using firewalld and firewall-cmd how to add-rule to primary INPUT chain not INPUT_direct
So after reading the firewalld man page and the Fedora documentation, I have come to the understanding that to add a custom rule to the firewall with specific arguments I need to use the structure



 firewall-cmd [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>


What I am specifically trying to do is create a custom rule with geoip matching to block out everything that doesn't originate from the US. Before I do this I need to first add a matching rule that allows access from my local network, as I am controlling the server through ssh on a local private network, so I add a rule like so



 firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 192.168.0.0/24 -j ACCEPT


I then add a second rule like so



 firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -m geoip ! --src-cc US -j DROP


These add to the INPUT chain, but under a sub-chain called INPUT_direct; this sub-chain is listed third in the generic, unchanged INPUT rule list, and a quick



 iptables -L INPUT


shows the INPUT chain as this



 Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


and INPUT_direct as



 Chain INPUT_direct (1 references)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 anywhere
DROP all -- anywhere anywhere -m geoip ! --source-country US


This may work for some, but if I run



 ping france.fr


I get as a result



 PING france.fr (46.18.192.148) 56(84) bytes of data.
64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=1 ttl=52 time=136 ms
64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=2 ttl=52 time=135 ms
64 bytes from ns1-sgg.produhost.net (46.18.192.148): icmp_seq=3 ttl=52 time=136 ms


This is more than likely due to INPUT rule #1:



 iptables -L INPUT 1

 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED


I realize that I could simply apply the same custom ruleset to the OUTPUT chain and block the ping request to france.fr, or anything external to the US, but how could I add the ruleset to the base INPUT chain so that



 iptables -L INPUT


shows this instead



 Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 anywhere
DROP all -- anywhere anywhere -m geoip ! --source-country US
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


I ask this because I feel that what I want, instead of what firewall-cmd produces, is a bit more secure; am I wrong? I would like to keep the firewall controlled by firewalld instead of dropping firewalld and reverting to iptables, for better future integration and to avoid possible deprecation issues. So is this even possible with firewalld, or am I going to be forced to run a custom script at boot that includes



 iptables -I INPUT 1 -s 192.168.0.0/24 -j ACCEPT
iptables -I INPUT 2 -m geoip ! --src-cc US -j DROP


and if that is the option, where do I place this script?
      networking command-line fedora iptables firewalld
      asked Oct 7 '15 at 18:24
Chris
          1 Answer
At the moment the best way to effectuate this is to do exactly what I had proposed, which is to add not only the incoming drop rule but also the outgoing drop, so the commands would be



           firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s 192.168.0.0/24 -j ACCEPT
          firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m geoip ! --src-cc US -j DROP
          firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 192.168.0.0/24 -j ACCEPT
          firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -m geoip ! --dst-cc US -j DROP


Currently there is no other way to add the rule directly to the INPUT or OUTPUT chain through firewall-cmd.



I only set out to do this because I felt that if some sort of worm or malware got inside my server, its outgoing connection to whatever country would be considered RELATED, ASSURED, or ESTABLISHED, but this method of just adding to the delegate_output chain seems to be working to block all outgoing connections, so I am satisfied.



I am more than sure someone could better this answer by explaining how I could put the command in some init script or systemd script, but I think I would be happier if Fedora would just figure out an option that would add it directly to the primary chain, but maybe this is bad practice.
                edited Nov 4 '15 at 22:46
                answered Oct 26 '15 at 17:18
Chris
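As an added illustration (not code from the question or the answer, and not a firewalld API), the following Python models netfilter's first-match chain traversal and replays three layouts: the INPUT chain exactly as the question's `iptables -L INPUT` listing orders it (direct rules inside INPUT_direct), the ordering the asker wants (direct rules at the head of INPUT), and the answer's OUTPUT_direct workaround. The geoip lookup table, the packets, the reduction of INPUT_ZONES to a single ssh allow, the reading of the bare `ACCEPT all` line as firewalld's `-i lo` rule, and OUTPUT as a bare jump to OUTPUT_direct are all constructed assumptions made for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Callable

# Constructed stand-in for the xt_geoip database; a missing entry is simply "not US".
GEOIP = {"46.18.192.148": "FR", "8.8.8.8": "US"}
LAN = ipaddress.ip_network("192.168.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    ctstate: str    # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    dport: int = 0
    iface: str = "eth0"


@dataclass(frozen=True)
class Rule:
    match: Callable[[Packet], bool]
    target: str     # ACCEPT, DROP, REJECT, or the name of a user chain to jump to


def walk(chains: dict[str, list[Rule]], chain: str, pkt: Packet, policy: str = "ACCEPT") -> str:
    """Netfilter semantics: the first matching terminal rule wins; a user chain that
    runs off its end returns to the caller, which continues with its next rule."""
    for rule in chains[chain]:
        if not rule.match(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target
        verdict = walk(chains, rule.target, pkt, policy="RETURN")
        if verdict != "RETURN":
            return verdict
    return policy


def not_us(addr: str) -> bool:
    """`-m geoip ! --src-cc US` (or `! --dst-cc US`) against the constructed table."""
    return GEOIP.get(addr) != "US"


def firewalld_chains() -> dict[str, list[Rule]]:
    """INPUT in the order the question's `iptables -L INPUT` lists it. Assumptions:
    the bare "ACCEPT all" line is firewalld's `-i lo` accept, INPUT_ZONES is reduced
    to the default public zone's ssh allow, and OUTPUT only jumps to OUTPUT_direct."""
    direct = [
        Rule(lambda p: ipaddress.ip_address(p.src) in LAN, "ACCEPT"),   # -s 192.168.0.0/24 -j ACCEPT
        Rule(lambda p: not_us(p.src), "DROP"),                           # -m geoip ! --src-cc US -j DROP
    ]
    return {
        "INPUT": [
            Rule(lambda p: p.ctstate in ("RELATED", "ESTABLISHED"), "ACCEPT"),
            Rule(lambda p: p.iface == "lo", "ACCEPT"),
            Rule(lambda p: True, "INPUT_direct"),
            Rule(lambda p: True, "INPUT_ZONES_SOURCE"),
            Rule(lambda p: True, "INPUT_ZONES"),
            Rule(lambda p: p.proto == "icmp", "ACCEPT"),
            Rule(lambda p: p.ctstate == "INVALID", "DROP"),
            Rule(lambda p: True, "REJECT"),
        ],
        "INPUT_direct": direct,
        "INPUT_ZONES_SOURCE": [],
        "INPUT_ZONES": [Rule(lambda p: p.proto == "tcp" and p.dport == 22, "ACCEPT")],
        "OUTPUT": [Rule(lambda p: True, "OUTPUT_direct")],
        "OUTPUT_direct": [],
    }


def wanted_chains() -> dict[str, list[Rule]]:
    """What the question asks for: the two direct rules at the top of INPUT itself."""
    chains = firewalld_chains()
    chains["INPUT"] = chains["INPUT_direct"] + chains["INPUT"]
    chains["INPUT_direct"] = []
    return chains


def answer_chains() -> dict[str, list[Rule]]:
    """The answer's workaround: firewalld's layout plus the two OUTPUT_direct rules."""
    chains = firewalld_chains()
    chains["OUTPUT_direct"] = [
        Rule(lambda p: ipaddress.ip_address(p.dst) in LAN, "ACCEPT"),   # -d 192.168.0.0/24 -j ACCEPT
        Rule(lambda p: not_us(p.dst), "DROP"),                           # -m geoip ! --dst-cc US -j DROP
    ]
    return chains


# Constructed packets; 192.168.0.5 plays the server.
PING_REPLY_FR = Packet("46.18.192.148", "192.168.0.5", "icmp", "ESTABLISHED")
SYN_FROM_FR = Packet("46.18.192.148", "192.168.0.5", "tcp", "NEW", dport=22)
SSH_FROM_LAN = Packet("192.168.0.10", "192.168.0.5", "tcp", "NEW", dport=22)
SSH_FROM_US = Packet("8.8.8.8", "192.168.0.5", "tcp", "NEW", dport=22)
PING_REQUEST_TO_FR = Packet("192.168.0.5", "46.18.192.148", "icmp", "NEW")

if __name__ == "__main__":
    layouts = (("firewalld", firewalld_chains()), ("wanted", wanted_chains()), ("answer", answer_chains()))
    cases = (("INPUT", PING_REPLY_FR), ("INPUT", SYN_FROM_FR), ("INPUT", SSH_FROM_LAN),
             ("INPUT", SSH_FROM_US), ("OUTPUT", PING_REQUEST_TO_FR))
    for label, chains in layouts:
        for chain, pkt in cases:
            print(f"{label:9} {chain:6} {pkt.src:>15} -> {pkt.dst:<15} {pkt.proto:4} "
                  f"{pkt.ctstate:11} {walk(chains, chain, pkt)}")
```

Running it puts the point of the question in one table: under firewalld's layout the reply from 46.18.192.148 is accepted by the RELATED,ESTABLISHED rule before INPUT_direct is ever consulted, so the geoip drop only ever sees NEW inbound connections; moving the two rules to the head of INPUT drops that reply, and the answer's OUTPUT_direct rule drops the echo request instead, so no reply ever comes back. One caveat visible in the "wanted" layout: the LAN accept also sits ahead of the `ctstate INVALID` drop, so malformed packets from 192.168.0.0/24 are accepted rather than dropped.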