
Sum1
Member
 
Registered: Jul 2007
Distribution: Fedora, CentOS, and would like to get back to Gentoo
Posts: 332

Original Poster
Rep: Reputation: 30
Thumbs up
Snagged again by my own lack of RTFM ----

The behavior is explained in the man page:

Code:
Permanent Options
       --permanent
       . . . These changes are not effective immediately, only after service restart/reload or system reboot. Without the --permanent
           option, a change will only be part of the runtime configuration.
firewall-cmd --complete-reload
and now iptables -nvL reports all xxx.0.0.0/8 drops and blocks.
 
Old 01-27-2017, 02:38 PM   #3
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,278

Rep: Reputation: 1694Reputation: 1694Reputation: 1694Reputation: 1694Reputation: 1694Reputation: 1694Reputation: 1694Reputation: 1694Reputation: 1694Reputation: 1694Reputation: 1694
You can just do a --reload if you don't want to lose connections. --complete-reload will dump the states.
 
  


Reply



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Firewalld - enable IP range vmxes Linux - Security 1 06-06-2016 03:04 AM
[SOLVED] firewalld block ip ranging but allow single ip packetsmacker Linux - Security 7 01-28-2016 02:14 PM
Block incoming IPv6 access to LAN clients with firewalld? n0xlf Linux - Networking 2 09-12-2014 08:23 PM
How to Drop or Block Incoming Access From Specific IP Address Using Iptables jaydul Linux - Newbie 1 10-17-2013 09:10 PM
IP Tables, How to block range of ip address from ip table gash Linux - Software 4 05-31-2012 08:05 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > CentOS

All times are GMT -5. The time now is 03:27 PM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration