Block outgoing connections on RHEL7/CentOS7 with firewalld?
Solution 1
I didn't find any option in that nice GUI, but it is possible via the direct interface.
To enable only outgoing port 80:
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=80 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -j DROP
This will add it to permanent rules, not the runtime rules.
You will need to reload permanent rules so they become runtime rules.
firewall-cmd --reload
To display permanent rules:
firewall-cmd --permanent --direct --get-all-rules
To display runtime rules:
firewall-cmd --direct --get-all-rules
Solution 2
After asking the same question myself, and with some tinkering, I've gathered some nice rules for restricting outgoing traffic to HTTP/HTTPS and DNS queries:
Allow established connections:
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow HTTP:
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT
Allow HTTPS:
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
Allow for DNS queries:
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 53 -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p udp --dport 53 -j ACCEPT
Deny everything else:
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 2 -j DROP
It might be a good idea to test first by omitting the '--permanent' argument.
I am by no means an expert, but this seems to work fine for me :)
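The allow-list from Solution 2, as an added example that is not part of any of the answers above: it builds the ordered set of direct rules once, so the priorities (ESTABLISHED first, the catch-all DROP last) can be checked before anything touches the firewall, and applies them at runtime only unless `--permanent` is passed. It also extends the set to `ipv6`, which the answer does not cover; the extra ICMPv6 accept rule for that family is an assumption of mine, added because an IPv6 OUTPUT DROP without it breaks neighbour discovery.

```shell
#!/bin/sh
# Added example: egress allow-list (established, HTTP, HTTPS, DNS, drop the rest)
# expressed as firewalld direct rules for ipv4 and ipv6.

# Print one direct rule per line: "<family> filter OUTPUT <priority> <args>".
# Lower priority numbers are evaluated first, so the final DROP must carry
# the highest number or it would shadow every ACCEPT rule after it.
egress_rules() {
    for fam in ipv4 ipv6; do
        echo "$fam filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT"
        if [ "$fam" = ipv6 ]; then
            # Assumption beyond the answer: IPv6 relies on outgoing ICMPv6
            # (neighbour/router solicitation), which ESTABLISHED does not cover.
            echo "$fam filter OUTPUT 0 -p ipv6-icmp -j ACCEPT"
        fi
        echo "$fam filter OUTPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT"
        echo "$fam filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT"
        echo "$fam filter OUTPUT 1 -p tcp -m tcp --dport 53 -j ACCEPT"
        echo "$fam filter OUTPUT 1 -p udp --dport 53 -j ACCEPT"
        echo "$fam filter OUTPUT 2 -j DROP"
    done
}

# Number of rules in the set (6 for ipv4, 7 for ipv6).
egress_rule_count() {
    egress_rules | wc -l | tr -d ' '
}

# Sanity check for one family: its last rule must be the catch-all DROP
# at the highest priority, otherwise the allow-list is mis-ordered.
last_rule_is_drop() {
    egress_rules | grep "^$1 " | tail -n 1 | grep -q " 2 -j DROP$"
}

# apply_egress_rules [--permanent]
# Runtime-only by default (test that SSH and HTTP still work before making it
# permanent); with --permanent, follow up with `firewall-cmd --reload`.
apply_egress_rules() {
    last_rule_is_drop ipv4 && last_rule_is_drop ipv6 || return 1
    egress_rules | while read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into words is intended
        firewall-cmd "$@" --direct --add-rule $rule
    done
}

# On a real host:
# apply_egress_rules                 # runtime only
# apply_egress_rules --permanent && firewall-cmd --reload
```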
Solution 3
Concerning the GUI, I think you find this under "Direct Configuration". To access it you have to select it in "View". I could be wrong.
Side note
To delete rules, you have to exit and then reenter.
golem, updated on September 18, 2022
Comments
- golem over 1 year: RHEL7/CentOS7 features a new firewalld firewall service that replaces the iptables service (both of which use the iptables tool to interact with the kernel's Netfilter underneath). firewalld can be easily tuned to block incoming traffic, but as noted by Thomas Woerner 1.5 years ago, "limiting outgoing traffic is not possible with firewalld in a simple way at the moment". And as far as I can see the situation hasn't changed since then. Or has it? Is there any way to block outgoing traffic with firewalld? If not, are there any other "standard" ways (on the RHEL7 distro) of blocking outgoing traffic except manually adding rules through the iptables tool?
- Casey over 6 years: How does one achieve this using the actual rich-rule language?
- Rice over 6 years: @Casey By my understanding, rich rules are strictly used for INPUT chains.
- mwfearnley about 5 years: I presume the above rules work only for ipv4 (iptables). It may be desirable to have similar rules for ipv6 (for ip6tables) or eb (for ebtables).
- mwfearnley about 5 years: Also, this killed my SSH connection to the server! See user253068's answer for how to retain established connections.
- mwfearnley about 5 years: At some point you may find it useful to remove the rules. Removing single direct rules seems tricky, but for a sledgehammer, firewall-cmd [--permanent] --direct --remove-rules ipv4 filter OUTPUT will do a bulk remove.