How to check if firewalld is blocking an incoming ip address?

Solution 1:

First, I strongly recommend that you use banaction = firewallcmd-ipset as this will provide much better performance when the ban list starts getting large.

Now, with any of fail2ban's firewalld actions, it will add a direct rule, which you can inspect with firewall-cmd --direct --get-all-rules:

# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT 0 -p tcp -m multiport --dports 0:65535 -m set --match-set fail2ban-nginx-http-auth src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT 0 -p tcp -m multiport --dports http,https -m set --match-set fail2ban-nginx-wordpress-login src -j REJECT --reject-with icmp-port-unreachable

As you can see, I am using firewallcmd-ipset, so the actual banned IP addresses are not listed here. Instead, I find them with ipset list:

# ipset list
Name: fail2ban-sshd
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 16528
References: 1
Members:

Name: fail2ban-nginx-http-auth
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 16528
References: 1
Members:

Name: fail2ban-nginx-wordpress-login
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 86400
Size in memory: 40656
References: 1
Members:
108.62.172.244 timeout 70819
108.62.172.121 timeout 82750
212.252.164.233 timeout 69907
108.62.24.87 timeout 58024
23.19.127.20 timeout 84310
### many more omitted...
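
Putting the two checks from this answer together, here is an added example (not part of the original answer) that turns them into a repeatable test: a POSIX shell script that parses the output of ipset list and firewall-cmd --direct --get-all-rules and reports whether a given address is actually being rejected, and on which ports. It also covers the gap between the two checks: an address that sits in an ipset which no direct rule references is not blocked, and the script says so. The sample outputs are constructed to match the layout shown above, and the function names are my own.

```shell
#!/bin/sh
# Added example: check whether fail2ban + firewalld are rejecting an IP.
# Assumes the output formats shown in the answer above (ipset "Name:/Members:"
# blocks, and direct rules of the form "... --dports X -m set --match-set SET src ...").

# Constructed sample of `ipset list` output (same layout as the real thing).
# fail2ban-orphan is included on purpose: a set with a member but no direct rule.
SAMPLE_IPSET_LIST='Name: fail2ban-sshd
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 16528
References: 1
Members:

Name: fail2ban-nginx-wordpress-login
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 86400
Size in memory: 40656
References: 1
Members:
108.62.172.244 timeout 70819
212.252.164.233 timeout 69907

Name: fail2ban-orphan
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 16528
References: 0
Members:
10.0.0.9 timeout 500
'

# Constructed sample of `firewall-cmd --direct --get-all-rules` output.
SAMPLE_DIRECT_RULES='ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT 0 -p tcp -m multiport --dports http,https -m set --match-set fail2ban-nginx-wordpress-login src -j REJECT --reject-with icmp-port-unreachable
'

# ipset_containing IP [ipset-list-text]
# Prints the name of the first ipset whose Members section lists IP and exits 0;
# prints nothing and exits 1 if no set lists it. Without the second argument the
# live `ipset list` output is used (needs root).
ipset_containing() {
    ip=$1
    text=${2:-$(ipset list 2>/dev/null)}
    printf '%s\n' "$text" | awk -v ip="$ip" '
        /^Name:/    { set = $2; members = 0; next }   # new set block starts
        /^Members:/ { members = 1; next }             # member lines follow
        members && $1 == ip { print set; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# direct_rule_for_set SET [rules-text]
# Prints the direct rule(s) that use SET as a source match; exits 1 if none do.
direct_rule_for_set() {
    set_name=$1
    text=${2:-$(firewall-cmd --direct --get-all-rules 2>/dev/null)}
    printf '%s\n' "$text" | grep -F -- "--match-set $set_name src"
}

# blocked_ports_for_ip IP [ipset-list-text] [rules-text]
# Prints the --dports value of the rule that rejects IP and exits 0.
# Exits 1 when IP is in no set, or is in a set that no direct rule references
# (present in ipset output but not actually blocked).
blocked_ports_for_ip() {
    ip=$1
    sets=${2:-$(ipset list 2>/dev/null)}
    rules=${3:-$(firewall-cmd --direct --get-all-rules 2>/dev/null)}
    set_name=$(ipset_containing "$ip" "$sets") || return 1
    direct_rule_for_set "$set_name" "$rules" | awk '
        { for (i = 1; i < NF; i++) if ($i == "--dports") { print $(i + 1); ok = 1 } }
        END { if (!ok) exit 1 }
    '
}

# Demonstration on the constructed sample; prints "http,https".
# Live use on a host: blocked_ports_for_ip 203.0.113.7
blocked_ports_for_ip 108.62.172.244 "$SAMPLE_IPSET_LIST" "$SAMPLE_DIRECT_RULES"
```

Run as root with only the IP argument to query the live ipset and firewalld state. The third case (10.0.0.9 in the sample) is the one worth remembering when debugging: ipset list can show an address while nothing rejects it, so always confirm that a direct rule references the set.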

Solution 2:

Details here: https://fedoraproject.org/wiki/FirewallD#Which_zones_are_available.3F

  • List all zones with the enabled features.

    firewall-cmd --list-all-zones

  • Print the zone with its enabled features. If the zone is omitted, the default zone will be used.

    firewall-cmd [--zone=<zone>] --list-all

If the above command is not displaying enough info, you can try

  • iptables Direct Interface (Quoted from: Introduction to FirewallD on CentOS)

For the most advanced usage, or for iptables experts, FirewallD provides a direct interface that allows you to pass raw iptables commands to it. Direct Interface rules are not persistent unless --permanent is used.

To see all custom chains or rules added to FirewallD:

firewall-cmd --direct --get-all-chains

firewall-cmd --direct --get-all-rules