[CentOS] How to block routing/forwarding with firewalld

Tue Jul 12 17:20:11 UTC 2016
Jeff White <jeff.white at wsu.edu>

On CentOS 7 with firewalld I have a box with numerous interfaces acting 
as a NAT gateway.  This works but I noticed that it routes/forwards 
traffic not just from my internal zone to external zone but also between 
interfaces within the internal zone.  How can I prevent that traffic?

I've tried adding direct and rich rules to deny the traffic but it 
doesn't work.  Direct:

firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 10.110.4.0/22 -d 
10.110.0.0/22 -j REJECT

That command works, and I see it in `iptables -L` but traffic is still 
allowed.  Rich:

# firewall-cmd --zone=trusted --add-rich-rule='rule family=ipv4 source 
address=10.110.4.0/22 destination address=10.110.0.0/22 reject'
Error: INVALID_RULE: destination action

I can't find any explanation of what that error means.  So, how do you 
tell firewalld to stop forwarding traffic between interfaces?



# firewall-cmd --get-active-zones
public
   interfaces: ens161 ens193
trusted
   interfaces: ens192 ens224 ens256 lo

# firewall-cmd --list-all
public (default, active)
   interfaces: ens161 ens193
   sources:
   services: dhcpv6-client ssh
   ports:
   masquerade: yes
   forward-ports:
   icmp-blocks:
   rich rules:

-- 
Jeff White
HPC Systems Engineer
Information Technology Services - WSU