Why firewalld doesn't apply my drop rule?


I had the same/similar issues. After hours of troubleshooting, I have the following observations.

The order of the iptables rule chain (for 'public' zone) is:

IN_public_log 
IN_public_deny
IN_public_allow

This means that 'deny' rules are processed before 'allow' rules, so this is significant in understanding the order in which the rules are matched. I don't know whether this order can be changed.

I came across the same issue in that issuing a firewall-cmd --reload did not seem to affect whether the SIP packets get dropped or accepted, but a reboot resolved it.

However, I found the firewall-cmd --complete-reload command and that seems to work better, although I think this will drop any existing sessions. But at least I can get the firewalld rules changed and not have to reboot to get them to fully/properly apply.

I have also noticed that sngrep still seems to be able to capture and display the SIP message even though it is blocked, but it shows it with a msg count of 1 and there is no response message (because it was actually blocked).

UPDATE: I understand sngrep (since 0.1.0) uses libpcap - see https://github.com/irontec/sngrep/wiki. According to this post, libpcap processes the (inbound) packets before they get processed by the 'firewall'. I assume 'firewall' in this case can also mean firewalld. See Will tcpdump see packets that are being dropped by iptables?

Note: CentOS 7 seems to come with firewalld version 0.4.4.4. The latest is 0.6.0, but I don't know how to upgrade it yet. I'm hoping the newer versions may resolve/fix the above issues.


Author: Sara

Updated on September 18, 2022

Comments

  • Sara
    Sara over 1 year

    In CentOS 7 I want to block traffic from a source IP (for example 3.3.3.3), and for that I apply the following rule:

    # firewall-cmd --permanent --zone=drop --add-source=3.3.3.0/24
    # firewall-cmd --reload
    

    After that command I checked that my rule applies by:

    firewall-cmd --list-all --zone=drop
    drop (active)
      target: DROP
      icmp-block-inversion: no
      interfaces: 
      sources: 3.3.3.0/24
      services: 
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    

    Here you can see the output of all the other active rules:

    firewall-cmd --list-all --zone=public
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: eno4
      sources: 
      services: dhcpv6-client ssh
      ports: 5060/udp 16384-32768/udp
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules:
    
    firewall-cmd --list-all --zone=internal
    internal (active)
      target: default
      icmp-block-inversion: no
      interfaces: eno1
      sources: 
      services: mdns dhcpv6-client samba-client ssh
      ports: 80/tcp 60024/tcp 5080/udp 8080/tcp 5060/tcp 161/udp 5080/tcp 5060/udp 16384-32768/udp
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    

    In the route table, the public zone is the one that routes traffic for 3.3.3.0/24.

    ip route
    default via 1.1.1.1 dev eno4 
    10.1.1.0/24 via 10.1.1.1 dev eno1 
    

    So that rule is applied, but I still get traffic (UDP) from this source IP on a listening port (5060) on my CentOS machine. What is wrong with my rule?

    UPDATE: as Michael mentioned, here is the output of iptables -nvL

    iptables -nvL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
      46M   33G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    53342 3122K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
     315K   35M INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     315K   35M INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     315K   35M INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       85  3916 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
     1908 87293 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
        0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    
    Chain OUTPUT (policy ACCEPT 46M packets, 21G bytes)
     pkts bytes target     prot opt in     out     source               destination         
      46M   21G OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain FORWARD_IN_ZONES (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 FWDI_public  all  --  eno4   *       0.0.0.0/0            0.0.0.0/0           [goto] 
        0     0 FWDI_internal  all  --  eno1   *       0.0.0.0/0            0.0.0.0/0           [goto] 
        0     0 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 
    
    Chain FORWARD_IN_ZONES_SOURCE (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 FWDI_drop  all  --  *      *       3.3.3.0/24       0.0.0.0/0           
        0     0 FWDI_drop  all  --  *      *       3.3.3.0/24       0.0.0.0/0           
    
    Chain FORWARD_OUT_ZONES (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 FWDO_public  all  --  *      eno4    0.0.0.0/0            0.0.0.0/0           [goto] 
        0     0 FWDO_internal  all  --  *      eno1    0.0.0.0/0            0.0.0.0/0           [goto] 
        0     0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto] 
    
    Chain FORWARD_OUT_ZONES_SOURCE (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 FWDO_drop  all  --  *      *       0.0.0.0/0            3.3.3.0/24      
        0     0 FWDO_drop  all  --  *      *       0.0.0.0/0            3.3.3.0/24      
    
    Chain FORWARD_direct (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FWDI_drop (2 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 FWDI_drop_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 FWDI_drop_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 FWDI_drop_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain FWDI_drop_allow (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FWDI_drop_deny (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FWDI_drop_log (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FWDI_internal (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 FWDI_internal_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 FWDI_internal_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 FWDI_internal_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain FWDI_internal_allow (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FWDI_internal_deny (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FWDI_internal_log (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FWDI_public (2 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain FWDI_public_allow (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FWDI_public_deny (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FWDI_public_log (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FWDO_drop (2 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 FWDO_drop_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 FWDO_drop_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 FWDO_drop_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain FWDO_drop_allow (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FWDO_drop_deny (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FWDO_drop_log (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FWDO_internal (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 FWDO_internal_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 FWDO_internal_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 FWDO_internal_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain FWDO_internal_allow (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FWDO_internal_deny (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FWDO_internal_log (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FWDO_public (2 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain FWDO_public_allow (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FWDO_public_deny (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FWDO_public_log (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain INPUT_ZONES (1 references)
     pkts bytes target     prot opt in     out     source               destination         
     272K   32M IN_public  all  --  eno4   *       0.0.0.0/0            0.0.0.0/0           [goto] 
    42964 2736K IN_internal  all  --  eno1   *       0.0.0.0/0            0.0.0.0/0           [goto] 
        0     0 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 
    
    Chain INPUT_ZONES_SOURCE (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 IN_drop    all  --  *      *       3.3.3.0/24       0.0.0.0/0           
        0     0 IN_drop    all  --  *      *       3.3.3.0/24       0.0.0.0/0           
    
    Chain INPUT_direct (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain IN_drop (2 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 IN_drop_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 IN_drop_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 IN_drop_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain IN_drop_allow (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain IN_drop_deny (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain IN_drop_log (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain IN_internal (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    42964 2736K IN_internal_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    42964 2736K IN_internal_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    42964 2736K IN_internal_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain IN_internal_allow (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW
      201 15678 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137 ctstate NEW
      627  144K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138 ctstate NEW
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
      969 50388 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
    39727 2400K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:60024 ctstate NEW
        7  4458 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5080 ctstate NEW
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 ctstate NEW
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5060 ctstate NEW
     1252 90788 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161 ctstate NEW
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5080 ctstate NEW
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 ctstate NEW
      140 28000 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:16384:32768 ctstate NEW
    
    Chain IN_internal_deny (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain IN_internal_log (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain IN_public (2 references)
     pkts bytes target     prot opt in     out     source               destination         
     272K   32M IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     272K   32M IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     272K   32M IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        5   196 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain IN_public_allow (1 references)
     pkts bytes target     prot opt in     out     source               destination         
     1184 70012 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
      388  271K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 ctstate NEW
     268K   31M ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:16384:32768 ctstate NEW
    
    Chain IN_public_deny (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 REJECT     all  --  *      *       3.3.3.0/24       0.0.0.0/0            reject-with icmp-port-unreachable
        0     0 REJECT     all  --  *      *       3.3.3.0/24       0.0.0.0/0            reject-with icmp-port-unreachable
    
    Chain IN_public_log (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT_direct (1 references)
     pkts bytes target     prot opt in     out     source               destination    
    

    UPDATE: In the following ladder diagram (sngrep) you can see that the OPTIONS ping (5060) is answered by my application, so the firewall rule had no effect.

    [screenshot: sngrep ladder diagram]

    UPDATE 2: The error occurs again, and now when I reload the filter rule the IP isn't applied to the drop list. I figured out that the issue occurs if the interface is under traffic load. After shutting down and restarting the server the rule is applied. But I need a way to apply a drop rule even when the server is under load.
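As an added illustration (this is not code from the question or from the answer above), the following Python script replays the question's `iptables -nvL` dump as a packet trace. The dump it embeds is a constructed, trimmed copy of the INPUT-side chains shown in the question; the packet it traces (a SIP OPTIONS ping from 3.3.3.3 arriving on eno4, destination address made up) is invented for the example, and `rule_matches` only implements the match columns that appear in this dump (protocol, in-interface, source, destination, ctstate, dpt/dpts). It shows three things that follow from the rule layout: a packet from 3.3.3.0/24 in conntrack state NEW goes INPUT -> INPUT_ZONES_SOURCE -> IN_drop -> DROP, so the drop-zone source binding itself is correct; a packet that conntrack already classes as ESTABLISHED is accepted by the very first INPUT rule (ctstate RELATED,ESTABLISHED) and never reaches the zone chains at all, which is consistent with counters like the ones above (IN_drop at 0 packets while the 5060/udp allow rule keeps counting); and inside IN_public the deny chain is evaluated before the allow chain, as the answer says.

```python
"""Trace one packet through an `iptables -nvL` dump of firewalld's INPUT chains."""
import ipaddress

# Constructed sample: a trimmed copy of the INPUT-side chains from the question's
# dump. Chains missing here (INPUT_direct, IN_drop_log, ...) are empty in the
# question too and are treated as empty below.
DUMP = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  46M   33G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
53342 3122K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 315K   35M INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 315K   35M INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 315K   35M INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   85  3916 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 1908 87293 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
 272K   32M IN_public  all  --  eno4   *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 IN_drop    all  --  *      *       3.3.3.0/24       0.0.0.0/0

Chain IN_drop (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 IN_drop_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 IN_drop_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 IN_drop_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
 272K   32M IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 272K   32M IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 272K   32M IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    5   196 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1184 70012 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
  388  271K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 ctstate NEW
 268K   31M ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:16384:32768 ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       3.3.3.0/24       0.0.0.0/0            reject-with icmp-port-unreachable
"""

VERDICTS = {"ACCEPT", "DROP", "REJECT"}

# Constructed packet: a SIP OPTIONS ping from the blocked range arriving on eno4
# (the destination address is made up for the example).
SIP_FROM_BLOCKED = {"src": "3.3.3.3", "dst": "10.1.1.5", "in": "eno4",
                    "proto": "udp", "dport": 5060, "ctstate": "NEW"}


def packets(count):
    """Expand iptables' abbreviated counters ('272K', '46M') to integers."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(count[:-1]) * mult[count[-1]] if count[-1] in mult else int(count)


def parse_dump(text):
    """Return {chain: [rule, ...]} from `iptables -nvL` output."""
    chains, cur = {}, None
    for line in text.splitlines():
        f = line.split()
        if line.startswith("Chain "):
            cur = f[1]
            chains[cur] = []
        elif cur and f and f[0] != "pkts":      # skip blank and header lines
            chains[cur].append({"pkts": packets(f[0]), "target": f[2], "prot": f[3],
                                "in": f[5], "src": ipaddress.ip_network(f[7]),
                                "dst": ipaddress.ip_network(f[8]),
                                "extra": f[9:], "goto": "[goto]" in f})
    return chains


def rule_matches(rule, pkt):
    """Evaluate the match columns firewalld's INPUT rules use in this dump."""
    if rule["prot"] not in ("all", pkt["proto"]) or rule["in"] not in ("*", "+", pkt["in"]):
        return False
    if (ipaddress.ip_address(pkt["src"]) not in rule["src"]
            or ipaddress.ip_address(pkt["dst"]) not in rule["dst"]):
        return False
    ex = rule["extra"]
    for i, tok in enumerate(ex):
        if tok == "ctstate" and pkt["ctstate"] not in ex[i + 1].split(","):
            return False
        if tok.startswith("dpt:") and pkt["dport"] != int(tok[4:]):
            return False
        if tok.startswith("dpts:"):
            lo, hi = map(int, tok[5:].split(":"))
            if not lo <= pkt["dport"] <= hi:
                return False
    return True


def trace(chains, chain, pkt, path=None):
    """Walk a chain the way the kernel does; return (verdict or None, path)."""
    path = [] if path is None else path
    for rule in chains.get(chain, []):          # unknown chain == empty chain
        if not rule_matches(rule, pkt):
            continue
        path = path + [f"{chain} -> {rule['target']}"]
        if rule["target"] in VERDICTS:
            return rule["target"], path
        verdict, path = trace(chains, rule["target"], pkt, path)
        if verdict or rule["goto"]:             # a goto never returns to this chain
            return verdict, path
    return None, path


def decide(chains, pkt):
    """Final verdict for a packet entering INPUT (no match falls to the policy)."""
    verdict, path = trace(chains, "INPUT", pkt)
    return verdict or "policy ACCEPT", path


def hit_counts(chains, chain):
    """(target, packets) per rule, to compare the trace with what the counters say."""
    return [(r["target"], r["pkts"]) for r in chains[chain]]


if __name__ == "__main__":
    chains = parse_dump(DUMP)
    for state in ("NEW", "ESTABLISHED"):
        print(state, decide(chains, dict(SIP_FROM_BLOCKED, ctstate=state)))
    print("IN_drop counters:", hit_counts(chains, "IN_drop"))
```

To use it on a live box, replace `DUMP` with the output of `iptables -nvL` (any match extension not handled in `rule_matches` would need adding). The practical check this points at: an ongoing UDP exchange keeps its conntrack entry refreshed, so a freshly added source drop only bites once no entry for that source exists and the next packet is classed NEW. `conntrack -L -s 3.3.3.3` (from conntrack-tools) shows whether such an entry exists and `conntrack -D -s 3.3.3.3` deletes it; the IN_drop counters in `iptables -nvL` should start moving afterwards.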

  • Sara
    Sara about 6 years
    In the CentOS documentation I read that using the drop zone is the most common way of blocking IPs, but I tried your way too and it also doesn't work.
  • Nasir Riley
    Nasir Riley about 6 years
    Zone is referring to the zone where you want the rule to apply. It doesn't mean that you use the code zone=drop. You also don't need to do anything with iptables as you already have firewalld running. As you have tried my command, what do you get from firewall-cmd --list-rich-rules? Have you restarted the firewalld service?
  • Sara
    Sara about 6 years
    firewall-cmd --list-rich-rules rule family="ipv4" source address="3.3.3.0/24" reject
  • Sara
    Sara about 6 years
    I read about both ways, the one with the drop rule and your way, but neither works.
  • Sara
    Sara about 6 years
    firewall-cmd --get-zone-of-interface=eno4 public
  • Sara
    Sara about 6 years
    the output was public
  • Nasir Riley
    Nasir Riley about 6 years
    Can you post an output in your question for whatever you are using to see incoming traffic so that we can verify that traffic is coming in from that source?
  • Sara
    Sara about 6 years
    I use sngrep to monitor VoIP traffic. From that IP I get an OPTIONS ping and my application answers with OK, so the traffic comes through. But I will post a screenshot too.
  • Sara
    Sara about 6 years
    In the documentation I can read that I do not need to assign an interface to that drop zone, because the drop zone is applied to every interface on which that source IP comes in.
  • Nasir Riley
    Nasir Riley about 6 years
    That graphic isn't very informative. It doesn't show where the traffic is coming from so how are you determining that it comes from the IP address that you are trying to block?
  • Danila Vershinin
    Danila Vershinin almost 5 years
    You are trying to do something with the zone "drop" but there is no interface in that zone, which is fine. A zone does not have to be bound to an interface in order to apply to some connection. Zones can be bound to source IP addresses only, exactly like the drop zone here.