[CentOS] CentOS 7 - Firewall always allows outgoing packets?

Tue Aug 12 15:58:41 UTC 2014
Jonathan Billings <billings at negate.org>

On Tue, Aug 12, 2014 at 09:59:17AM -0500, Valeri Galtsev wrote:
>
> Wonderful!
> 
> Can you do with firewalld an equivalent of the following done with iptables:
> 
> :SSHSCAN - [0:0]
> -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
> -A SSHSCAN -m recent --set --name SSH
> -A SSHSCAN -m recent --update --seconds 300 --hitcount 10 --name SSH -j DROP
> -A INPUT -p tcp --dport 22 -j ACCEPT

Yes, I believe that's possible with the 'firewall-cmd --direct
--addchain ...' and 'firewall-cmd --direct --add-rule ...' syntax:

# firewall-cmd --permanent --direct --add-chain ipv4 filter SSHSCAN
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter IN_public_allow -p tcp --dport 22 -m state --state NEW -j SSHSCAN
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter IN_public_allow 0 -p tcp --dport 22 -m state --state NEW -j SSHSCAN
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter SSHSCAN 0 -m recent --set --name SSH
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter SSHSCAN 1 -m recent --update --seconds 300 --hitcount 10 --name SSH -j DROP
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter IN_public_allow 1 -p tcp --dport 22 -j ACCEPT
success

This has the handy side-effect of being able to just drop this in
/etc/firewalld/direct.xml:

# cat /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <chain table="filter" ipv="ipv4" chain="SSHSCAN"/>
  <rule priority="0" table="filter" ipv="ipv4" chain="IN_public_allow">-p tcp --dport 22 -m state --state NEW -j SSHSCAN</rule>
  <rule priority="1" table="filter" ipv="ipv4" chain="IN_public_allow">-p tcp --dport 22 -j ACCEPT</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="SSHSCAN">-m recent --set --name SSH</rule>
  <rule priority="1" table="filter" ipv="ipv4" chain="SSHSCAN">-m recent --update --seconds 300 --hitcount 10 --name SSH -j DROP</rule>
</direct>


You could also make sure that it's added to other zones other than
'public' (by using something other than IN_public_allow).

This is a *great* example of why firewalld wins over the old
monolithic /etc/sysconfig/iptables.  It's just a file I can manage
with my CM tools.  Changes to other firewall rules (such as allowing
in port 80 for web servers) doesn't rewrite editing this file.


-- 
Jonathan Billings <billings at negate.org>