On Thu, May 7, 2020 at 12:12 AM Sam Varshavchik <mrsam@xxxxxxxxxxxxxxx> wrote:
> Is there a way with firewall-cmd to /really/ block an IP address, new or
> established connections, or is manually adding an iptables rule my only
> option?

You can bypass connection tracking for dropping existing connections by adding a rule in the *raw* or *mangle* table when using the iptables backend.

The fastest way I know of is to add a direct rule. If 1.2.3.4 is the offending IP, something like:

    firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 0 -s 1.2.3.4 -j DROP
    firewall-cmd --reload

should work fine. After that

    iptables -n -t raw -L

should list the IP with the DROP target. REJECT doesn't work here.

A more efficient way would be to use ipsets:

    # the set has to exist before a zone can reference it (hash:ip holds single addresses)
    firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip
    firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist
    firewall-cmd --permanent --ipset=blacklist --add-entry=1.2.3.4
    firewall-cmd --permanent --ipset=blacklist --add-entry=4.3.2.1
    # --permanent changes only take effect after a reload
    firewall-cmd --reload

This should terminate any existing connection and prevent new ones.

_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
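A small check for the direct-rule approach described in the reply above, added here as an example and not part of the original message: it parses the output of `iptables -n -t raw -L` and confirms that a DROP rule for the given source address really landed in the raw table (a rule that ended up in the filter table, or anything other than DROP, would not bypass conntrack). The listing below is a constructed sample of what a firewalld host shows after the direct rule is added; the function name `raw_drop_present` is my own.

```shell
#!/bin/sh
# Constructed sample of `iptables -n -t raw -L` on a firewalld host after
# `--direct --add-rule ipv4 raw PREROUTING 0 -s 1.2.3.4 -j DROP` and a reload.
# firewalld places direct rules in the PREROUTING_direct chain it manages.
SAMPLE_RAW_LISTING='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
PREROUTING_direct  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0

Chain PREROUTING_direct (1 references)
target     prot opt source               destination
DROP       all  --  1.2.3.4              0.0.0.0/0'

# raw_drop_present IP LISTING
# Returns 0 when any chain in the raw-table listing carries a rule whose
# target column is exactly DROP and whose source column is exactly IP,
# 1 otherwise. Header lines ("Chain ...", "target prot ...") never match
# because their first field is not DROP.
raw_drop_present() {
    ip=$1
    listing=$2
    printf '%s\n' "$listing" | awk -v ip="$ip" '
        $1 == "DROP" && $4 == ip { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Live usage on the host (needs root to read the tables):
#   raw_drop_present 1.2.3.4 "$(iptables -n -t raw -L)" && echo blocked
```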