On Mon, Sep 24, 2018 at 12:50:23PM -0400, R P Herrold wrote:
A. Under iptables I presently use:
-A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 10 --dport 22 -j LOG --log-prefix "IPTables-CONNLIMIT 22 " --log-level 4
-A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 10 --dport 22 -j REJECT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
which had the effect of blocking some rapid fire dictionary
probing, and leaving a message I could use to add a manual
drop rule as well, when the next day's logwatch report arrived
sshd:
Authentication Failures:
root (117.21.191.108): 2733 Time(s)
root (42.7.27.164): 2430 Time(s)
root (116.31.116.28): 979 Time(s)
B. I would add something like this:
iptables:-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 117.21.191.0/24 -j DROP
My question is:
What are the CLI analogs to bring current steps A and B above ?
firewalld does not have an exact abstraction for connlimit. What it does
have is "limit" via rich rules - which limits connection attempts per
time period. So you can do something like:
# firewall-cmd --add-rich-rule='rule service name=ssh accept limit value="4/m"'
It's different than above, because it logs successful attempts too, but
you can log all NEW connections with a rate limit.
# firewall-cmd --add-rich-rule='rule service name=ssh log prefix="SSH login attempt: " level="notice" limit value="4/m"'
Alternatively you can use the global "--set-log-denied" to log denied
requests, but that can be very chatty.
I see two possible answers for the:
-i eth0
This will be handled by adding the "eth0" interface to a zone.
[root@router ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
being external and public
looking further it looks as though the correct one is: public
as that contains the external interface
The names are completely symbolic. Once you start changing them they're
whatever you want them to be. "external" by default enables
masquerading.
[root@router ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client squid ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@router ~]# firewall-cmd --zone=external --list-all
external (active)
target: default
icmp-block-inversion: no
interfaces: enp0s25
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@router ~]#
But I do not see a writeup as to rate limiting or blocking a
particular CIDR and service (reading:
https://fedoraproject.org/wiki/Firewalld?rd=FirewallD)
Maybe the man page for rich rules is more useful.
https://firewalld.org/documentation/man-pages/firewalld.richlanguage.html
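Not part of the thread: an added shell script that builds the firewalld analogs of steps A and B from the logwatch excerpt quoted above. It uses the rich-language forms already on this page (the rate-limited `accept` and the logged, rate-limited rule for `service name="ssh"`) plus the `rule family="ipv4" source address="..." service name="..." drop` form for per-CIDR blocking. The `public` zone, the 1000-failure threshold, the 4/m rate and the widening of each offender to its /24 (mirroring step B) are assumptions; the report lines are constructed sample input copied from the quoted excerpt. Nothing is applied unless `APPLY=1` is set and `firewall-cmd` is on the PATH; otherwise the commands are only printed.

```shell
#!/bin/sh
# Added example, not code from the thread or from firewalld: turn a logwatch
# "Authentication Failures" listing into firewalld rich rules. The zone name,
# threshold and /24 widening below are assumptions chosen for illustration.

# Constructed sample input: the logwatch excerpt quoted in the thread.
SAMPLE_REPORT='sshd:
Authentication Failures:
root (117.21.191.108): 2733 Time(s)
root (42.7.27.164): 2430 Time(s)
root (116.31.116.28): 979 Time(s)'

ZONE="public"   # assumed: the zone that owns the outside interface

# Step A analog (from the reply): accept SERVICE at most RATE new connections.
rich_limit_rule() {
    printf 'rule service name="%s" accept limit value="%s"' "$1" "$2"
}

# Step A analog, logging side (from the reply): log new SERVICE connections,
# rate-limited so the log cannot be flooded.
rich_log_rule() {
    printf 'rule service name="%s" log prefix="%s" level="notice" limit value="%s"' \
        "$1" "$2" "$3"
}

# Step B analog: drop SERVICE from SOURCE (an address or CIDR).
rich_drop_rule() {
    printf 'rule family="ipv4" source address="%s" service name="%s" drop' "$1" "$2"
}

# to_cidr24 IPV4 -> the /24 containing it (step B blocked a /24; use the
# address with /32 instead if you only want the single host).
to_cidr24() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.0/24\n", $1, $2, $3 }'
}

# offenders REPORT THRESHOLD -> one source IP per line whose count in a
# "user (ip): N Time(s)" line is at least THRESHOLD.
offenders() {
    printf '%s\n' "$1" | awk -v thr="$2" '
        /Time\(s\)/ {
            ip = $2
            gsub(/[():]/, "", ip)      # "(1.2.3.4):" -> "1.2.3.4"
            if ($3 + 0 >= thr) print ip
        }'
}

# drop_commands REPORT THRESHOLD -> one firewall-cmd invocation per offender.
drop_commands() {
    offenders "$1" "$2" | while read -r ip; do
        printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" \
            "$ZONE" "$(rich_drop_rule "$(to_cidr24 "$ip")" ssh)"
    done
}

# all_commands THRESHOLD -> the complete rule set for ZONE, ending in a reload
# because --permanent rules do not take effect until then.
all_commands() {
    printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" \
        "$ZONE" "$(rich_limit_rule ssh 4/m)"
    printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" \
        "$ZONE" "$(rich_log_rule ssh "SSH login attempt: " 4/m)"
    drop_commands "$SAMPLE_REPORT" "$1"
    echo "firewall-cmd --reload"
}

main() {
    threshold="${1:-1000}"   # assumed cut-off: 1000 failures in one report
    if [ "${APPLY:-0}" = 1 ] && command -v firewall-cmd >/dev/null 2>&1; then
        all_commands "$threshold" | sh
    else
        all_commands "$threshold"
    fi
}

main "$@"
```

Run it as-is to review the generated `firewall-cmd` lines; run it as root with `APPLY=1 ./fw-rich.sh 1000` to apply them. With the sample report and the default threshold, only the two sources above 1000 failures get a drop rule, and each is widened to its /24 just as the quoted step B did.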