Home / server / Questions / 751319
Accepted
giorgio79
Asked: 2016-01-24 21:36:49 +0800 CST

How to check if firewalld is blocking an incoming ip address?

  • 772

I have CentOS 7 with firewalld. I installed fail2ban and using the firewallcmd-new action. I am seeing bans in the fail2ban logs, and I want to check in firewallcmd if they are blocked. How can I do it?

fail2ban

2 Answers

  1. Best Answer

    First, I strongly recommend that you use banaction = firewallcmd-ipset as this will provide much better performance when the ban list starts getting large.

    Now, with any of fail2ban's firewalld actions, it will add a direct rule, which you can inspect with firewall-cmd --direct --get-all-rules:

    # firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT 0 -p tcp -m multiport --dports 0:65535 -m set --match-set fail2ban-nginx-http-auth src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT 0 -p tcp -m multiport --dports http,https -m set --match-set fail2ban-nginx-wordpress-login src -j REJECT --reject-with icmp-port-unreachable

    As you can see, I am using firewallcmd-ipset, so the actual banned IP addresses are not listed here. Instead, I find them with ipset list:

    # ipset list
Name: fail2ban-sshd
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 16528
References: 1
Members:

Name: fail2ban-nginx-http-auth
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 16528
References: 1
Members:

Name: fail2ban-nginx-wordpress-login
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 86400
Size in memory: 40656
References: 1
Members:
108.62.172.244 timeout 70819
108.62.172.121 timeout 82750
212.252.164.233 timeout 69907
108.62.24.87 timeout 58024
23.19.127.20 timeout 84310
### many more omitted...
    • 11

  2. Details here: https://fedoraproject.org/wiki/FirewallD#Which_zones_are_available.3F

    • List all zones with the enabled features.

      firewall-cmd --list-all-zones

    • Print zone with the enabled features. If zone is omitted, the default zone will be used.

      firewall-cmd [--zone=<zone>] --list-all

    If the above command is not displaying enough info, you can try

    For the most advanced usage, or for iptables experts, FirewallD provides a direct interface that allows you to pass raw iptables commands to it. Direct Interface rules are not persistent unless the --permanent is used.

    To see all custom chains or rules added to FirewallD:

    firewall-cmd --direct --get-all-chains

    firewall-cmd --direct --get-all-rules

    • 3