Firewall – IP Blocking
Running your own or wish to run your own Linux/UNIX server? If so, you will definitely need to learn about firewalls.
Block and Unblock an IPv4 IP Address using firewalld
You can block any visitor’s IP address with the firewalld firewall program, which is managed from the command line with the firewall-cmd command. See the man pages for full details.
First, what is firewalld?
FirewallD is a frontend controller for iptables used to implement persistent network traffic rules. It provides command line and graphical interfaces and is available in the repositories of most Linux distributions.
Now, let’s block that dreaded unwanted visitor.
Suppose you need to block a host with the address 192.168.1.200 so that it can’t connect to your server. Here is how to achieve this.
Tones:# firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.200 reject' --permanent
success
Now we have to reload the firewalld program configuration for the changes to take effect.
Tones:# firewall-cmd --reload
success
Now you can verify that the rule has been added and is active with the following command. Note that --list-all shows the default zone only; the new rule appears under “rich rules”.
Tones:# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: http pop3 https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.200" reject
We have used a private (local network) IP address here for demonstration purposes. Replace 192.168.1.200 with the offending IP address.
How to unblock an address:
Tones:# firewall-cmd --remove-rich-rule='rule family=ipv4 source address=192.168.1.200 reject' --permanent
success
Then reload firewalld so that the change to the underlying iptables rules takes effect.
Tones:# firewall-cmd --reload
success
To block the full 192.168.1.x range, substitute source address=192.168.1.0/24 for source address=192.168.1.200 in the command above, as shown here.
Tones:# firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 reject' --permanent
success
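The block, reload, verify and unblock steps above, wrapped into one small script as an added example (this is not from the original post or from the firewalld project). It validates the address or CIDR before building the rich rule, so a typo never reaches the firewall, and reads the firewall-cmd binary from a FIREWALL_CMD variable (an assumption of this script, not a firewalld feature) so the rule-building functions can be exercised without root or a running firewalld.

```shell
#!/bin/sh
# Added example: block, unblock and check an IPv4 address or CIDR with
# firewalld rich rules. Not part of the original post.
set -u

# Binary used to talk to firewalld. Overridable (e.g. FIREWALL_CMD=echo)
# so the helpers can be dry-run without root or a running firewalld.
: "${FIREWALL_CMD:=firewall-cmd}"

# Accept a dotted-quad IPv4 address with an optional /0-32 prefix.
# Returns 0 if valid, 1 otherwise (octets > 255 and bad prefixes rejected).
valid_ipv4() {
    addr="${1%/*}"
    case "$1" in
        */*) prefix="${1#*/}"
             case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
             [ "$prefix" -le 32 ] || return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the rich rule string in exactly the form the post uses.
rich_rule_for() {
    valid_ipv4 "$1" || { echo "invalid IPv4 address or CIDR: $1" >&2; return 1; }
    printf 'rule family=ipv4 source address=%s reject\n' "$1"
}

# Add a permanent reject rule, then reload so it becomes active.
block_ip() {
    rule=$(rich_rule_for "$1") || return 1
    "$FIREWALL_CMD" --permanent --add-rich-rule="$rule" && "$FIREWALL_CMD" --reload
}

# Remove the permanent rule again, then reload.
unblock_ip() {
    rule=$(rich_rule_for "$1") || return 1
    "$FIREWALL_CMD" --permanent --remove-rich-rule="$rule" && "$FIREWALL_CMD" --reload
}

# Return 0 if the active (runtime) configuration carries the reject rule.
is_blocked() {
    rule=$(rich_rule_for "$1") || return 1
    "$FIREWALL_CMD" --query-rich-rule="$rule" >/dev/null 2>&1
}

# Command-line entry point; only runs when an action is given.
# Usage: ./fwblock.sh block|unblock|status <ipv4[/prefix]>
if [ $# -gt 0 ]; then
    case "$1" in
        block)   block_ip "${2:-}" ;;
        unblock) unblock_ip "${2:-}" ;;
        status)  if is_blocked "${2:-}"; then echo "${2:-} is blocked"; else echo "${2:-} is not blocked"; fi ;;
        *)       echo "usage: $0 block|unblock|status <ipv4[/prefix]>" >&2; exit 2 ;;
    esac
fi
```

Run it as root, e.g. `./fwblock.sh block 192.168.1.0/24` followed by `./fwblock.sh status 192.168.1.0/24`; the --reload after each change is what turns the --permanent rule into an active one, which is the step most often forgotten.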
There you go.
Happy blocking.
Tone of tonesworld.
