Blocking IP Addresses with firewalld

Overview

firewalld is a dynamic firewall management tool that provides a flexible and powerful interface for managing network traffic on Linux systems. It serves as a frontend for the netfilter framework and uses iptables as its backend. One of the most common security tasks is blocking specific IP addresses to prevent unauthorized access or mitigate attacks.

Understanding firewalld Architecture

Core Components

firewalld operates on several key concepts that work together to provide comprehensive network security:

Zones: Predefined sets of rules that define the trust level of network connections. Each zone has specific rules about what traffic is allowed or denied.

Services: Predefined configurations for common network services like SSH, HTTP, HTTPS, etc.

Rich Rules: Advanced rule configurations that provide fine-grained control over network traffic.

Direct Rules: Low-level iptables rules that bypass firewalld's zone-based system.

Zone Types

| Zone | Description | Default Behavior | |------|-------------|------------------| | drop | Lowest trust level | Drops all incoming packets without reply | | block | Low trust level | Rejects all incoming connections with icmp-host-prohibited | | public | Default zone | Accepts only selected incoming connections | | external | For external networks | Masquerading enabled, limited incoming connections | | dmz | Demilitarized zone | Limited incoming connections for public services | | work | Work environment | More services accepted than public | | home | Home environment | Most services accepted | | internal | Internal networks | Most services accepted | | trusted | Highest trust level | All network connections accepted |

Installation and Basic Setup

Installing firewalld

On Red Hat-based systems: `bash sudo yum install firewalld `

On Debian-based systems: `bash sudo apt-get install firewalld `

Starting and Enabling firewalld

`bash

Start the firewalld service

Enable firewalld to start at boot

Check firewalld status

Basic Configuration Check

`bash

Check if firewalld is running

List all zones

Get default zone

List active zones

Methods for Blocking IP Addresses

Method 1: Using Rich Rules

Rich rules provide the most flexible approach for blocking IP addresses with detailed logging and specific conditions.

#### Blocking a Single IP Address

`bash

Block a specific IP address

Block with permanent configuration

Reload firewall to apply permanent changes

#### Blocking IP Address with Logging

`bash

Block IP with logging

Block IP with rate-limited logging

#### Blocking IP Ranges (CIDR Notation)

`bash

Block an entire subnet

Block a larger network range

Method 2: Using Drop Zone

The drop zone automatically drops all incoming packets from assigned sources.

`bash

Add IP to drop zone

Make it permanent

Add IP range to drop zone

Reload configuration

Method 3: Using Block Zone

The block zone rejects connections and sends an ICMP reply.

`bash

Add IP to block zone

Make it permanent

Reload configuration

Method 4: Using Direct Rules

Direct rules provide low-level iptables access for complex scenarios.

`bash

Block IP using direct rule

Block IP range using direct rule

Reload configuration

Advanced Blocking Techniques

Time-Based Blocking

`bash

Block IP during specific hours (9 AM to 5 PM)

Port-Specific Blocking

`bash

Block IP from accessing SSH (port 22)

Block IP from accessing HTTP and HTTPS

Protocol-Specific Blocking

`bash

Block all TCP traffic from IP

Block all UDP traffic from IP

Managing Blocked IP Addresses

Listing Blocked IPs

`bash

List all rich rules

List sources in drop zone

List sources in block zone

List all direct rules

Removing Blocked IPs

`bash

Remove IP from rich rule

Remove IP from drop zone

Remove IP from block zone

Remove direct rule

Reload configuration

Command Reference Table

| Command | Description | Example | |---------|-------------|---------| | --add-rich-rule | Add a rich rule | firewall-cmd --add-rich-rule="rule family='ipv4' source address='1.2.3.4' reject" | | --remove-rich-rule | Remove a rich rule | firewall-cmd --remove-rich-rule="rule family='ipv4' source address='1.2.3.4' reject" | | --list-rich-rules | List all rich rules | firewall-cmd --list-rich-rules | | --add-source | Add IP to zone | firewall-cmd --zone=drop --add-source=1.2.3.4 | | --remove-source | Remove IP from zone | firewall-cmd --zone=drop --remove-source=1.2.3.4 | | --list-sources | List sources in zone | firewall-cmd --zone=drop --list-sources | | --permanent | Make change permanent | firewall-cmd --permanent --add-source=1.2.3.4 | | --reload | Reload firewall configuration | firewall-cmd --reload | | --direct --add-rule | Add direct iptables rule | firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 1.2.3.4 -j DROP |

Bulk IP Blocking

Using a Script for Multiple IPs

Create a script to block multiple IP addresses:

`bash #!/bin/bash

bulk_block.sh

Array of IP addresses to block

Block each IP using rich rules

Reload firewall

Blocking from File

`bash #!/bin/bash

block_from_file.sh

Read IPs from file (one per line)

sudo firewall-cmd --reload `

Logging and Monitoring

Configuring Logging

`bash

Enable logging for dropped packets

View current log setting

Set specific log levels

Monitoring Blocked Traffic

`bash

View firewall logs

View kernel logs for dropped packets

Check iptables logs

Performance Considerations

Optimization Strategies

| Strategy | Description | Use Case | |----------|-------------|----------| | Use zones over rich rules | Zones are processed faster | Blocking many IPs | | Limit logging | Excessive logging impacts performance | High-traffic environments | | Use CIDR notation | Block ranges instead of individual IPs | Blocking subnets | | Regular cleanup | Remove outdated rules | Maintenance |

Resource Usage

`bash

Check number of active rules

Monitor firewalld memory usage

Check rule processing time

Troubleshooting

Common Issues and Solutions

| Issue | Cause | Solution | |-------|-------|----------| | Rules not applying | Missing --reload | Run firewall-cmd --reload | | Can't access service | Blocked legitimate traffic | Check and adjust rules | | High CPU usage | Too many rules/logging | Optimize rules, reduce logging | | Rules disappear after reboot | Not made permanent | Use --permanent flag |

Debugging Commands

`bash

Check firewalld configuration

Verify iptables rules

Check for syntax errors

View detailed zone information

Test rule matching

Security Best Practices

Rule Management

1. Document Changes: Keep records of all blocked IPs and reasons 2. Regular Reviews: Periodically review and clean up rules 3. Testing: Test rules in non-production environments first 4. Backup Configuration: Regular backups of firewall configuration 5. Monitoring: Implement monitoring for blocked traffic patterns

Configuration Backup

`bash

Backup current configuration

Export configuration

Save rich rules

IPv6 Support

Blocking IPv6 Addresses

`bash

Block IPv6 address using rich rule

Block IPv6 range

Add IPv6 to drop zone

Integration with Fail2Ban

firewalld can work alongside fail2ban for automated IP blocking based on log analysis.

Fail2Ban Configuration

`bash

Install fail2ban

Configure fail2ban to use firewalld

Edit /etc/fail2ban/jail.local

This comprehensive guide provides the foundation for effectively blocking IP addresses using firewalld, from basic single IP blocks to advanced automated solutions with logging and monitoring capabilities.