Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
How can I allow IGMP-traffic in FirewallD? Question Question
How to stop udp/tcp ddos attack? Question Question

Question

How to block IP range or country with firewalld?

Posted December 7, 2016 40.3k views
CentOSFirewall

Hello,

How can I block IP range or entire country on CentOS 7 with FirewallD? The IP range starts with 180.76.15.* and is Chinese IP.

The command below works for single IP but not for range:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='180.76.15.154' reject"

I tried with this command for the range but without success:

firewall-cmd –permanent –add-rich-rule=“rule family=‘ipv4’ source address='180.76.15/24’ reject”

Cheers

Add a comment
swbot
By:
swbot

Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
How can I allow IGMP-traffic in FirewallD? Question Question
How to stop udp/tcp ddos attack? Question Question

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
6 answers
xMudrii December 7, 2016

I think the correct command is:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='180.76.15.0/24' reject"

Pay attention to highlighted part

Reply Report
timothydpulliam September 9, 2018

You have to reload firewalld after adding a permanent rule.

firewall-cmd --reload
Reply Report
swbot December 7, 2016

Thank you xMudrii,

This command is executed successfully. Lets see if it works and the Chinese visitors from 180.76.15* will not have access to the site anymore.

Cheers,
Ivo

Reply Report
swbot December 7, 2016

The command is not working, I run the command and reload my firewall for the changes to take effect, but unfortunately the 180.76.15* still have access to my site. Any other ideas?

Reply Report
pscot March 2, 2020
[deleted]
Reply Report
tsanders December 21, 2020

Yeah, I have an idea, why not utilize “UFW” or iptables (conntrack allows the user to log access).

dnf install ufw -y
systemctl enable –now ufw
systemctl start –now ufw

ufw enable

ufw insert 1 deny in from 180.76.15.0/24 to any comment "Block China Access" # Blocks TCP and UDP access

iptables

iptables -I INPUT 1 -p all -s 180.76.15.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j REJECT
Reply Report

Related

Looking for something else?

Ask a new question Search for more help