2021.09.13 - FirewallD - Part 2
Using FirewallD to block entire countries
Intro
If you haven't yet, you'll probably want to look over my intro to FirewallD, as I'll be building off that: https://nick.5i5.org/2021/03/02/FirewallD. I've found I have a huge issue with DDoS attacks from China. As the websites we host are only of local interest, it's pretty unlikely someone in China would legitimately be trying to access them. So if you want to be able to block large chunks of the world (or just a bunch of blocks of IP addresses), you are in the right spot, so read on!
Getting Started
First you'll want a list of IPs to block, in my case a list of all the IP addresses assigned to China. I found this website https://www.ipdeny.com/ipblocks/ which has text files for download. At the time I'm writing this their SSL cert seems to be messed up, which is why there's an extra flag in my wget command to ignore certificate errors: wget --no-check-certificate https://www.ipdeny.com/ipblocks/data/countries/cn.zone
Bear in mind what --no-check-certificate gives up: you have no assurance of who actually served the file, and this file is about to become firewall rules. Anyone who can tamper with the download can choose what you block, including the address you administer the server from, so look the file over before you load it.
You should end up with a nice long text file with one IP block on each line.
Configuring FirewallD
I'll be primarily following this guide by Red Hat. It's written for RHEL 7, but the FirewallD commands are the same on later releases. We'll be making an ipset to hold all of the addresses. Ipsets can only be created and deleted with the --permanent flag, and a --reload throws away any runtime changes that haven't been saved. So first we'll save the current running FirewallD settings, then create an ipset called BadIPs, bind it as a source to the block zone and reload firewalld. (The block zone rejects connections with an ICMP host-prohibited reply; if you would rather send nothing back to the hosts flooding you, use the drop zone instead.)
# firewall-cmd --runtime-to-permanent
# firewall-cmd --permanent --new-ipset=BadIPs --type=hash:net
# firewall-cmd --permanent --zone=block --add-source=ipset:BadIPs
# firewall-cmd --reload
# firewall-cmd --info-ipset=BadIPs
BadIPs
type: hash:net
options:
entries:
You can then either add a single entry or import the complete text file (importing the text file did take several minutes). Without --permanent these entries only go into the runtime set, which is what you want while testing, since a reload will undo them:
# firewall-cmd --ipset=BadIPs --add-entry=192.168.200.254
# firewall-cmd --ipset=BadIPs --add-entries-from-file=cn.zone
Test from the addresses you actually administer from, and check that none of them fall inside an imported block. Because the entries were only added to the runtime set, a mistake is recoverable: firewall-cmd --reload (from the console, if you did lock yourself out) drops back to the saved permanent config. Once everything still works, save the running config (firewall-cmd --runtime-to-permanent) and you are all set!
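Two of the steps above deserve a check before they hit the firewall: the zone file was fetched with certificate checking turned off, and the import step is where you can lock yourself out. The script below is an added example (mine, not Nick's, and not part of FirewallD or ipdeny.com): it validates that every line of the zone file is a proper CIDR, collapses redundant overlapping prefixes so the import has fewer entries to add, and refuses to emit anything if the list would block an address you rely on. The sample zone contents, the output file name cn.clean and the addresses 192.0.2.0/24 and 203.0.113.7 are constructed for the demo.

```python
#!/usr/bin/env python3
"""Sanity-check a country zone file before
firewall-cmd --ipset=BadIPs --add-entries-from-file=...

Added example, not from the original post. Every line must be a valid
IPv4/IPv6 prefix, overlapping prefixes are merged, and the list is
rejected if it would block any address you administer from.
"""
import ipaddress
import sys

# Constructed sample in the one-prefix-per-line format ipdeny.com uses.
# The prefixes are made up for the demo; 192.0.2.0/24 is a documentation
# range standing in for "the block your admin workstation lives in".
SAMPLE_ZONE = """\
# comment lines and blank lines are tolerated
1.0.1.0/24
1.0.2.0/23
1.0.1.0/25
192.0.2.0/24

1.0.8.0/21
"""


def parse_zone(text):
    """Return one ip_network per non-empty, non-comment line.
    strict=True rejects prefixes with host bits set, and the ValueError
    names the offending line, so a corrupted or tampered download is
    caught before it becomes firewall state."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError as e:
            raise ValueError(f"line {lineno}: {line!r}: {e}") from None
    return nets


def collapse(nets):
    """Merge overlapping and adjacent prefixes, per address family.
    Overlaps are legal in a hash:net set but redundant; fewer entries
    means a faster import. collapse_addresses() refuses mixed families,
    hence the split."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return (list(ipaddress.collapse_addresses(v4))
            + list(ipaddress.collapse_addresses(v6)))


def covering(nets, addr):
    """Return the first network in nets that contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for n in nets:
        if ip.version == n.version and ip in n:
            return n
    return None


def prepare(text, protect):
    """Validate and collapse a zone file.
    Returns (lines, problems): lines is the cleaned list ready for
    --add-entries-from-file, problems lists each protected address the
    list would block. Do not load the list if problems is non-empty."""
    nets = collapse(parse_zone(text))
    problems = []
    for addr in protect:
        hit = covering(nets, addr)
        if hit is not None:
            problems.append(f"{addr} is covered by {hit}")
    return [str(n) for n in nets], problems


if __name__ == "__main__":
    # Hypothetical usage: prepare_zone.py cn.zone 203.0.113.7 > cn.clean
    # With no arguments the embedded sample is used.
    path, *protect = sys.argv[1:] or ["-"]
    text = SAMPLE_ZONE if path == "-" else open(path).read()
    lines, problems = prepare(text, protect)
    if problems:
        for p in problems:
            print("REFUSING:", p, file=sys.stderr)
        sys.exit(1)
    print("\n".join(lines))
```

Run it against the downloaded cn.zone with every address you manage the server from as extra arguments, and feed the resulting file to firewall-cmd --ipset=BadIPs --add-entries-from-file instead of the raw download. A non-zero exit means one of those addresses is inside the list and the import would have cut you off.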
-Nick