A. Under iptables I presently use:
-A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 10 --dport 22 -j LOG --log-prefix "IPTables-CONNLIMIT 22 " --log-level 4
-A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 10 --dport 22 -j REJECT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
which had the effect of blocking some rapid fire dictionary probing, and leaving a message I could use to add a manual drop rule as well, when the next day's logwatch report arrived
sshd:
   Authentication Failures:
      root (117.21.191.108): 2733 Time(s)
      root (42.7.27.164): 2430 Time(s)
      root (116.31.116.28): 979 Time(s)
B. I would add something like this:
iptables:-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 117.21.191.0/24 -j DROP
My question is:
What are the CLI analogs to bring current steps A and B above?
I see two possible answers for the: -i eth0
[root@router ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
being external and public
looking further it looks as though the correct one is: public as that contains the external interface
[root@router ~]# firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client squid ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[root@router ~]# firewall-cmd --zone=external --list-all
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s25
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[root@router ~]#
But I do not see a writeup as to rate limiting or blocking a particular CIDR and service (reading: https://fedoraproject.org/wiki/Firewalld?rd=FirewallD )
Thanks
-- Russ herrold
On Mon, Sep 24, 2018 at 12:50:23PM -0400, R P Herrold wrote:
> A. Under iptables I presently use:
> -A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 10 --dport 22 -j LOG --log-prefix "IPTables-CONNLIMIT 22 " --log-level 4
> -A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 10 --dport 22 -j REJECT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> which had the effect of blocking some rapid fire dictionary probing, and leaving a message I could use to add a manual drop rule as well, when the next day's logwatch report arrived
> sshd:
>    Authentication Failures:
>       root (117.21.191.108): 2733 Time(s)
>       root (42.7.27.164): 2430 Time(s)
>       root (116.31.116.28): 979 Time(s)
> B. I would add something like this:
> iptables:-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 117.21.191.0/24 -j DROP
> My question is:
> What are the CLI analogs to bring current steps A and B above?
firewalld does not have an exact abstraction for connlimit. What it does have is "limit" via rich rules - which limits connection attempts per time period. So you can do something like:
# firewall-cmd --add-rich-rule='rule service name=ssh accept limit value="4/m"'
It's different than above, because it logs successful attempts too, but you can log all NEW connections with a rate limit.
# firewall-cmd --add-rich-rule='rule service name=ssh log prefix="SSH login attempt: " level="notice" limit value="4/m"'
Alternatively you can use the global "--set-log-denied" to log denied requests, but that can be very chatty.
> I see two possible answers for the: -i eth0
This will be handled by adding the "eth0" interface to a zone.
> [root@router ~]# firewall-cmd --get-zones
> block dmz drop external home internal public trusted work
> being external and public
> looking further it looks as though the correct one is: public as that contains the external interface
The names are completely symbolic. Once you start changing them they're whatever you want them to be. "external" by default enables masquerading.
> [root@router ~]# firewall-cmd --zone=public --list-all
> public
>   target: default
>   icmp-block-inversion: no
>   interfaces:
>   sources:
>   services: dhcpv6-client squid ssh
>   ports:
>   protocols:
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>
> [root@router ~]# firewall-cmd --zone=external --list-all
> external (active)
>   target: default
>   icmp-block-inversion: no
>   interfaces: enp0s25
>   sources:
>   services: ssh
>   ports:
>   protocols:
>   masquerade: yes
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>
> [root@router ~]#
> But I do not see a writeup as to rate limiting or blocking a particular CIDR and service (reading: https://fedoraproject.org/wiki/Firewalld?rd=FirewallD )
Maybe the man page for rich rules is more useful. https://firewalld.org/documentation/man-pages/firewalld.richlanguage.html
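The script below is an added example, not code from either message in this thread. It turns the reply into a runnable set of firewall-cmd calls covering both steps of the question: step A uses the two rich rules given in the reply (accept and log with limit value="4/m"), and step B uses the rich language's source address ... drop form documented in the linked firewalld.richlanguage man page, which is the firewalld analog of the iptables -s CIDR -j DROP rule. The zone name "external", the 1000-failure threshold, the FIREWALL_CMD and ZONE variables and the small logwatch parser are the example's own assumptions; the logwatch excerpt embedded as sample input is copied from the question.

```shell
#!/bin/sh
# Added example (not from the thread): emit the firewall-cmd calls that
# correspond to steps A and B of the question, using only rich-rule forms
# documented in firewalld.richlanguage(5).  FIREWALL_CMD=echo previews them.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
ZONE="${ZONE:-external}"   # assumed: the zone holding the Internet-facing interface

# Constructed sample input: the logwatch excerpt from the question.
LOGWATCH_SAMPLE='sshd:
   Authentication Failures:
      root (117.21.191.108): 2733 Time(s)
      root (42.7.27.164): 2430 Time(s)
      root (116.31.116.28): 979 Time(s)'

# Step A: accept new SSH connections at most RATE per period (default 4/m),
# and log attempts at the same rate so the log stays readable.
ssh_limit_rule() {
  printf 'rule service name="ssh" accept limit value="%s"' "${1:-4/m}"
}
ssh_log_rule() {
  printf 'rule service name="ssh" log prefix="SSH login attempt: " level="notice" limit value="%s"' "${1:-4/m}"
}

# Step B: drop all traffic from one source network, the analog of
# "-s 117.21.191.0/24 -j DROP" in the question.
drop_network_rule() {
  printf 'rule family="ipv4" source address="%s" drop' "$1"
}

# Read logwatch text on stdin; print the /24 networks whose summed failure
# count is at least $1, one per line, sorted.  Lines look like
# "      root (117.21.191.108): 2733 Time(s)".
offending_networks() {
  awk -v min="$1" '
    $NF == "Time(s)" && index($2, "(") == 1 {
      ip = $2; gsub(/[():]/, "", ip)        # "(117.21.191.108):" -> "117.21.191.108"
      if (split(ip, o, ".") != 4) next      # skip anything that is not a dotted quad
      total[o[1] "." o[2] "." o[3] ".0/24"] += $3
    }
    END { for (net in total) if (total[net] >= min) print net }
  ' | LC_ALL=C sort
}

apply_rule() {
  "$FIREWALL_CMD" --zone="$ZONE" --permanent --add-rich-rule="$1"
}

main() {
  # A: the zone must not also list the ssh service, otherwise every SSH
  # connection is accepted by the service rule and the limit restricts nothing.
  # Without the service, connections above the limit fall through to the
  # zone's default target and are rejected.
  "$FIREWALL_CMD" --zone="$ZONE" --permanent --remove-service=ssh
  apply_rule "$(ssh_limit_rule 4/m)"
  apply_rule "$(ssh_log_rule 4/m)"
  # B: block each /24 that the logwatch report shows hammering sshd.
  printf '%s\n' "$LOGWATCH_SAMPLE" | offending_networks 1000 | while read -r net; do
    apply_rule "$(drop_network_rule "$net")"
  done
  "$FIREWALL_CMD" --reload   # make the --permanent rules active
}

case "${1:-}" in
  apply) main ;;
esac
```

Run it as `sh ssh-guard.sh apply`; with `FIREWALL_CMD=echo sh ssh-guard.sh apply` it only prints the calls it would make. With the sample report and the 1000-failure threshold it emits drop rules for 117.21.191.0/24 and 42.7.27.0/24 and leaves 116.31.116.0/24 (979 failures) alone. The rules are added with --permanent and followed by --reload so they survive a restart; a runtime-only --add-rich-rule, as in the reply, is gone after the next reload.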
firewalld-users@lists.fedorahosted.org