How To Block Routing/forwarding With Firewalld

On CentOS 7 with firewalld I have a box with numerous interfaces acting as a NAT gateway. This works but I noticed that it routes/forwards traffic not just from my internal zone to external zone but also between interfaces within the internal zone. How can I prevent that traffic?

I’ve tried adding direct and rich rules to deny the traffic but it doesn’t work. Direct:

firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 10.110.4.0/22 -d 10.110.0.0/22 -j REJECT

That command works, and I see it in `iptables -L` but traffic is still allowed. Rich:

# firewall-cmd --zone=trusted --add-rich-rule='rule family=ipv4 source address=10.110.4.0/22 destination address=10.110.0.0/22 reject'
Error: INVALID_RULE: destination action

I can’t find any explanation of what that error means. So, how do you tell firewalld to stop forwarding traffic between interfaces?

# firewall-cmd --get-active-zones
public
  interfaces: ens161 ens193
trusted
  interfaces: ens192 ens224 ens256 lo

# firewall-cmd --list-all
public (default, active)
  interfaces: ens161 ens193
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:

2 thoughts on - How To Block Routing/forwarding With Firewalld

  • (Caveat: I’m a firewalld virgin, so I know only what I’ve read.)

    I believe firewalld works in terms of “zones”, not interfaces. An interface belongs to a zone. So you need to create new zones that contain each interface you want to isolate, based on the default zone properties. You can then issue rules based on those zones.

  • Yes, to me too it sort of defies basic logic – one would expect to be able with a “rich rule” to block/ban a host
    (actually there are quite a few articles on the net stating it should be doing that)

    public (active)
      interfaces: em3
      sources:
      services: dhcpv6-client ssh
      ports:
      masquerade: yes
      forward-ports:
      icmp-blocks:
      rich rules:
        rule family="ipv4" source address="192.168.2.0/24" reject

    yet hosts from 192.168.2.0/24 (which is in firewalld’s zone “work”) are able to masquerade and access everything (in this case the whole Internet) behind the em3 interface. It smells like a bug to me.
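
An added example, not code from the thread, that ties the first reply's per-interface zones to the question's direct rule: the REJECT must sit in the FORWARD chain, because routed traffic never traverses INPUT, so the INPUT rule in the question shows up in `iptables -L` yet matches nothing. Which subnet sits behind which interface and ssh as the only inbound service are assumptions; the script prints the firewall-cmd calls unless FIREWALLD_DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread). Interface names and the two subnets are
# the ones in the question; the subnet-to-interface mapping is assumed.
# Safe by default: commands are printed, not executed. Run with
# FIREWALLD_DRY_RUN=0 as root to apply them.

fw() {
    if [ "${FIREWALLD_DRY_RUN:-1}" = "1" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# One permanent zone per internal interface, so later rules can name the zone
# rather than the interface (the first reply's point). --change-interface
# moves the interface out of its current zone (trusted) instead of failing
# with a zone conflict. Only ssh is allowed in; adjust to taste.
isolate_iface() {  # isolate_iface ZONE IFACE
    fw --permanent --new-zone="$1"
    fw --permanent --zone="$1" --change-interface="$2"
    fw --permanent --zone="$1" --add-service=ssh
}

# Reject routed traffic in both directions between two internal subnets.
# Direct rules go into FORWARD_direct, which firewalld consults before its
# zone chains, so this takes precedence over a zone's ACCEPT target. The
# conntrack ESTABLISHED rule sits even earlier, so connections already open
# when the rule is added survive until they close; new ones are rejected.
reject_between() {  # reject_between SUBNET_A SUBNET_B
    fw --permanent --direct --add-rule ipv4 filter FORWARD 0 -s "$1" -d "$2" -j REJECT
    fw --permanent --direct --add-rule ipv4 filter FORWARD 0 -s "$2" -d "$1" -j REJECT
}

main() {
    isolate_iface int0 ens192   # assumed: 10.110.0.0/22 is behind ens192
    isolate_iface int1 ens224   # assumed: 10.110.4.0/22 is behind ens224
    reject_between 10.110.0.0/22 10.110.4.0/22
    fw --reload                 # permanent changes take effect only after a reload
}

main
```

Verify afterwards with `firewall-cmd --direct --get-all-rules`, and confirm from a host in one subnet that new connections to the other are refused while Internet access via the masquerading public zone still works.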