drop ip blacklist with firewalld centos 7
The best way to manage firewall rules with large numbers of IP addresses remains with ipset.
Then create a set of IP addresses:
ipset create blacklist hash:ip hashsize 4096
and add each of the IP addresses you need to block:
ipset add blacklist 192.168.0.5
ipset add blacklist 192.168.0.100
ipset add blacklist 192.168.0.220
AFAIK firewalld does not yet have an API method for adding the required iptables rule that works on the match module, so you're going to end up doing something slightly ugly like this, I think:
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -m set --match-set blacklist src -j DROP
instead of the usual
iptables -I INPUT -m set --match-set blacklist src -j DROP
you would have done without firewalld.
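As an added example that is not part of the original answer, the script below does the same thing for a whole file of addresses, one per line, as in the /etc/blocklist.ips file mentioned in the comments: it validates each line, turns the list into a single "ipset restore" batch instead of 1500 separate "ipset add" calls, and then installs the direct rule from the answer. The set name and hashsize follow the answer; the helper names, the sample file and the --permanent variant of the direct rule are my own additions and assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer: build the "blacklist" ipset
# from a file with one address per line (the question's /etc/blocklist.ips)
# and hook it into firewalld with the direct rule shown in the answer.
# Assumptions: ipset and firewall-cmd are on PATH and the caller is root
# when apply_blocklist runs; helper names are my own; the sample file at
# the bottom is constructed for demonstration.

SET_NAME="blacklist"

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_ipset_restore FILE: print an "ipset restore" batch for FILE.
# Blank lines and '#' comments are ignored; malformed entries are reported
# on stderr and skipped so one bad line does not abort the whole load.
# "-exist" makes the batch idempotent when the set or an entry already exists.
build_ipset_restore() {
    printf 'create %s hash:ip hashsize 4096 -exist\n' "$SET_NAME"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t\r')   # drop blanks and CR
        [ -n "$line" ] || continue
        if is_ipv4 "$line"; then
            printf 'add %s %s -exist\n' "$SET_NAME" "$line"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done < "$1"
}

# count_entries FILE: number of addresses the batch would add.
count_entries() {
    build_ipset_restore "$1" 2>/dev/null | grep -c '^add '
}

# apply_blocklist FILE: load the set in one shot and add the DROP rule.
# The first firewall-cmd call is the runtime rule from the answer; the
# --permanent call makes it survive a firewalld reload. The ipset itself is
# runtime state and has to be restored before firewalld starts at boot.
apply_blocklist() {
    build_ipset_restore "$1" | ipset restore || return 1
    firewall-cmd --direct --add-rule ipv4 filter INPUT 0 \
        -m set --match-set "$SET_NAME" src -j DROP || return 1
    firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 \
        -m set --match-set "$SET_NAME" src -j DROP
}

# Constructed sample standing in for /etc/blocklist.ips: the three addresses
# from the answer plus a comment, a blank line and two malformed entries.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
# constructed sample blocklist
192.168.0.5
192.168.0.100   # inline comment is stripped
192.168.0.220

999.1.1.1
not-an-ip
EOF

# Run directly: preview the batch for the sample file. Pass "--apply FILE"
# as root to load a real list and add the rule.
if [ "${1:-}" = "--apply" ]; then
    apply_blocklist "${2:-/etc/blocklist.ips}"
else
    build_ipset_restore "$SAMPLE_FILE"
fi
```

Run without arguments it only prints the batch (the create line plus three add lines, with the two bad entries reported on stderr); with --apply /etc/blocklist.ips as root it loads the set and adds the rule. Two caveats a practitioner will want: the direct rule with --permanent survives a firewalld reload, but the ipset is kernel state that must be saved (ipset save) and restored before firewalld starts, which on CentOS 7 is what the ipset-service package does with /etc/sysconfig/ipset; and newer firewalld releases can manage ipsets natively (firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip, then --ipset=blacklist --add-entries-from-file=FILE), which avoids the direct rule entirely. The script follows the answer's approach rather than that one.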
MikZuit
Updated on September 18, 2022
Comments
- MikZuit over 1 year
Question 1
I have a very long list, 1500+ IPs, in a file, let's say /etc/blocklist.ips, each IP on a line of the file. How can I DROP every IP in the file with firewalld on CentOS 7? Also, I've been looking and there are .xml files in the /firewalld folder, so does this mean that I should create my blocklist in a .xml file?
Question 2
Firewalld being stopped doesn't mean rules created with firewalld are not working in iptables, right?
Question 3
Will flushing iptables also delete everything in firewalld?
- HBruijn about 9 years
Thank you for posting on ServerFault. Getting good answers requires the effort of writing a good question and as it stands now yours is three, albeit somewhat related, questions in one, making it slightly difficult to provide you with a quality answer.