How To Block Routing/forwarding With Firewalld
On CentOS 7 with firewalld I have a box with numerous interfaces acting as a NAT gateway. This works but I noticed that it routes/forwards traffic not just from my internal zone to external zone but also between interfaces within the internal zone. How can I prevent that traffic?
I’ve tried adding direct and rich rules to deny the traffic but it doesn’t work. Direct:
`firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 10.110.4.0/22 -d 10.110.0.0/22 -j REJECT`
That command works, and I see it in `iptables -L` but traffic is still allowed. Rich:
```
# firewall-cmd --zone=trusted --add-rich-rule='rule family=ipv4 source address=10.110.4.0/22 destination address=10.110.0.0/22 reject'
Error: INVALID_RULE: destination action
```
I can’t find any explanation of what that error means. So, how do you tell firewalld to stop forwarding traffic between interfaces?
```
# firewall-cmd --get-active-zones
public
  interfaces: ens161 ens193
trusted
  interfaces: ens192 ens224 ens256 lo
# firewall-cmd --list-all
public (default, active)
  interfaces: ens161 ens193
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
```
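As an added example (not part of the original post), here is one defender-side way to stop the gateway from forwarding between two internal subnets: forwarded packets traverse the iptables FORWARD chain, never INPUT, so the direct rule has to go into FORWARD. The subnet-to-interface mapping, the DRY_RUN switch and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: block forwarding between two internal subnets on a
# firewalld NAT gateway. Assumed layout (not from the original post):
# 10.110.4.0/22 sits behind ens192 and 10.110.0.0/22 behind ens224,
# both interfaces currently in zone "trusted".
#
# Direct rules are inserted straight into iptables. Forwarded traffic is
# evaluated in the FORWARD chain, so a REJECT in INPUT never sees it.
# --permanent writes the rule to the config; --reload activates it.

DRY_RUN="${DRY_RUN:-0}"   # set DRY_RUN=1 to print commands instead of running

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Reject forwarded traffic in both directions between two networks.
block_forwarding() {
    src_net="$1"; dst_net="$2"
    # priority 0 places these ahead of firewalld's own zone chains
    run firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 \
        -s "$src_net" -d "$dst_net" -j REJECT
    run firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 \
        -s "$dst_net" -d "$src_net" -j REJECT
}

# Apply the isolation for the two assumed internal subnets and reload.
isolate_subnets() {
    block_forwarding 10.110.4.0/22 10.110.0.0/22
    run firewall-cmd --reload
}

# Show what firewalld actually loaded, to verify the rules landed in FORWARD.
show_direct_rules() {
    run firewall-cmd --direct --get-all-rules
}
```

Run `DRY_RUN=1 sh -c '. ./isolate.sh; isolate_subnets'` first to review the exact commands, then without DRY_RUN on the gateway and confirm with `show_direct_rules` and `iptables -L FORWARD -n`.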
2 thoughts on - How To Block Routing/forwarding With Firewalld
(Caveat: I’m a firewalld virgin so know only what I’ve read.)
I believe firewalld works in terms of “zones”, not interfaces. An interface belongs to a zone. So you need to create new zones that contain each interface you want to isolate, based on the default zone properties. You can then issue rules based on those zones.
Yes, to me too it sort of defies basic logic; one would expect to be able to block/ban a host with a “rich rule”
(actually there are quite a few articles on the net stating it should be doing that).
```
public (active)
  interfaces: em3
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="192.168.2.0/24" reject
```
Yet hosts from 192.168.2.0/24 (which is firewalld’s “work” zone) are able to masquerade and access everything (in this case the whole Internet) behind the em3 interface. It smells like a bug to me.