Home / server / Questions / 1140229
Accepted
artfulrobot
Asked: 2023-08-01 15:14:13 +0800 CST

How to create trap with Firewalld

  • 772

I'd like to set up the following logic using firewalld

  1. When a host attempts to access the server from the internet on port 22:
    1. DROP and
    2. add their IP to an ipset called "trap" (with 24 hour timeout)
  2. When a host whose IP is on the "trap" list attempts to connect to any port: DROP.

I've read many doc pages but can't see how to implement 1.2 above.

firewalld

1 Answers

  1. Best Answer

    firewalld supports ipsets and you specify the 24 hour timeout (86400 seconds) when setting up that ipset:

    firewall-cmd --permanent --new-ipset=trap --type=hash:ip --option=timeout=86400
firewall-cmd --reload

    In native net-filter / iptables the logic and ordering of the necessary rules would be:

    # Block all traffic from IP-addresses in the trap ipset 
# (with REJECT to facilitate debugging) 

iptables -I INPUT 1 -m set  --match-set trap src -j REJECT 

# Add all IP-addresses to that connect to TCP port 22 to the trap ipset
# (the --timeout value is only necessary when different from the default for the ipset) 

iptables -I INPUT 2 -p tcp  -m tcp --dport 22  -m set  --add-set trap src --timeout 86400 -j SET 

# Reject access access to TCP port 22 for everybody

iptables -I INPUT 3 -p tcp -m tcp --dport 22 -j REJECT

    Translating that to native firewalld / firewall-cmd rules/structures is bit beyond me at the moment, but adding the rules 1 & 2 as direct rules should be easy enough.

    You should be able to get display entries in the trap list with:

     firewall-cmd --permanent --ipset=trap  --get-entries
    • 2