[TOP TIP] firewalld IP blacklist with timeout!

So, you want to quickly and reliably block IP addresses (or whole networks) directly on the firewall, but you don't want to maintain an ever-expanding list of IPs that eats your memory?

The solution comes with the 'ipset' package, which lets you create sets with an auto-expire timeout: once an entry's timer hits zero the IP address is removed from the set automatically, so there is no need for you to prune the list by hand.

On CentOS 7 you can install ipset via: yum install ipset

On Ubuntu you can install ipset via: apt-get install ipset

First, we need to create a blacklist. You may create as many as you want, based on your needs: for example one blacklist with a timeout of 1 day and another with a timeout of 1 month. (Each entry can also be given its own timeout when it is added, which overrides the set's default.)

Here is how to create an IPv4 set with an initial hash size of 4096 and the longest timeout ipset accepts, 4294967 seconds (roughly 49.7 days, not one month; for a 30-day default use 2592000 instead). Note that hash:ip stores individual host addresses; if you want to store whole networks, create a hash:net set instead:

# ipset create blacklist hash:ip family inet hashsize 4096 timeout 4294967

Next, tell the firewall (netfilter) via firewalld to drop every packet whose source address is in this set:

# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m set --match-set blacklist src -j DROP
# firewall-cmd --reload

One caveat: a set created with ipset lives only in the kernel. After a reboot it is gone, and firewalld will fail to load the direct rule until the set exists again, so make sure the set is recreated at boot before firewalld starts (for example from an 'ipset save' dump restored by the ipset service on CentOS 7).

Setup is over, now we can block an IP address with the following command (add 'timeout <seconds>' at the end to give that entry its own expiry instead of the set default):

# ipset add blacklist <IP>

and unblock it via:

# ipset del blacklist <IP>
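Putting the steps above together, here is a small wrapper script. This is an added example, not code from the original post: the set name "blacklist", the 1-day default ban length, the DRY_RUN switch and the conntrack flush are assumptions for illustration. It validates the address before it ever reaches ipset (bans are usually fed from log parsers, and an unvalidated string could smuggle extra options or garbage into the set), creates the set and the firewalld direct rule idempotently, lets each ban carry its own timeout, and for single hosts also deletes the existing conntrack entries so that an already-open connection from the banned address is cut, which the DROP rule alone does not do (see the note at the end of the post).

```sh
#!/bin/sh
# Added example, not from the original post: a wrapper around the ipset +
# firewalld procedure above. Assumptions for illustration: the set is called
# "blacklist", bans default to 1 day, and DRY_RUN=1 prints the commands
# instead of running them (root is needed for the real thing).
set -u

SET_NAME="${SET_NAME:-blacklist}"
DEFAULT_TIMEOUT="${DEFAULT_TIMEOUT:-86400}"   # per-entry timeout in seconds (1 day)
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or only print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Accept only a dotted-quad IPv4 address, optionally with a /prefix of 0-32.
# Bans usually come from log parsers, so never hand unvalidated text to ipset.
valid_ipv4() {
  addr="${1%%/*}"
  prefix=32
  case "$1" in */*) prefix="${1#*/}" ;; esac
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  case "$addr" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  oldifs=$IFS; IFS=.
  set -f; set -- $addr; set +f          # split on dots without glob expansion
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
  return 0
}

# Steps 1 and 2 of the post: create the set (idempotent thanks to -exist) and
# hook it into INPUT via firewalld's direct interface.
setup() {
  run ipset create -exist "$SET_NAME" hash:ip family inet hashsize 4096 timeout 4294967
  run firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 \
      -m set --match-set "$SET_NAME" src -j DROP
  run firewall-cmd --reload
}

# Ban an address for N seconds (default DEFAULT_TIMEOUT). The per-entry timeout
# overrides the set default; -exist keeps a repeated ban from failing. The DROP
# rule only catches new connections, so for a single host we also flush its
# existing conntrack entries (needs conntrack-tools; ignored if absent).
ban() {
  valid_ipv4 "${1:-}" || { echo "ban: not an IPv4 address/CIDR: ${1:-}" >&2; return 1; }
  run ipset add -exist "$SET_NAME" "$1" timeout "${2:-$DEFAULT_TIMEOUT}" || return 1
  case "$1" in
    */*) ;;                                   # CIDR entry: leave existing flows alone
    *)   run conntrack -D -s "$1" || true ;;
  esac
}

unban() {
  valid_ipv4 "${1:-}" || { echo "unban: not an IPv4 address/CIDR: ${1:-}" >&2; return 1; }
  run ipset del -exist "$SET_NAME" "$1"
}

main() {
  case "${1:-}" in
    setup) setup ;;
    ban)   ban "${2:-}" "${3:-}" ;;
    unban) unban "${2:-}" ;;
    list)  run ipset list "$SET_NAME" ;;      # shows each entry with its remaining seconds
    *)     echo "usage: $0 setup | ban <ip[/cidr]> [seconds] | unban <ip[/cidr]> | list" >&2
           return 2 ;;
  esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run 'setup' once as root, then 'ban 203.0.113.7 3600' to block a host for an hour and 'list' to see the remaining time of every entry. Keep in mind that a hash:ip set expands a CIDR entry into individual host addresses (bounded by the set's maxelem, 65536 by default), so large ranges belong in a hash:net set rather than this one.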

One last thing of note. firewalld puts direct rules into the INPUT_direct chain, and firewalld's INPUT chain only jumps there after its own rule that accepts packets belonging to ESTABLISHED (and RELATED) connections. That means a connection that was already open when you added the address keeps working; only new connections from it are dropped. If you want existing sessions cut as well, delete their conntrack entries after banning (conntrack -D -s <IP>, from the conntrack-tools package). I think it's worth mentioning this in case you are wondering why some XYZ IP still seems to be active after you banned it.

Be happy :)

