I have several RHEL7/CentOS7 servers on which I need to block all OUTGOING traffic to dedicated machines or dedicated network subnets, e.g. CIDR 168.192.10.0/24. For the moment I tried with `firewall-cmd` but was not lucky. Most of the posts I saw were using `iptables`, but I would rather prefer a solution based on `firewalld`.

I already tried to base my solution on these two topics, "Block outgoing connections..." and "Block outgoing connections on CentOS 7 with firewalld", but somehow my rules must be wrong since I can still open an HTTP connection to the server.
Current `firewalld` rules (no rules defined):

```
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
```
Let's assume the source IP of the server is 168.192.18.56. Next, the rules I tried to define (also with `--permanent`):

```
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -d 168.192.10.0/24 -j REJECT
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="168.192.18.56" destination address=168.192.10.0/24 reject'
```
I also tried with the DROP action. The current rules are:

```
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" destination address="192.168.10.0/24" log prefix="dropped" level="debug" limit value="20/m" drop
```
Now I'm not sure if I must reload `firewalld`? In that case, I would make the rules permanent.

My misunderstanding is now that:

- assume a web server is running on 192.168.10.30.
- I can ping e.g. 192.168.10.30.
- I can also open an HTTP connection with `wget 192.168.10.30` and get the index.html back.
- I can also ping each machine in the blocked subnets, but perhaps this needs a special rule; I thought that by blocking all traffic, ICMP would also be blocked.
I would appreciate knowing what I'm doing wrong.
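A small helper, added here and not part of the original post, that prints the runtime and permanent `--direct` OUTPUT-chain commands for a list of destination prefixes (the form used in the question) and checks whether a test destination actually falls inside one of the prefixes you blocked, which is the first thing to verify when a host in the "blocked" range is still reachable. The function names are my own; `firewall-cmd` is only printed, not executed.

```sh
#!/bin/sh
# Added example (not from the original post). Prints firewalld direct rules for
# blocking egress to given CIDRs and offers a pure-shell CIDR membership check.

# egress_block_cmds ACTION CIDR...  -> prints the firewall-cmd commands to run as root.
# A rule with no -p matches every protocol, so ICMP (ping) is covered as well as TCP.
egress_block_cmds() {
  action=$1; shift
  for cidr in "$@"; do
    for perm in "" "--permanent "; do
      printf 'firewall-cmd %s--direct --add-rule ipv4 filter OUTPUT 0 -d %s -j %s\n' \
        "$perm" "$cidr" "$action"
    done
  done
  # Reload so the permanent rule is active, then list what firewalld actually holds.
  printf 'firewall-cmd --reload\nfirewall-cmd --direct --get-all-rules\n'
}

# ip_to_int A.B.C.D -> dotted quad as an unsigned 32-bit integer
ip_to_int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit status 0 when IP lies inside CIDR, 1 otherwise
in_cidr() {
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Constructed sample: the prefix from the question and the host that stayed reachable.
blocked=168.192.10.0/24
target=192.168.10.30
egress_block_cmds REJECT "$blocked"
if in_cidr "$target" "$blocked"; then
  echo "$target is inside $blocked: the OUTPUT rule should match it"
else
  echo "$target is NOT inside $blocked: this rule cannot block it"
fi
```

Run the printed commands as root, then re-test with `wget` and `ping`; `firewall-cmd --direct --get-all-rules` shows whether the rule survived a reload.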