How to check if firewalld is blocking an incoming ip address?
Solution 1:
First, I strongly recommend that you use banaction = firewallcmd-ipset
as this will provide much better performance when the ban list starts getting large.
Now, with any of fail2ban's firewalld actions, it will add a direct rule, which you can inspect with firewall-cmd --direct --get-all-rules
:
# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT 0 -p tcp -m multiport --dports 0:65535 -m set --match-set fail2ban-nginx-http-auth src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT 0 -p tcp -m multiport --dports http,https -m set --match-set fail2ban-nginx-wordpress-login src -j REJECT --reject-with icmp-port-unreachable
As you can see, I am using firewallcmd-ipset
, so the actual banned IP addresses are not listed here. Instead, I find them with ipset list
:
# ipset list
Name: fail2ban-sshd
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 16528
References: 1
Members:
Name: fail2ban-nginx-http-auth
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 16528
References: 1
Members:
Name: fail2ban-nginx-wordpress-login
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 86400
Size in memory: 40656
References: 1
Members:
108.62.172.244 timeout 70819
108.62.172.121 timeout 82750
212.252.164.233 timeout 69907
108.62.24.87 timeout 58024
23.19.127.20 timeout 84310
### many more omitted...
Solution 2:
Details here: https://fedoraproject.org/wiki/FirewallD#Which_zones_are_available.3F
-
List all zones with the enabled features.
firewall-cmd --list-all-zones
-
Print zone with the enabled features. If zone is omitted, the default zone will be used.
firewall-cmd [--zone=<zone>] --list-all
If the above command is not displaying enough info, you can try
- iptables Direct Interface (Quoted from:Introduction to FirewallD on CentOS)
For the most advanced usage, or for iptables experts, FirewallD provides a direct interface that allows you to pass raw iptables commands to it. Direct Interface rules are not persistent unless the --permanent is used.
To see all custom chains or rules added to FirewallD:
firewall-cmd --direct --get-all-chains
firewall-cmd --direct --get-all-rules