
Question 1

I have a very long list (1500+ IPs) in a file, let's say /etc/blocklist.ips, one IP per line. How can I DROP every IP in the file with firewalld on CentOS 7? Also, I've been looking and there are .xml files in the /firewalld folder, so does this mean I should create my blocklist in a .xml file?

Question 2

Firewalld being stopped doesn't mean rules created with firewalld are not working in iptables, right?

Question 3

Will flushing iptables also delete everything in firewalld?

MikZuit
  • Thank you for posting on ServerFault. Getting good answers requires the effort of [writing a good question](http://meta.serverfault.com/a/3609/37681) and as it stands now yours is three, albeit somewhat related, questions in one, making it slightly difficult to provide you with a quality answer. – HBruijn Mar 09 '15 at 20:44

1 Answer


The best way to manage firewall rules with large numbers of IP-addresses remains with ipset.

Then create a set of ip-addresses:

ipset create blacklist hash:ip hashsize 4096

and add each of the ip-addresses you need to block:

ipset add blacklist 192.168.0.5 
ipset add blacklist 192.168.0.100 
ipset add blacklist 192.168.0.220

AFAIK firewalld does not yet have an API method for adding the required iptables rule that works on the set match module, so you're going to end up doing something slightly ugly like this, I think:

firewall-cmd --direct --add-rule ipv4 filter INPUT 0  -m set --match-set blacklist src -j DROP 

instead of the usual `iptables -I INPUT -m set --match-set blacklist src -j DROP` you would have done without firewalld.

HBruijn
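Putting the answer's three steps together for the file described in the question, as an added example (this script is not from the answer, nor from the ipset or firewalld projects): it validates each line of the file, loads the whole set with a single `ipset restore` instead of 1500 separate `ipset add` calls, and adds the direct rule both permanently and at runtime. The path /etc/blocklist.ips and the set name `blacklist` come from the question and answer; the function names, the `apply` argument and the sample entries are assumptions made here. It goes slightly beyond the answer by using `hash:net` instead of `hash:ip`, so CIDR blocks in the file are accepted alongside single addresses.

```shell
#!/bin/sh
# Added example (not from the original answer): load a one-IP-per-line file
# into an ipset in one shot and attach it to firewalld's INPUT chain.
# Assumes ipset and firewall-cmd are installed.  BLOCKLIST and SET_NAME are
# hypothetical defaults and can be overridden from the environment.
set -eu
set -f   # no filename globbing: lines read from the file are never expanded

BLOCKLIST=${BLOCKLIST:-/etc/blocklist.ips}
SET_NAME=${SET_NAME:-blacklist}

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /0..32 prefix.
is_ipv4_net() {
  addr=${1%%/*}
  case $1 in
    */*) plen=${1#*/} ;;
    *)   plen=32 ;;
  esac
  case $plen in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 32 ] || return 1
  case $addr in ''|*[!0-9.]*) return 1 ;; esac
  old_ifs=$IFS; IFS=.
  set -- $addr
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print an `ipset restore` batch for FILE: a create line, then one add line per
# valid entry.  Blank lines and '#' comments are skipped; malformed entries are
# reported on stderr and dropped instead of aborting the whole load.  hash:net
# takes both single addresses and CIDR blocks; -exist makes re-runs idempotent.
build_ipset_batch() {
  file=$1; set_name=$2
  printf 'create %s hash:net family inet hashsize 4096 maxelem 65536 -exist\n' "$set_name"
  while read -r line || [ -n "$line" ]; do
    line=${line%%#*}           # drop a trailing comment
    set -- $line               # word-split to trim whitespace (globbing is off)
    [ $# -eq 0 ] && continue
    line=$*                    # "1.2.3.4 junk" stays two words and fails validation
    if is_ipv4_net "$line"; then
      printf 'add %s %s -exist\n' "$set_name" "$line"
    else
      printf 'blocklist: skipping malformed entry "%s"\n' "$line" >&2
    fi
  done < "$file"
}

# Load the set atomically, then hook it into firewalld.  --permanent records the
# rule in /etc/firewalld/direct.xml so it survives a reload; the second call
# applies it to the running firewall immediately.  The set's contents are not
# persisted by firewalld: re-run this at boot, or save them with `ipset save`.
apply_blocklist() {
  build_ipset_batch "$BLOCKLIST" "$SET_NAME" | ipset restore
  firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 \
    -m set --match-set "$SET_NAME" src -j DROP
  firewall-cmd --direct --add-rule ipv4 filter INPUT 0 \
    -m set --match-set "$SET_NAME" src -j DROP
}

# Dry run on a constructed sample file: shows the generated batch without
# touching ipset or firewalld.  Two of the entries are deliberately malformed.
demo_batch() {
  tmp=$(mktemp)
  printf '%s\n' '192.168.0.5' '  192.168.0.100   # noisy scanner' '' \
    '10.0.0.0/8' '999.1.1.1' 'not-an-ip' '192.168.0.220' > "$tmp"
  build_ipset_batch "$tmp" "$SET_NAME" 2>/dev/null
  rm -f "$tmp"
}

case ${1:-} in
  apply) apply_blocklist ;;
  *)     demo_batch ;;
esac
```

Run with no arguments to see the batch generated for the constructed sample; `sh blocklist.sh apply` loads the real file and installs the rule. On the question's other two points: the ipset lives in the kernel independently of both the iptables rules and firewalld, so `iptables -F` removes the DROP rule but leaves the set populated, and firewalld (with its default `CleanupOnExit=yes`) flushes the rules it installed, direct rules included, when the service is stopped.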