CentOS 7: firewall-cmd, Lockdown, fail2ban-firewalld hints

masquerade (the firewall-cmd changes below are runtime-only unless --permanent is added; a --reload drops them)

firewall-cmd --zone=external --query-masquerade

firewall-cmd --zone=external --add-masquerade

external port forward (forwarding to another host needs masquerade enabled on the zone, as above)

firewall-cmd --zone=external --list-all

firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2222:toaddr=192.168.0.11

Lockdown

# vi /etc/firewalld/firewalld.conf

Lockdown=yes

# firewall-cmd --reload

# firewall-cmd --query-lockdown

# firewall-cmd --lockdown-on

# firewall-cmd --lockdown-off

Allow or block an IP with a rich rule (accept, then reject)

# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.41" accept'

# firewall-cmd --list-all

# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.41" accept'

# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.41" reject'

# firewall-cmd --list-all

# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.41" reject'

fail2ban-firewalld

yum install fail2ban fail2ban-firewalld fail2ban-systemd

systemctl enable fail2ban

systemctl start fail2ban.service

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

vi /etc/fail2ban/jail.local

# jail.local overrides for the defaults section of jail.conf
# read the systemd journal instead of log files (needs the fail2ban-systemd package installed above)
#backend = auto

backend = systemd

# ban through a firewalld ipset instead of direct iptables rules (action shipped by fail2ban-firewalld)
#banaction = iptables-multiport

banaction = firewallcmd-ipset

# jail for repeated SSH authentication failures
[sshd]

enabled = true

port    = ssh

# NOTE(review): with backend = systemd the journal is read; logpath is presumably not used here — verify
logpath = %(sshd_log)s

# failed attempts before the source is banned
maxretry = 5

# ban length in seconds
bantime = 300

# no per-jail action set; the global banaction above applies
#action = firewallcmd-ipset
# NOTE(review): sshd-ddos is a separate jail only in older fail2ban releases; newer ones fold it into [sshd] — confirm against the installed version
[sshd-ddos]

enabled = true

port    = ssh

logpath = %(sshd_log)s

systemctl restart fail2ban.service

tail -f /var/log/fail2ban.log

fail2ban-client status

fail2ban-client status sshd

fail2ban-client set sshd unbanip 192.168.0.41