How can I use docker without sudo?

Question

George Udosen

Asked: 2018-10-10 05:45:18 +0800 CST2018-10-10 05:45:18 +0800 CST 2018-10-10 05:45:18 +0800 CST

Block Webpage Using Firewalld

772

I am trying to get my firewalld to block an ip address with the rules:

sudo firewall-cmd --zone=block --add-source=<ip_address/submask> --permanent, and also adding this richrule to the default zone (public)
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address=<ip_address> reject, then finally I reload the rule with sudo firewall-cmd --reload

But still I can navigate to the sites in my browser. Obviously I am doing some thing wrong. How can I block access to any webpage using firewalld.

These are my zone rules set:

block (active)
  interfaces: enp0s3
  sources: 172.217.5.110/32 216.49.176.33/32
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 


public (default, active)
  interfaces: docker0
  sources: 
  services: dhcpv6-client ssh
  ports: 993/tcp 995/udp 995/tcp 22161/udp 4243/tcp 22/tcp 22/udp 465/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

1 Answers

Voted

George Udosen · Answer 1 · 2018-10-12T07:43:43+08:00

Ok after a lot of digging I finally got it to work. It requires I add what is called a direct rule, so to block an ip like 216.49.176.33 the rule to add would be:

sudo firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 216.49.176.33/32 -p tcp -m tcp --dport=80 -j DROP

sudo firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 216.49.176.33/32 -p tcp -m tcp --dport=443 -j DROP

Then reload with:

sudo firewall-cmd --reload

To see the added rules:

sudo firewall-cmd --direct --get-all-rules

Now remove the interface from the default zone which in my case was public as the rule says if:

if my interface is associated with a zone, in this case public then any requests from that interface will go through since the zone has no restrictions placed on the interface.

The rule used by firewalld is: When packet is received or generated, what zone matches that packet. Then the rules in that zone will be applied to the that packet to determine what happens to it.

To remove I used;

sudo firewall-cmd --permanent --remove-interface=enp0s3
sudo firewall-cmd --reload

NOTE:

After this you will have to clear browsing data from the browser(s) involved and after that you will be unable to access that ip address and note I also used the mask 32 to make sure those ip's that have with multiple ip's pointing to their domain will be block.

I also Of course the CHAIN option can be INPUT to prevent in ward bound traffic as well. The option --dport=<80|443> is used to catch both http and https traffics.

Usage:

usage: --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>

Block Webpage Using Firewalld

How to install Google Chrome

Is there a command to list all users? Also to add, delete, modify users, in the terminal?

How to delete a non-empty directory in Terminal?

How to unzip a zip file from the Terminal?

How can I copy the contents of a folder to another folder in a different directory using terminal?

How do I install a .deb file via the command line?

How do I run .sh scripts?

How do I install a .tar.gz (or .tar.bz2) file?

How to list all installed packages

Unable to lock the administration directory (/var/lib/dpkg/) is another process using it?