Why FirewallD is not blocking IPs with ‘reject’ rules

fail2banfirewalldipsetubuntu-18.04

My setup is the follow:

fail2ban with some jails (working fine) using FirewallD to block the caught IPs.

Here is my default Firewall:

myzone
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: rcsa dhcpv6-client http https
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="79.48.51.171" port port="3306" protocol="tcp" accept
        rule family="ipv4" source address="155.121.53.253" port port="22" protocol="tcp" accept
        rule family="ipv4" source address="79.48.51.171" port port="22" protocol="tcp" accept

So the ports 80 and 443/tcp are open.

Then, i trigger some fail2ban rules (using an online proxy) and i get this in firewall:

myzone
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: rcsa dhcpv6-client http https
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="79.48.51.171" port port="3306" protocol="tcp" accept
        rule family="ipv4" source address="155.121.53.253" port port="22" protocol="tcp" accept
        rule family="ipv4" source address="79.48.51.171" port port="22" protocol="tcp" accept
        rule family="ipv4" source address="37.58.58.206" port port="http" protocol="tcp" reject type="icmp-port-unreachable"
        rule family="ipv4" source address="37.58.58.206" port port="https" protocol="tcp" reject type="icmp-port-unreachable"

So, 2 new rules are added. Fine. Still, that IP is not rejected at all and continues to flood my server despite of those rules in FirewallD.

Is there something wrong with this? I'm switching from UFW to FirewallD.

Best Answer

Debian/Ubuntu don't have a default banaction for firewalld because that's not the default firewall for those distributions.

You should set banaction = firewallcmd-ipset, to make an ipset that fail2ban will insert banned addresses into, and which will then be called from the firewall. Red Hat systems already include this configuration bit, because they use firewalld by default. So you can simply create the same file that they include, at /etc/fail2ban/jail.d/00-firewalld.conf

[DEFAULT]
banaction = firewallcmd-ipset

Related Solutions

CentOS Iptables Fail2Ban – Fix ‘Set Does Not Exist’ Error in Fail2Ban

The ipset command requires IP SET support in the kernel. Specifically, you would be looking for the following settings:

CONFIG_IP_SET=m
CONFIG_IP_SET_HASH_IP=m

And it seems that your kernel is built without ipset support, or at the least, it cannot find these modules. Solve that issue and your error should go away.

Try running find /lib/modules/$(uname -r) -name ip_set.ko to see if you current kernel supports them, and also find /lib/modules -name ip_set.ko to see if any of the installed kernel supports them.

If you need more help, you would have to tell us:

What version of CentOS you are using
What kernel you are running
How you installed fail2ban (from the EPEL repository or manually?)

I should also note that the version of ipset reported in your question (6.19) is what CentOS 7 comes with, so if you are using the original kernel and fail2ban from the EPEL repo everything should just work.

CentOS 6.5 also has support for ip sets and fail2ban is available in EPEL for CentOS 6. These should also work fine.

However, if you are running CentOS 5, then you are likely out of luck. You may have some luck building the modules that ipset comes with, but I am not sure the CentOS 5 kernel is supported at all. If you actually managed to pull that off, and later upgraded the kernel, then it is just a matter of rebuilding the modules for the new kernel.

Firewalld – Blocking All But a Few IPs

The rich rules aren't necessary at all.

If you want to restrict a zone to a specific set of IPs, simply define those IPs as sources for the zone itself (and remove any interface definition that may be present, as they override source IPs).

You probably don't want to do this to the "public" zone, though, since that's semantically meant for public facing services to be open to the world.

Instead, try using a different zone such as "internal" for mostly trusted IP addresses to access potentially sensitive services such as sshd. (You can also create your own zones.)

Warning: don't mistake the special "trusted" zone with the normal "internal" zone. Any sources added to the "trusted" zone will be allowed through on all ports; adding services to "trusted" zone is allowed but it doesn't make any sense to do so.

firewall-cmd --zone=internal --add-service=ssh
firewall-cmd --zone=internal --add-source=192.168.56.105/32
firewall-cmd --zone=internal --add-source=192.168.56.120/32
firewall-cmd --zone=public --remove-service=ssh

The result of this will be a "internal" zone which permits access to ssh, but only from the two given IP addresses. To make it persistent, re-run each command with --permanent appended, or better, by using firewall-cmd --runtime-to-permanent.

Best Answer

Related Solutions

CentOS Iptables Fail2Ban – Fix ‘Set Does Not Exist’ Error in Fail2Ban

Firewalld – Blocking All But a Few IPs

Related Topic