Blocking IP addresses using Firewalld
Posted in Red Hat Enterprise Linux. Tags: configuration, rhel 7.0. 14 comments; latest response 2021-10-12T22:55:03+00:00.

2URedRiver (started 2015-02-05T19:38:00+00:00):
Is there a way to block a specific IP address in firewalld? I know it can be done in iptables, however I would like to use the firewalld service.

Community Leader firstname.lastname@example.org (5 February 2015, 7:47 PM):
I'm getting up to speed myself, so please keep that in mind ;-)
From what I can gather, this activity is considered a "rich rule":
http://fedoraproject.org/wiki/Features/FirewalldRichLanguage#Handle_rich_rules_with_the_command_line_client

    firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.0.11' reject"

Check here (under "Actions"): http://fedoraproject.org/wiki/Features/FirewalldRichLanguage

2URedRiver (5 February 2015, 9:17 PM):
Thanks very much, it seems simple enough.

Stephen Wadeley, Red Hat (6 February 2015, 12:17 PM):
Hello, see also "Configuring Complex Firewall Rules with the 'Rich Language' Syntax" in the Red Hat Enterprise Linux Security Guide.

Albert Wong, Red Hat (4 May 2017, 8:26 PM):
Just to add a side question... Can you add the IP or range to the "blocked" or "drop" firewalld zone? No, because interfaces are not active on those zones.

Chris Scarff (26 May 2017, 1:13 PM):
Great info, thanks for sharing!

V R (28 September 2017, 8:48 PM):
I just added the following to the drop zone and it worked without any issue:

    firewall-cmd --zone=drop --add-source=x.x.x.x/xx

Replace x.x.x.x with the IP; you can add the subnet under /xx.

Nandkishor Gupta (17 July 2018, 1:52 PM):
Could you please let me know how we can allow specific IP addresses for SSH and MySQL?
No one can access SSH and MySQL except the allowed IP.

Jonathan Groves (18 July 2018, 9:14 AM):
You could also use /etc/hosts.allow to only allow access via a certain IP list/hostnames, e.g.

    # System Administration
    sshd: 10.10. 10.12. 10.1.61. 10.25. 10.1.10.19

Nandkishor Gupta (19 July 2018, 11:00 AM):
Thanks, Jonathan, for the quick reply. I have done this using iptables. I have also used hosts.allow and hosts.deny for the same, but hosts.allow/hosts.deny doesn't restrict MySQL traffic. As we are aware, the firewalld service has been introduced and I want to use the firewalld service as iptables does. I also want to know for knowledge purposes. It would be greatly appreciated if you could provide an answer for the same.

Jonathan Groves (19 July 2018, 12:18 PM):
You should be able to add the mysql service (port 3306) to the firewall, then allow only certain IP addresses access:

    # firewall-cmd --zone=public --add-service=mysql --permanent
    # firewall-cmd --add-rich-rule 'rule family="ipv4" source address="your_IP_or_IP_Range" service name="mysql" accept' --permanent

Nandkishor Gupta (19 July 2018, 1:39 PM):

    firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.1.26" service name="ssh" accept' --permanent

    [root@localhost ~]# firewall-cmd --zone=public --list-all
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: eno16777736
      sources:
      services: dhcpv6-client ssh mysql
      ports:
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
            rule family="ipv4" source address="192.168.1.26" service name="ssh" accept

I tried the same rule for SSH but it's not working. I am able to access SSH from other IPs. I think for SSH I need to use hosts.allow. If you have any idea how to allow a specific IP address for SSH in firewalld, please share. Thank you so much for paying attention to this.
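Added example (not code from any poster in this thread): a script that restricts SSH and MySQL to an allow-list of sources with firewalld rich rules. It first removes the zone-wide service entries, because a service listed under "services:" is accepted from every source whatever rich rules exist (the reason the rule above had no effect, as Marc Milgram explains in the next reply), and it reloads so the --permanent changes reach the running firewall. The zone name, the DRY_RUN switch and the run wrapper are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): restrict ssh and mysql to an allow-list
# of source addresses with firewalld rich rules. Assumes RHEL 7 with firewalld
# running and the "public" zone active on the interface.
# Set DRY_RUN=1 to print the firewall-cmd invocations instead of running them.

FWCMD="${FWCMD:-firewall-cmd}"
ZONE="${ZONE:-public}"

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# rich_rule SERVICE SOURCE -> the rule string firewalld expects
rich_rule() {
    printf 'rule family="ipv4" source address="%s" service name="%s" accept' "$2" "$1"
}

# restrict_services ALLOWED_SOURCE... : drop the zone-wide allow for ssh and
# mysql (otherwise every source still matches), accept only from the listed
# sources, then reload so the --permanent changes take effect. Keep your own
# admin address in the list; only sessions already in conntrack survive without it.
restrict_services() {
    for svc in ssh mysql; do
        # --permanent only edits the saved config; runtime is refreshed by --reload
        run "$FWCMD" --permanent --zone="$ZONE" --remove-service="$svc"
        for src in "$@"; do
            run "$FWCMD" --permanent --zone="$ZONE" --add-rich-rule="$(rich_rule "$svc" "$src")"
        done
    done
    run "$FWCMD" --reload
}

# Usage: sh restrict.sh 192.168.1.26 10.1.61.0/24
if [ $# -gt 0 ]; then
    restrict_services "$@"
fi
```

Sources outside the list then fall through to the zone's default target, which rejects them in the public zone.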
Marc Milgram, Red Hat (20 July 2018, 7:07 PM):
Nandkishor,
Looking at the output of your command, ssh is in both the services: section and the rich rules section. I think the services section will allow ssh to be accepted everywhere the public zone applies. If you want ssh to only be accepted from 192.168.1.26, remove ssh from the services:

    firewall-cmd --remove-service=ssh --permanent

Regards,
Marc

Michael Hughes (12 October 2021, 6:09 PM):
I find that adding an IP to the drop zone works just fine, despite the numerous warnings above stating otherwise. Try it for yourself:

    firewall-cmd --zone=drop --add-source=10.x.x.x

Perhaps in more complex situations with multiple interfaces it is not recommended?
What is still elusive to me is how to block an existing connection. I set up a ping from one server to another. After adding the above rule (or a rich rule - it behaves the same), the pings continue to be allowed, presumably because they are an existing connection. See this for more info: https://superuser.com/questions/1571582/how-to-get-an-ip-address-blocked-with-firewall-cmd-with-immediate-effect
So the only way to stop an existing TCP session would seem to be to have the originator pause the 'attack' so firewalld can block it, or to reboot your server?

Jamie Bainbridge, Red Hat (12 October 2021, 10:55 PM):
> What is still elusive to me is how to block an existing connection.

The existing connection is in conntrack, so it matches the RELATED,ESTABLISHED rule rather than the later port- or IP-based allow/deny rules. One way is to find the connection in conntrack and delete it (see: Traffic is still allowed in the firewall after removing the port allow rule). Another way is to match the connection as a direct rule somewhere very early in netfilter, such as raw PREROUTING, and drop it there. Once the connection times out of conntrack, you can remove that rule.
Both of these will still leave the local socket open as far as the application and kernel are concerned. If you need to end a TCP session like that, you can add a direct rule to match the connection in filter OUTPUT and jump to -j REJECT --reject-with tcp-reset, which will cause the firewall to send a TCP reset back to the local application, terminating the local session.
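Added example (not from Jamie's reply or from any Red Hat tool): a script that carries out the steps in this reply as runtime firewall-cmd rules plus a conntrack delete, so a block also reaches connections that are already established. The DRY_RUN switch, the address check and the own-session guard are assumptions of this example; the rule arguments follow the firewall-cmd --direct syntax (table, chain, priority, then iptables arguments).

```shell
#!/bin/sh
# Added example (not from the thread): block an address with immediate effect,
# existing connections included, following the steps Jamie Bainbridge lists.
# Assumes RHEL 7 with firewalld running and conntrack-tools installed.
# Set DRY_RUN=1 to print the commands instead of executing them.

FWCMD="${FWCMD:-firewall-cmd}"
CONNTRACK="${CONNTRACK:-conntrack}"

run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Accept only a plain IPv4 address or address/prefix (constructed sanity check).
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# block_ip ADDRESS : runtime rules only (no --permanent), so they apply at once.
block_ip() {
    ip="$1"
    valid_ipv4 "$ip" || { echo "block_ip: bad address '$ip'" >&2; return 1; }
    # Refuse to cut off the SSH session this shell runs in ($SSH_CLIENT is "ip port port").
    case "${SSH_CLIENT:-}" in "$ip "*) echo "block_ip: refusing to block own session" >&2; return 1 ;; esac
    # 1. New connections: the drop zone has no accept rules, so matching sources are dropped.
    run "$FWCMD" --zone=drop --add-source="$ip"
    # 2. Established flows match RELATED,ESTABLISHED before the zone rules, so drop
    #    them earlier, in raw PREROUTING, before conntrack sees the packet.
    run "$FWCMD" --direct --add-rule ipv4 raw PREROUTING 0 -s "$ip" -j DROP
    # 3. Delete the tracked entries so the flow cannot keep matching ESTABLISHED.
    run "$CONNTRACK" -D -s "$ip"
    # 4. The local sockets are still open; reset outbound TCP toward the address so
    #    the local application sees the session end instead of waiting for a timeout.
    run "$FWCMD" --direct --add-rule ipv4 filter OUTPUT 0 -d "$ip" -p tcp -j REJECT --reject-with tcp-reset
}

# unblock_direct ADDRESS : remove the direct rules once the conntrack entries are
# gone; the drop-zone source entry keeps blocking new connections.
unblock_direct() {
    ip="$1"
    run "$FWCMD" --direct --remove-rule ipv4 raw PREROUTING 0 -s "$ip" -j DROP
    run "$FWCMD" --direct --remove-rule ipv4 filter OUTPUT 0 -d "$ip" -p tcp -j REJECT --reject-with tcp-reset
}

# Usage: sh block_ip.sh 192.0.2.10
if [ $# -gt 0 ]; then
    block_ip "$1"
fi
```

Add --permanent variants of the drop-zone source if the block must survive a reload; the direct rules are meant to be temporary, as the reply notes.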