I don't see anything wrong. The generated iptables rules look correct.
But I couldn't verify the interfaces/counters because -v wasn't used.
Can you use the -v option to iptables to show counters?
# iptables -v -n -L filter
# iptables -v -n -L nat
# iptables -v -n -L mangle
# iptables -v -n -L raw
On Tue, Dec 28, 2021 at 01:44:20PM -0600, summersnow wrote:
Hi Eric,
Thanks! I tried the following command:
# firewall-cmd --permanent --new-policy myOutputPolicy
# firewall-cmd --permanent --policy myOutputPolicy --add-ingress-zone HOST
# firewall-cmd --permanent --policy myOutputPolicy --add-egress-zone public
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
# firewall-cmd --permanent --policy myOutputPolicy --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
but I can still send a DNS query to 4.2.2.1. Running firewall-cmd --list-all shows:
public (active)
target: default
icmp-block-inversion: no
interfaces: wlp4s0
sources:
services: dhcpv6-client
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" destination address="4.2.2.1" reject
and running firewall-cmd --list-all-policies shows:
allow-host-ipv6 (active)
priority: -15000
target: CONTINUE
ingress-zones: ANY
egress-zones: HOST
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv6" icmp-type name="neighbour-advertisement" accept
rule family="ipv6" icmp-type name="neighbour-solicitation" accept
rule family="ipv6" icmp-type name="router-advertisement" accept
rule family="ipv6" icmp-type name="redirect" accept
myOutputPolicy (active)
priority: -1
target: CONTINUE
ingress-zones: HOST
egress-zones: public
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" destination address="4.2.2.1" reject
Did I do something wrong? Do I need to change the target of myOutputPolicy?
I used iptables as the backend of firewalld, and the output of iptables -L -n is in https://paste.opensuse.org/80095661
Thanks
On 12/28/21 12:49, Eric Garver wrote:
> On Fri, Dec 24, 2021 at 04:28:23AM -0600, Snow Summer wrote:
> > Hello,
> >
> > I am trying to block all kinds (TCP/UDP/ICMP and so on) of network traffic
> > from/to a specific IP address, and I have used the IP 4.2.2.1 as a
> > test. My firewall-cmd
> > --list-all shows:
> >
> > root@summersnow # firewall-cmd --list-all
> > public (active)
> > target: default
> > icmp-block-inversion: no
> > interfaces: wlp4s0
> > sources:
> > services: dhcpv6-client
> > ports:
> > protocols:
> > forward: yes
> > masquerade: no
> > forward-ports:
> > source-ports:
> > icmp-blocks:
> > rich rules:
> > rule family="ipv4" destination address="4.2.2.1" drop
> > rule family="ipv4" source address="4.2.2.1" drop
> > rule family="ipv4" source address="4.2.2.1" reject
> > rule family="ipv4" destination address="4.2.2.1" reject
> >
> > However, I can confirm that I can still receive DNS responses from it by:
> >
> > root@summersnow # nslookup twitter.com 4.2.2.1
> > Server: 4.2.2.1
> > Address: 4.2.2.1#53
> >
> > Non-authoritative answer:
> > Name: twitter.com
> > Address: 104.244.42.65
> > Name: twitter.com
> > Address: 104.244.42.129
> >
> > The rich rules above don't seem to be working properly. Any ideas?
> Hi! It looks like you're trying to do outbound/OUTPUT filtering. Zones
> filter traffic received from the zone and destined to the host
> (inbound/INPUT).
>
> firewalld supports outbound filtering via policies.
>
> You can learn about them here:
> - https://firewalld.org/2020/09/policy-objects-introduction
> - https://firewalld.org/2020/09/policy-objects-filtering-container-and-vm-t...
>
>
> SOLUTION:
>
> For your use case you probably want something like the following:
>
> # firewall-cmd --permanent --new-policy myOutputPolicy
> # firewall-cmd --permanent --policy myOutputPolicy --add-ingress-zone HOST
> # firewall-cmd --permanent --policy myOutputPolicy --add-egress-zone public
> # firewall-cmd --permanent --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
>
> This will apply your rich rule to traffic originating from the node
> running firewalld and destined to the public zone.
>
>
> Notice I omitted these two rules:
>
> > rule family="ipv4" source address="4.2.2.1" drop
> > rule family="ipv4" source address="4.2.2.1" reject
> That's because your public zone will filter these out by default. There
> is no need to explicitly reject them.
>
> I also omitted:
>
> > rule family="ipv4" destination address="4.2.2.1" drop
> because it's already covered by the similar "reject" rule. You should
> prefer "reject" over "drop" so an ICMP packet is returned and the
> connection attempt fails gracefully (and quickly).
>
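Added example (editor's, not code from either participant): the reason Eric asks for `iptables -v -n -L` is that the verbose listing carries per-rule packet and byte counters, which is the quickest way to tell whether the policy's REJECT rule for 4.2.2.1 is ever reached. The helper below pulls those counters out of a listing for a given destination address. The listing embedded here is constructed, and the chain name OUT_myOutputPolicy is a placeholder rather than firewalld's real chain layout.

```shell
#!/bin/sh
# Report the counters on every rule whose destination matches ADDRESS in the
# output of `iptables -v -n -L`. With -v the columns are:
#   pkts bytes target prot opt in out source destination [extra]
# so the destination is field 9 and the counters are fields 1 and 2.

# CONSTRUCTED sample listing; OUT_myOutputPolicy is a placeholder chain name.
SAMPLE='Chain OUTPUT (policy ACCEPT 812 packets, 61234 bytes)
 pkts bytes target     prot opt in     out     source               destination
  812 61234 OUT_myOutputPolicy  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUT_myOutputPolicy (1 references)
 pkts bytes target     prot opt in     out     source               destination
    5   400 REJECT     all  --  *      *       0.0.0.0/0            4.2.2.1              reject-with icmp-port-unreachable
  807 60834 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
'

# rule_hits LISTING ADDRESS
# Prints one line per matching rule: "<chain> <target> <pkts>".
rule_hits() {
    printf '%s\n' "$1" | awk -v addr="$2" '
        /^Chain /  { chain = $2; next }   # remember which chain we are in
        /^ *pkts / { next }               # skip the column header
        NF >= 9 && $9 == addr { print chain, $3, $1 }
    '
}

# blocked_pkts LISTING ADDRESS
# Sums the packet counters of DROP/REJECT rules for ADDRESS. A result of 0
# after sending test traffic means the blocking rule is never reached, e.g.
# because the traffic is accepted by an earlier rule or a different chain.
blocked_pkts() {
    rule_hits "$1" "$2" | awk '
        $2 == "REJECT" || $2 == "DROP" { n += $3 }
        END { print n + 0 }
    '
}

# Stand-alone demonstration against the constructed sample.
rule_hits "$SAMPLE" 4.2.2.1
echo "packets hitting DROP/REJECT rules for 4.2.2.1: $(blocked_pkts "$SAMPLE" 4.2.2.1)"
```

On a live host (as root, with the iptables backend) the same functions take the real listing: `rule_hits "$(iptables -v -n -L)" 4.2.2.1`. Run the nslookup test, re-run the check, and compare the counter before and after; if it does not move, the packets are not reaching the REJECT rule.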