Comments 12 Posted In Red Hat Enterprise Linux Tags configuration Blocking IP addresses using Firewalld rhel 7.0 Latest response 2018-07-20T19:07:47+00:00 Is there a way to block a specific ip address in firewalld ? I know it can be done in iptables, however I would like to use the firewalld service. 2U Started 2015-02-05T19:38:00+00:00 by 2URedRiver Active Contributor 265 points Log in to join the conversation Responses Sort By Oldest Sort By Newest Guru 6863 points 5 February 2015 7:47 PM email@example.com Community Leader I'm getting up to speed myself, so - please keep that in mind ;-) From what I can gather, this activity is considered a "rich-rule" http://fedoraproject.org/wiki/Features/FirewalldRichLanguage#Handle_rich_rules_with_the_command_line_client firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.0.11' reject" Check here (Under "Actions"): http://fedoraproject.org/wiki/Features/FirewalldRichLanguage 2U Active Contributor 265 points 5 February 2015 9:17 PM 2URedRiver Thanks very much it seems simple enough. Guy SW Red Hat Guru 4042 points 6 February 2015 12:17 PM Stephen Wadeley Hello, see also Configuring Complex Firewall Rules with the "Rich Language" Syntax in the Red Hat Enterprise Linux Security Guide. Red Hat Active Contributor 232 points 4 May 2017 8:26 PM Albert Wong Just to add a side question.... Can you add the ip or range to the "blocked" or "drop" firewalld zone? No because interfaces are not active on those zones. Active Contributor 252 points 26 May 2017 1:13 PM Chris Scarff Great info, thanks for sharing! VR Newbie 7 points 28 September 2017 8:48 PM V R I just added the following to the drop zone and it worked without any issue: firewall-cmd --zone=drop --add-source=x.x.x.x/xx replace x.x.x.x with the IP and you can add the subnet under /xx NG Newbie 15 points 17 July 2018 1:52 PM Nandkishor Gupta Could you please let me know, How we can allow specific IP address's for SSH and Mysql? No one can access SSH and Mysql except allowed IP. Active Contributor 195 points 18 July 2018 9:14 AM Jonathan Groves you could also use /etc/hosts.allow to only allow access via a certain IP list/hostnames eq # System Administration sshd: 10.10. 10.12. 10.1.61. 10.25. 10.1.10.19 NG Newbie 15 points 19 July 2018 11:00 AM Nandkishor Gupta Thank's Jonathan, for a quick reply. I have done this using IPTABLES. I have also used hosts. allow and hosts.deny for the same but hosts. allow/hosts. deny doesn't restrict MySQL traffic. As we aware Firewalld service has been introduced and I want to use Firewalld service as IPTABLES does. I also want to know for the knowledge purpose. it would be greatly appreciated if you could provide an answer for the same. Active Contributor 195 points 19 July 2018 12:18 PM Jonathan Groves you should be able to add the mysql service(port 3306) to the firewall then allow only certain ip addresses access # firewall-cmd --zone=public --add-service=mysql --permanent # firewall-cmd --add-rich-rule 'rule family="ipv4" source address="your_IP_or_IP_Range" service name="mysql" accept' --permanent NG Newbie 15 points 19 July 2018 1:39 PM Nandkishor Gupta firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.1.26" service name="ssh" accept' --permanent [root@localhost ~]# firewall-cmd --zone=public --list-all public (active) target: default icmp-block-inversion: no interfaces: eno16777736 sources: services: dhcpv6-client ssh mysql ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: rule family="ipv4" source address="192.168.1.26" service name="ssh" accept I tried the same rule for SSH but it's not working. I am able to access SSH from other IPs. I think for SSH I need to use hosts.allow. If you have any idea to allow specific IP address for SSH in firewalld. Please share. Thank you so much for paying attention towards this. Red Hat Expert 1189 points 20 July 2018 7:07 PM Marc Milgram Nandkishor, Looking at the output of your command, ssh is in both the services: section, and the rich rules section. I think the services section will allow ssh to be accepted everywhere the public zone applies. If you want ssh to only be accepted from 192.168.1.26, remove ssh from the services: firewall-cmd --remove-service=ssh --permanent Regards, Marc Close Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.