How to check if firewalld is blocking an incoming ip address

fail2banfirewalld

I have CentOS 7 with firewalld. I installed fail2ban and using the firewallcmd-new action. I am seeing bans in the fail2ban logs, and I want to check in firewallcmd if they are blocked. How can I do it?

Best Answer

First, I strongly recommend that you use banaction = firewallcmd-ipset as this will provide much better performance when the ban list starts getting large.

Now, with any of fail2ban's firewalld actions, it will add a direct rule, which you can inspect with firewall-cmd --direct --get-all-rules:

# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT 0 -p tcp -m multiport --dports 0:65535 -m set --match-set fail2ban-nginx-http-auth src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT 0 -p tcp -m multiport --dports http,https -m set --match-set fail2ban-nginx-wordpress-login src -j REJECT --reject-with icmp-port-unreachable

As you can see, I am using firewallcmd-ipset, so the actual banned IP addresses are not listed here. Instead, I find them with ipset list:

# ipset list
Name: fail2ban-sshd
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 16528
References: 1
Members:

Name: fail2ban-nginx-http-auth
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 16528
References: 1
Members:

Name: fail2ban-nginx-wordpress-login
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 86400
Size in memory: 40656
References: 1
Members:
108.62.172.244 timeout 70819
108.62.172.121 timeout 82750
212.252.164.233 timeout 69907
108.62.24.87 timeout 58024
23.19.127.20 timeout 84310
### many more omitted...
Related Topic