[CentOS] Switching from lokkit (iptables) to firewalld

Tue Feb 4 02:22:17 UTC 2020
Thomas Stephen Lee <lee.iitb at gmail.com>

On Tue, Feb 4, 2020 at 5:34 AM Jerry Geis <jerry.geis at gmail.com> wrote:

> Hi All,
>
> Over the last 20 some years I have a file with about 200K worth of addresses
> that have "wrongly" tried to connect to my boxes running CentOS.  So the
> file has one line per address or group of addresses like:
> 2.244.112.0/24
>
> So using the OLD iptables I would run through my file, build the
> iptables.txt file, and start that with DROP for the IP address. iptables ran
> through the big list in no time.
>
> I was trying to run a script to go through each line and run:
>  firewall-cmd --zone=drop --add-source="$ipblock" --permanent
> but this takes a long time.
>
> What is a "better" way or more efficient way to keep my long list of bad
> addresses and apply them?  Thanks,
>
> Jerry
>

Hi,

If you are using CentOS 7, you can use ipset.

You can add all your IPs and IP ranges to an ipset and do operations on it.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-setting_and_controlling_ip_sets_using_firewalld

The same should have worked for CentOS 8 except for this,

https://bugzilla.redhat.com/show_bug.cgi?id=1774742

---
Lee
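The ipset approach Lee points to, as an added shell example that is not part of the thread: it loads the whole blocklist into one firewalld ipset with a single firewall-cmd call instead of one call per address, then binds the set to the drop zone. It assumes CentOS 7 with firewalld, running as root, a hypothetical set name `badhosts`, a hypothetical list path `/etc/badhosts.txt`, and an IPv4-only list.

```shell
#!/bin/sh
# Bulk-load a blocklist into a firewalld ipset and bind the set to the drop zone.
# Assumes: CentOS 7, firewalld running, executed as root (assumption, not from the thread).

SET_NAME="badhosts"                            # hypothetical ipset name
BLOCKLIST="${BLOCKLIST:-/etc/badhosts.txt}"    # hypothetical path; one IPv4 address or CIDR per line

# Keep only lines that look like an IPv4 address or CIDR; drop comments, blanks and junk.
# A malformed line would otherwise make the whole --add-entries-from-file call fail.
clean_blocklist() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' "$1"
}

# Number of usable entries in a list file (used to size the set).
count_entries() {
    clean_blocklist "$1" | wc -l | tr -d ' '
}

load_blocklist() {
    tmp=$(mktemp) || return 1
    clean_blocklist "$BLOCKLIST" > "$tmp"
    # hash:net holds both single addresses and CIDR ranges; the default maxelem
    # is 65536, so raise it above the number of entries in the list.
    firewall-cmd --permanent --new-ipset="$SET_NAME" --type=hash:net \
        --option=maxelem=1000000
    # One call for the whole file instead of one firewall-cmd per address.
    firewall-cmd --permanent --ipset="$SET_NAME" --add-entries-from-file="$tmp"
    # Any packet whose source is in the set is handled by the drop zone.
    firewall-cmd --permanent --zone=drop --add-source="ipset:$SET_NAME"
    firewall-cmd --reload
    rm -f "$tmp"
}

# Only touch the firewall when explicitly asked: ./script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    load_blocklist
fi
```

Later changes can be made with `firewall-cmd --permanent --ipset=badhosts --add-entry=...` or `--remove-entry=...` followed by a reload, without rebuilding the set.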