Firewalld in Red Hat 7.4


In Red Hat 6 we were blocking access to a particular file "somefile.php" within iptables.

On Red Hat 7, we would like to continue to block any and all accesses to that filename on the system firewall, firewalld.

We have not found a method by which to recreate blocking that file via firewalld.

Any help appreciated.

Responses

You can use iptables rules with firewalld via the Direct Rules syntax.

See man firewall-cmd section called "Direct Options".

So could we use our existing iptables rule via "firewall-cmd --permanent --direct --get-passthrough ipv4 not-sure-how-to-reference-existing-rule"?

Not quite but you're on the right track.

To add a rule you use --add-rule:

# firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 10 -p tcp --dport 22 -j ACCEPT
success

To see current rules use --get-all-rules:

# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT_direct 10 -p tcp --dport 22 -j ACCEPT

To remove a rule use --remove-rule:

# firewall-cmd --direct --remove-rule ipv4 filter INPUT_direct 10 -p tcp --dport 22 -j ACCEPT
success

If you have multiple rules, then change the prio to order them. I have used 10 here.

The above commands only affect the current state of the firewall. Run again with --permanent to make the changes persist in firewalld config.

So your first example above implements the iptables rule "ipv4 filter INPUT_direct 10 -p tcp --dport 22 -j ACCEPT"

I have done the block below in iptables on Red Hat 6, but would like to implement on Red Hat 7....

https://blog.nintechnet.com/blocking-a-wordpress-xml-rpc-attack-with-the-linux-kernel-firewall/

So I would do all the steps in that document by preceding each with ....

firewall-cmd --direct --add-rule

?

Create a new chain and place the rules in the chain. These are all valid syntax though I don't have WordPress setup to test them:

firewall-cmd --direct --add-chain ipv4 filter IN_xmlrpc
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 10 -p tcp --dport 80 -j IN_xmlrpc
firewall-cmd --direct --add-rule ipv4 filter IN_xmlrpc 10 -p tcp --syn -m recent --set
firewall-cmd --direct --add-rule ipv4 filter IN_xmlrpc 20 -p tcp --tcp-flags PSH,SYN,ACK ACK -m recent --update
firewall-cmd --direct --add-rule ipv4 filter IN_xmlrpc 30 -p tcp --tcp-flags PSH,ACK PSH,ACK -m recent --remove -m string --to 70 --algo bm --string "POST /xmlrpc.php" -j DROP

However, the link you reference seems more like marketing material to me. The post describes a method to block a specific type of DDoS attack so you can get access to your WordPress instance and install the author's company's application firewall product. Unless you just happen to be suffering the exact same type of DDoS attack, which they will have artificially generated, just doing this alone may not provide a great deal of real-world protection for your blog. You would probably have a full time job sitting there writing iptables rules to block real known web application attacks. At small scale perhaps it makes sense to invest in an application-level firewall or even a network firewall appliance which can do this. At large enough scale it probably makes more sense to outsource this to a CDN who do adaptive DDoS protection (Akamai, CloudFlare, Level3, etc) so you don't even need to worry about it.
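As an added example that is not part of this thread (nor Red Hat's or the linked author's code), the same direct-chain approach generalized to the original question: a script that drops plaintext HTTP requests containing a given URI, idempotently and in the permanent configuration. It assumes RHEL 7 firewalld with the direct interface and the iptables xt_string match module; FIREWALL_CMD, block_uri and ensure_rule are names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: block plaintext HTTP requests for one URI
# via firewalld direct rules, in a dedicated chain, idempotently, in the
# permanent config. Assumes RHEL 7 firewalld with the direct interface and the
# iptables xt_string match available; run as root. FIREWALL_CMD, block_uri and
# ensure_rule are names chosen for this example.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"   # path to firewall-cmd

# Add a permanent direct rule only if it is not already present, so the
# script can be re-run without stacking duplicate rules.
ensure_rule() {
    "$FIREWALL_CMD" --permanent --direct --query-rule "$@" >/dev/null 2>&1 \
        || "$FIREWALL_CMD" --permanent --direct --add-rule "$@"
}

# block_uri CHAIN PORT URI: drop TCP segments to PORT whose payload contains URI.
block_uri() {
    chain=$1; port=$2; uri=$3
    # A chain of its own keeps the block rules easy to list, audit and remove.
    "$FIREWALL_CMD" --permanent --direct --query-chain ipv4 filter "$chain" >/dev/null 2>&1 \
        || "$FIREWALL_CMD" --permanent --direct --add-chain ipv4 filter "$chain"
    # Only plaintext HTTP can be inspected this way; TLS payloads are opaque
    # to the string match, so limit the jump to the cleartext port.
    ensure_rule ipv4 filter INPUT_direct 10 -p tcp --dport "$port" -j "$chain"
    # No --from/--to window: the request line sits further into the packet
    # when TCP options are present, so search the whole segment. Caveat: the
    # match is per segment, so a request split across segments will not match.
    ensure_rule ipv4 filter "$chain" 10 -p tcp -m string --algo bm --string "$uri" -j DROP
}

# Usage: sh block_uri.sh IN_somefile 80 /somefile.php
# Permanent changes take effect only after a reload.
if [ $# -eq 3 ]; then
    block_uri "$1" "$2" "$3" && "$FIREWALL_CMD" --reload
fi
```

Afterwards `firewall-cmd --permanent --direct --get-all-rules` lists the jump and the DROP rule, and removing the chain's rules plus the chain undoes the block.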

Belated thanks
