
RHEL7/CentOS7 features a new firewalld firewall service that replaces the iptables service (both of which use the iptables tool to interact with the kernel's Netfilter underneath).

firewalld can be easily tuned to block incoming traffic, but as noted by Thomas Woerner 1.5 years ago, "limiting outgoing traffic is not possible with firewalld in a simple way at the moment". And as far as I can see, the situation hasn't changed since then. Or has it? Is there any way to block outgoing traffic with firewalld? If not, are there any other "standard" ways (on the RHEL7 distro) of blocking outgoing traffic, apart from manually adding rules through the iptables tool?

golem

3 Answers


I didn't find any option in that nice GUI, but it is possible via the direct interface.

To enable only outgoing port 80:

firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=80 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -j DROP

This will add it to permanent rules, not the runtime rules.
You will need to reload permanent rules so they become runtime rules.

firewall-cmd --reload

To display permanent rules:

firewall-cmd --permanent --direct --get-all-rules

To display runtime rules:

firewall-cmd --direct --get-all-rules
golem
Fedora-user

After asking the same question myself, and with some tinkering, I've gathered some nice rules for restricting outgoing traffic to HTTP/HTTPS and DNS queries:

Allow established connections:

# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow HTTP:

# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT

Allow HTTPS:

# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT

Allow for DNS queries:

# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 53 -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p udp --dport 53 -j ACCEPT

Deny everything else:

# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 2 -j DROP

It might be a good idea to test first by omitting the '--permanent' argument.

I am by no means an expert, but this seems to work fine for me :)

Adobe
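The two answers above both build the same thing by hand: a chain of firewalld direct rules on the IPv4 filter OUTPUT chain whose priorities decide the evaluation order. The script below is an added example, not code from either answer or from the firewalld project. It generates that rule set for a list of allowed TCP and UDP ports in the order the second answer uses (priority 0 for ESTABLISHED,RELATED, 1 for the allowed ports, 2 for the final DROP), prints the commands for review by default, and only runs firewall-cmd when DRY_RUN=0. In apply mode it queries each rule first so re-running the script does not stack duplicates. The port lists at the bottom (TCP 80, 443, 53 and UDP 53) are constructed sample values; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the answers above: generate the firewalld
# "direct" OUTPUT-chain rules for an egress allowlist in the priority order
# answer 2 uses (0 = established, 1 = allowed ports, 2 = drop the rest).
# With DRY_RUN=1 (the default) the commands are only printed for review;
# DRY_RUN=0 runs firewall-cmd for real. Assumptions: firewall-cmd is on PATH
# when applying, and the port lists at the bottom are constructed samples.

DRY_RUN="${DRY_RUN:-1}"

# Emit (or run) one permanent direct rule for the IPv4 filter OUTPUT chain.
# $1 = priority, remaining arguments = iptables-style match and target.
# In apply mode the rule is skipped when it is already present, so running
# the script twice does not add the same rule twice.
direct_rule() {
    prio="$1"
    shift
    if [ "$DRY_RUN" = "1" ]; then
        echo "firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT $prio $*"
        return 0
    fi
    firewall-cmd --permanent --direct --query-rule ipv4 filter OUTPUT "$prio" "$@" >/dev/null 2>&1 && return 0
    firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT "$prio" "$@"
}

# The full rule set. Priority decides evaluation order inside the chain: the
# ESTABLISHED,RELATED rule goes first so replies to outbound sessions survive,
# and the catch-all DROP carries the highest number so it is evaluated last.
# $1 = space-separated TCP ports, $2 = space-separated UDP ports
egress_allowlist_rules() {
    direct_rule 0 -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    for p in $1; do
        direct_rule 1 -p tcp -m tcp --dport "$p" -j ACCEPT || return 1
    done
    for p in $2; do
        direct_rule 1 -p udp -m udp --dport "$p" -j ACCEPT || return 1
    done
    direct_rule 2 -j DROP
}

# Install the rule set, then reload so the permanent rules become runtime rules.
apply_egress_allowlist() {
    egress_allowlist_rules "$1" "$2" || return 1
    if [ "$DRY_RUN" = "1" ]; then
        echo "firewall-cmd --reload"
    else
        firewall-cmd --reload
    fi
}

# Sample run with constructed values: HTTP, HTTPS and DNS outbound only.
# Review the printed commands first; re-run with DRY_RUN=0 to apply them.
apply_egress_allowlist "80 443 53" "53"
```

Run it once as is to see the exact firewall-cmd lines it would issue, then `DRY_RUN=0 sh egress.sh` as root to install them. Because everything goes in with --permanent, nothing changes until the reload at the end; if you would rather try the rules on the live ruleset first, as the second answer suggests, drop the --permanent from direct_rule and skip the reload.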

Concerning the GUI: I think you find this under "Direct Configuration". To access it, you have to select it in "View". I could be wrong.

Side note:

To delete rules, you have to exit and then re-enter.