
[SOLVED] Trying to block a single address in firewalld - not having any luck

Hey there,

quick backstory: I wanted to try out the jellyfin media server, but got unlucky because there seems to be a bug that makes it crash each time the music library is scanned, see here: https://github.com/jellyfin/jellyfin/issues/1664

There is a possible solution in there by blocking the domain. The example there uses iptables, but since I’m on Fedora and firewalld seems to be the new standard, I wanted to use that.

But I don’t seem to be having any luck with it. So far I figured out that firewalld doesn’t handle domains, only IP addresses. So far so good, getting the IP address is easy enough:

[[email protected]]~% dig +short theaudiodb.com
78.129.196.116

But I can’t seem to be able to add the rule. I tried it via the GUI application that is bundled, but the result is the same when I do it via terminal.

So just to make sure I first checked the actually active zone:

[[email protected]]~% firewall-cmd --get-active-zones
home
  interfaces: enp5s0

The command to add the zone I got from here and adapted it for me:

My command:

[[email protected]]~% firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='78.129.196.116' reject" --zone=home
success

I even checked if the rule was actually applied:

[[email protected]]~% firewall-cmd --list-rich-rules --permanent --zone=home                                     
rule family="ipv4" source address="78.129.196.116" reject

But I can still access the website…

[[email protected]]~% wget theaudiodb.com
--2019-09-13 15:13:33--  http://theaudiodb.com/
Resolving theaudiodb.com (theaudiodb.com)... 78.129.196.116
Connecting to theaudiodb.com (theaudiodb.com)|78.129.196.116|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://theaudiodb.com/ [following]
--2019-09-13 15:13:33--  https://theaudiodb.com/
Connecting to theaudiodb.com (theaudiodb.com)|78.129.196.116|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 31193 (30K) [text/html]
Saving to: ‘index.html’

index.html                   100%[============================================>]  30.46K  --.-KB/s    in 0.001s  

2019-09-13 15:13:34 (26.2 MB/s) - ‘index.html’ saved [31193/31193]

Anyone got a hint for me? I even did a --complete-reload (even though supposedly everything is applied immediately), with the same result…

It seems this is a powerful tool, but also seems to make it really complicated for a seemingly easy task…

try drop instead of reject

Same result :frowning:

firewall-cmd --list-all

Also, got curious what would be the difference between DROP and REJECT, and from reading this it seems this wouldn’t be much of a difference in this case:

http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

[[email protected]]~% firewall-cmd --list-all
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'home' (see --get-active-zones)
You most likely need to use --zone=home option.

public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client kde-connect mdns ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

[[email protected]]~% firewall-cmd --list-all --zone=home
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp5s0
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="78.129.196.116" reject

/edit
wait uh… why is this still REJECT :thinking: lemme check

Uh OK this is weird:

[[email protected]]~% firewall-cmd --list-rich-rules --permanent --zone=home
rule family="ipv4" source address="78.129.196.116" drop

Why does it show REJECT in --list-all, but DROP in --list-rich-rules?

did you reload after doing --perm and drop?

OK that seems better:

[[email protected]]~% firewall-cmd --complete-reload   
success
[[email protected]]~% firewall-cmd --list-all --zone=home
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp5s0
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="78.129.196.116" drop

However I can still reach the domain (with wget as above)

Are you sure you have the correct source address?

Are incoming connections being source NAT’d?

With source address you mean the IP? Well, that’s what comes out of dig, ping, and wget, so I assume it’s right?

Not sure what you mean by the second tbh.
My ISP is using some kind of IPv6 > IPv4 layer for compatibility, but that shouldn’t interfere with it? I mean I do get the correct IP :confused:

And the website doesn’t seem to do IPv6 so it’s not a v6 connection:

[[email protected]]~% ping -6 theaudiodb.com
ping: theaudiodb.com: Name or service not known

iptables -nvL

1 Like

Quite long:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 6037   11M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    8   911 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  178 35923 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  178 35923 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  178 35923 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    5   353 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
  173 35570 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4586 packets, 435K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  981  234K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
 4586  435K OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_home  all  --  enp5s0 *       0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_home  all  --  *      enp5s0  0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_home (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_home_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDI_home_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDI_home_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDI_home_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_home_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_home_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_home (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_home_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_home_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_home_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDO_home_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_home_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_home_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  178 35923 IN_home    all  --  enp5s0 *       0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_home (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  178 35923 IN_home_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  178 35923 IN_home_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  178 35923 IN_home_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_home_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW,UNTRACKED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137 ctstate NEW,UNTRACKED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138 ctstate NEW,UNTRACKED

Chain IN_home_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       78.129.196.116       0.0.0.0/0           

Chain IN_home_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW,UNTRACKED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1714:1764 ctstate NEW,UNTRACKED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:1714:1764 ctstate NEW,UNTRACKED

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

But I thought this wasn’t using iptables?

The zero packet count on the drop rule… means you must have the source IP address wrong. (or something else)

you don’t directly.

firewalld does.

1 Like

Not sure how I’m supposed to get the right one then :confused: I mean it’s resolved that way apparently :expressionless:

tcpdump…

plus curl and wget…

Never used tcpdump but man that spams a lot…

anyway, seems I’m getting the same address from that:

17:07:54.556441 IP localhost.localdomain.36515 > hitronhub.home.domain: 46751+ A? theaudiodb.com. (32)
17:07:54.556457 IP localhost.localdomain.36515 > hitronhub.home.domain: 26794+ AAAA? theaudiodb.com. (32)
17:07:54.584882 IP hitronhub.home.domain > localhost.localdomain.36515: 46751 1/0/0 A 78.129.196.116 (48)
17:07:54.596708 IP hitronhub.home.domain > localhost.localdomain.36515: 26794 0/1/0 (93)
17:07:54.596846 IP localhost.localdomain.36126 > 78.129.196.116.http: Flags [S], seq 2104237017, win 64240, options [mss 1460,sackOK,TS val 2909849204 ecr 0,nop,wscale 7], length 0
17:07:54.596930 IP localhost.localdomain.37177 > hitronhub.home.domain: 44179+ PTR? 116.196.129.78.in-addr.arpa. (45)
17:07:54.598641 IP hitronhub.home.domain > localhost.localdomain.37177: 44179 NXDomain 0/0/0 (45)
17:07:54.629444 IP 78.129.196.116.http > localhost.localdomain.36126: Flags [S.], seq 2591336676, ack 2104237018, win 8192, options [mss 1420,nop,wscale 8,sackOK,TS val 382631848 ecr 2909849204], length 0
17:07:54.629478 IP localhost.localdomain.36126 > 78.129.196.116.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 2909849236 ecr 382631848], length 0
17:07:54.629519 IP localhost.localdomain.36126 > 78.129.196.116.http: Flags [P.], seq 1:142, ack 1, win 502, options [nop,nop,TS val 2909849236 ecr 382631848], length 141: HTTP: GET / HTTP/1.1
17:07:54.668946 IP 78.129.196.116.http > localhost.localdomain.36126: Flags [P.], seq 1:396, ack 142, win 258, options [nop,nop,TS val 382631852 ecr 2909849236], length 395: HTTP: HTTP/1.1 301 Moved Permanently
17:07:54.668977 IP localhost.localdomain.36126 > 78.129.196.116.http: Flags [.], ack 396, win 501, options [nop,nop,TS val 2909849276 ecr 382631852], length 0
17:07:54.703993 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [S], seq 2806056158, win 64240, options [mss 1460,sackOK,TS val 2909849311 ecr 0,nop,wscale 7], length 0
17:07:54.734825 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [S.], seq 2266940451, ack 2806056159, win 8192, options [mss 1420,nop,wscale 8,sackOK,TS val 382631859 ecr 2909849311], length 0
17:07:54.734860 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 1, win 502, options [nop,nop,TS val 2909849342 ecr 382631859], length 0
17:07:54.736995 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 2909849344 ecr 382631859], length 517
17:07:54.777398 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [.], seq 1:1409, ack 518, win 258, options [nop,nop,TS val 382631863 ecr 2909849344], length 1408
17:07:54.777416 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 1409, win 501, options [nop,nop,TS val 2909849384 ecr 382631863], length 0
17:07:54.777847 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [.], seq 1409:2817, ack 518, win 258, options [nop,nop,TS val 382631863 ecr 2909849344], length 1408
17:07:54.777856 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 2817, win 501, options [nop,nop,TS val 2909849385 ecr 382631863], length 0
17:07:54.808000 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [.], ack 518, win 258, options [nop,nop,TS val 382631866 ecr 2909849385], length 0
17:07:54.808185 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [P.], seq 2817:3792, ack 518, win 258, options [nop,nop,TS val 382631866 ecr 2909849385], length 975
17:07:54.808197 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 3792, win 501, options [nop,nop,TS val 2909849415 ecr 382631866], length 0
17:07:54.812927 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [P.], seq 518:736, ack 3792, win 501, options [nop,nop,TS val 2909849420 ecr 382631866], length 218
17:07:54.861947 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [P.], seq 3792:3867, ack 736, win 257, options [nop,nop,TS val 382631871 ecr 2909849420], length 75
17:07:54.861963 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 3867, win 501, options [nop,nop,TS val 2909849469 ecr 382631871], length 0
17:07:54.867472 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [P.], seq 736:933, ack 3867, win 501, options [nop,nop,TS val 2909849474 ecr 382631871], length 197
17:07:54.894310 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [P.], seq 3867:3920, ack 933, win 256, options [nop,nop,TS val 382631874 ecr 2909849474], length 53
17:07:54.894332 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 3920, win 501, options [nop,nop,TS val 2909849501 ecr 382631874], length 0
17:07:54.895087 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [P.], seq 933:1498, ack 3920, win 501, options [nop,nop,TS val 2909849502 ecr 382631874], length 565
17:07:54.930083 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [.], seq 3920:5328, ack 1498, win 254, options [nop,nop,TS val 382631878 ecr 2909849502], length 1408
17:07:54.930306 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [.], seq 5328:6736, ack 1498, win 254, options [nop,nop,TS val 382631878 ecr 2909849502], length 1408
17:07:54.930318 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 6736, win 501, options [nop,nop,TS val 2909849537 ecr 382631878], length 0
17:07:54.930557 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [.], seq 6736:8144, ack 1498, win 254, options [nop,nop,TS val 382631878 ecr 2909849502], length 1408
17:07:54.930781 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [.], seq 8144:9552, ack 1498, win 254, options [nop,nop,TS val 382631878 ecr 2909849502], length 1408
17:07:54.930791 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 9552, win 501, options [nop,nop,TS val 2909849538 ecr 382631878], length 0
17:07:54.965057 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [P.], seq 9552:11941, ack 1498, win 254, options [nop,nop,TS val 382631882 ecr 2909849538], length 2389
17:07:54.965112 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 11941, win 501, options [nop,nop,TS val 2909849572 ecr 382631882], length 0
17:07:54.969195 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [P.], seq 1498:1854, ack 11941, win 501, options [nop,nop,TS val 2909849576 ecr 382631882], length 356
17:07:55.017688 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [P.], seq 11941:12063, ack 1854, win 253, options [nop,nop,TS val 382631887 ecr 2909849576], length 122
17:07:55.058675 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 12063, win 501, options [nop,nop,TS val 2909849666 ecr 382631887], length 0
17:07:55.265404 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [.], seq 12063:13471, ack 1854, win 253, options [nop,nop,TS val 382631912 ecr 2909849666], length 1408
17:07:55.265429 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 13471, win 501, options [nop,nop,TS val 2909849872 ecr 382631912], length 0
17:07:55.265613 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [.], seq 13471:14879, ack 1854, win 253, options [nop,nop,TS val 382631912 ecr 2909849666], length 1408
17:07:55.265623 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 14879, win 501, options [nop,nop,TS val 2909849872 ecr 382631912], length 0
17:07:55.265664 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [.], seq 14879:16287, ack 1854, win 253, options [nop,nop,TS val 382631912 ecr 2909849666], length 1408
17:07:55.265674 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 16287, win 501, options [nop,nop,TS val 2909849873 ecr 382631912], length 0
17:07:55.265849 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [.], seq 16287:17695, ack 1854, win 253, options [nop,nop,TS val 382631912 ecr 2909849666], length 1408
17:07:55.265856 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 17695, win 501, options [nop,nop,TS val 2909849873 ecr 382631912], length 0
17:07:55.266036 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [.], seq 17695:19103, ack 1854, win 253, options [nop,nop,TS val 382631912 ecr 2909849666], length 1408
17:07:55.266042 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 19103, win 501, options [nop,nop,TS val 2909849873 ecr 382631912], length 0
17:07:55.266224 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [.], seq 19103:21919, ack 1854, win 253, options [nop,nop,TS val 382631912 ecr 2909849666], length 2816
17:07:55.266232 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 21919, win 495, options [nop,nop,TS val 2909849873 ecr 382631912], length 0
17:07:55.266598 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [.], seq 21919:24735, ack 1854, win 253, options [nop,nop,TS val 382631912 ecr 2909849666], length 2816
17:07:55.266604 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 24735, win 495, options [nop,nop,TS val 2909849873 ecr 382631912], length 0
17:07:55.266785 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [.], seq 24735:26143, ack 1854, win 253, options [nop,nop,TS val 382631912 ecr 2909849666], length 1408
17:07:55.266791 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 26143, win 501, options [nop,nop,TS val 2909849874 ecr 382631912], length 0
17:07:55.294402 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [.], seq 26143:27551, ack 1854, win 253, options [nop,nop,TS val 382631915 ecr 2909849874], length 1408
17:07:55.294417 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 27551, win 501, options [nop,nop,TS val 2909849901 ecr 382631915], length 0
17:07:55.294724 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [.], seq 27551:28959, ack 1854, win 253, options [nop,nop,TS val 382631915 ecr 2909849874], length 1408
17:07:55.294731 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 28959, win 501, options [nop,nop,TS val 2909849902 ecr 382631915], length 0
17:07:55.294867 IP localhost.localdomain.36126 > 78.129.196.116.http: Flags [F.], seq 142, ack 396, win 501, options [nop,nop,TS val 2909849902 ecr 382631852], length 0
17:07:55.294949 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [.], seq 28959:30367, ack 1854, win 253, options [nop,nop,TS val 382631915 ecr 2909849874], length 1408
17:07:55.294956 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 30367, win 495, options [nop,nop,TS val 2909849902 ecr 382631915], length 0
17:07:55.295301 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [.], seq 30367:31775, ack 1854, win 253, options [nop,nop,TS val 382631915 ecr 2909849874], length 1408
17:07:55.295309 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 31775, win 501, options [nop,nop,TS val 2909849902 ecr 382631915], length 0
17:07:55.295488 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [.], seq 31775:35999, ack 1854, win 253, options [nop,nop,TS val 382631915 ecr 2909849874], length 4224
17:07:55.295495 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 35999, win 487, options [nop,nop,TS val 2909849902 ecr 382631915], length 0
17:07:55.295673 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [.], seq 35999:37407, ack 1854, win 253, options [nop,nop,TS val 382631915 ecr 2909849874], length 1408
17:07:55.295680 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 37407, win 501, options [nop,nop,TS val 2909849903 ecr 382631915], length 0
17:07:55.295863 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [P.], seq 37407:43897, ack 1854, win 253, options [nop,nop,TS val 382631915 ecr 2909849874], length 6490
17:07:55.295870 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 43897, win 471, options [nop,nop,TS val 2909849903 ecr 382631915], length 0
17:07:55.296937 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [F.], seq 1854, ack 43897, win 501, options [nop,nop,TS val 2909849904 ecr 382631915], length 0
17:07:55.328070 IP 78.129.196.116.https > localhost.localdomain.51794: Flags [F.], seq 43897, ack 1855, win 253, options [nop,nop,TS val 382631918 ecr 2909849904], length 0
17:07:55.328093 IP localhost.localdomain.51794 > 78.129.196.116.https: Flags [.], ack 43898, win 501, options [nop,nop,TS val 2909849935 ecr 382631918], length 0
17:07:55.329270 IP 78.129.196.116.http > localhost.localdomain.36126: Flags [F.], seq 396, ack 143, win 258, options [nop,nop,TS val 382631918 ecr 2909849902], length 0
17:07:55.329292 IP localhost.localdomain.36126 > 78.129.196.116.http: Flags [.], ack 397, win 501, options [nop,nop,TS val 2909849936 ecr 382631918], length 0

seems to be everything from that wget request

/edit
Though what I’m wondering the whole time, why are we blocking the source address? Isn’t the source me, because I send the request?

Tried

[[email protected]]~% firewall-cmd --permanent --add-rich-rule="rule family='ipv4' destination address='78.129.196.116' drop" --zone=home
success

Same result :frowning:

Your problem is in the first line of your iptables printout (well 3rd line, first rule):

  6037   11M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

When you make your request to 78.129.196.116 it is added to netfilter’s state machine and the response (which would have source 78.129.196.116) matches ctstate related,established which has the ACCEPT target. So the traffic is accepted and no further processing is done. Your block rule never fires.

I can’t speak intelligently about firewalld, but the command:

iptables -I INPUT -s 78.129.196.116 -p tcp -j DROP

will insert a drop rule above the current first rule

1 Like
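Added example (not posted by anyone in this thread): a small shell script that reads an `iptables -nvL` dump and walks the INPUT chain the way netfilter does, following jumps into firewalld's zone chains, to report whether a DROP/REJECT for an address would ever be reached by reply packets or is shadowed by the `ctstate RELATED,ESTABLISHED` ACCEPT above it. The two dumps inside it are constructed from the layout of the listing above, trimmed to the chains on the path, and the address is the one from this thread; the function and variable names are my own.

```sh
#!/bin/sh
# Added example for this thread, not code posted by anyone in it.
# check_block_order ADDR reads an `iptables -nvL` dump on stdin, starts at INPUT
# and follows jumps into user chains (firewalld's IN_<zone> chains), returning
# which terminal rule a reply packet from ADDR on an established connection hits first:
#   shadowed  - the RELATED,ESTABLISHED ACCEPT comes first, so the block never fires
#   effective - a DROP/REJECT with source ADDR comes first
#   missing   - neither is on the path
check_block_order() {
    awk -v addr="$1" '
    function walk(c,    i, t, r) {
        for (i = 1; i <= n[c]; i++) {
            t = target[c, i]
            # conntrack accept reached first: reply packets never see the block
            if (t == "ACCEPT" && rest[c, i] ~ /RELATED,ESTABLISHED/) return "shadowed"
            if ((t == "DROP" || t == "REJECT") && src[c, i] == addr) return "effective"
            if (t in n) { r = walk(t); if (r != "") return r }   # descend into user chain
        }
        return ""
    }
    /^Chain /    { chain = $2; n[chain] = 0; next }   # "Chain NAME (...)" header
    $1 == "pkts" { next }                             # column header line
    NF == 0      { next }
    {
        # columns: pkts bytes target prot opt in out source destination [match text]
        n[chain]++
        target[chain, n[chain]] = $3
        src[chain, n[chain]]    = $8
        rest[chain, n[chain]]   = ""
        for (k = 10; k <= NF; k++) rest[chain, n[chain]] = rest[chain, n[chain]] " " $k
    }
    END { r = walk("INPUT"); print (r == "" ? "missing" : r) }'
}

# Constructed dump modelled on the thread's listing: the DROP for the host lives in
# the firewalld zone chain, reached only after the RELATED,ESTABLISHED ACCEPT.
BEFORE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6037   11M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    8   911 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  178 35923 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  173 35570 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
  178 35923 IN_home    all  --  enp5s0 *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain IN_home (1 references)
 pkts bytes target     prot opt in     out     source               destination
  178 35923 IN_home_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_home_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       78.129.196.116       0.0.0.0/0'

# Same dump after `iptables -I INPUT -s 78.129.196.116 -p tcp -j DROP`: the block is
# now the first rule of INPUT, above the conntrack ACCEPT (rest of the dump reused).
AFTER="Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       78.129.196.116       0.0.0.0/0
$(printf '%s\n' "$BEFORE" | tail -n +3)"

before_result() { printf '%s\n' "$BEFORE" | check_block_order 78.129.196.116; }
after_result()  { printf '%s\n' "$AFTER"  | check_block_order 78.129.196.116; }

printf 'before fix: %s\nafter fix:  %s\n' "$(before_result)" "$(after_result)"
```

On a live box the same check is `sudo iptables -nvL | check_block_order 78.129.196.116`; a `shadowed` result is exactly the zero packet count on the zone-chain DROP seen earlier in the thread. Because the reply direction is what gets accepted by conntrack, the cleaner fix is on the OUTPUT side, where the first packet of the connection is not yet "established": firewalld exposes that through its direct interface, e.g. `firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 78.129.196.116 -j REJECT` followed by `firewall-cmd --reload` (REJECT rather than DROP so the client fails immediately instead of waiting on retransmits).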

OK that makes sense, and it indeed seems to work (with both DROP and REJECT).

However this should be possible with Firewalld, right? I mean what’s the point of configuring Firewalld when its settings are overridden by iptables?

On a sidenote: wget seems to take forever to notice it’s unreachable (I assume it tries again as stated in the DROP vs REJECT article above). Can this be configured to be denied immediately?

wget has a --timeout parameter. Alternatively, you could add a drop rule to the output table and never let the request leave your machine in the first place.

Yes, but I’m talking more general since originally this was meant to be blocked for jellyfin and I don’t know what that uses.

Tried that, but wget still reaches it with just that.