How to Verify Firewalld IP Blocking Status in CentOS 7 with Fail2ban Integration



To verify whether firewalld is actively blocking an IP address, list the rules fail2ban may have added. Where a ban shows up depends on which fail2ban action the jail uses (see below), so check both listings:

# Rich rules (used by the firewallcmd-rich-rules action)
sudo firewall-cmd --list-rich-rules

# Direct rules (used by the firewallcmd-new and firewallcmd-ipset actions)
sudo firewall-cmd --direct --get-all-rules

When working with fail2ban, you'll want to check for a specific banned IP. Use fixed-string, whole-word matching so the dots are taken literally and 192.168.1.10 does not match 192.168.1.100:

# Search for a specific IP (replace 192.168.1.100)
sudo firewall-cmd --list-rich-rules | grep -wF "192.168.1.100"

# For fail2ban-specific direct chains (named f2b-<jail>):
sudo firewall-cmd --direct --get-all-rules | grep f2b

The fail2ban package on CentOS 7 ships three firewalld actions, and the shape of a ban depends on which one banaction selects (in /etc/fail2ban/jail.d/00-firewalld.conf or your jail.local):

  • firewallcmd-new: a direct chain f2b-<jail>, a jump to it from INPUT_direct for the jail's ports, and one direct rule per banned IP (-s <ip> -j REJECT --reject-with icmp-port-unreachable by default; DROP if blocktype is changed)
  • firewallcmd-ipset: a single direct rule in INPUT_direct that matches the jail's ports against an ipset; banned IPs are members of that set, not individual rules
  • firewallcmd-rich-rules: one rich rule per banned IP, restricted by source address and the jail's port and protocol

Example rule you might see for a banned IP with firewallcmd-new:

ipv4 filter f2b-sshd 0 -s 203.0.113.45 -j REJECT --reject-with icmp-port-unreachable

and with firewallcmd-rich-rules, for an sshd jail configured with port = 22 (note the port/protocol restriction rather than a service name):

rule family="ipv4" source address="203.0.113.45" port port="22" protocol="tcp" reject type="icmp-port-unreachable"

Case 1: IP appears in fail2ban log but not in firewalld

# Check fail2ban log for the ban, and for a later Unban that would explain its absence
sudo grep -E " (Ban|Unban) " /var/log/fail2ban.log

# Confirm the jail is running, how many bans it currently holds, and which action (firewalld backend) it uses
sudo fail2ban-client status sshd | grep "Currently banned"
sudo fail2ban-client get sshd actions

Case 2: Checking if rules persist after reload

# Runtime configuration (where fail2ban puts its bans)
sudo firewall-cmd --list-rich-rules
sudo firewall-cmd --direct --get-all-rules

# Permanent configuration (normally holds no fail2ban bans; the stock actions never use --permanent)
sudo firewall-cmd --permanent --list-rich-rules
sudo firewall-cmd --permanent --direct --get-all-rules

For regular monitoring, create a script to cross-check fail2ban bans with firewalld rules:

#!/bin/bash
# Banned IPs follow "Banned IP list:" separated by spaces (not commas), so take the whole remainder of the line
BANNED_IPS=$(sudo fail2ban-client status sshd | sed -n 's/.*Banned IP list:[[:space:]]*//p')

# Collect both places a ban can live (rich rules or f2b-<jail> direct rules)
RULES=$(sudo firewall-cmd --list-rich-rules; sudo firewall-cmd --direct --get-all-rules)

for IP in $BANNED_IPS; do
    echo "Checking $IP:"
    # -F keeps the dots literal; -w stops 203.0.113.4 from matching 203.0.113.45
    printf '%s\n' "$RULES" | grep -wF -- "$IP" || echo "NOT FOUND in firewalld"
done

Remember that firewalld has runtime and permanent configurations, and that fail2ban's stock actions add bans to the runtime configuration only. That is intended: a ban expires after bantime, and fail2ban lifts it by deleting the runtime rule, so a permanent copy would outlive the unban and reappear on every reload.

# If bans seem to "stick" after an unban, check whether a custom action adds --permanent:
# /etc/fail2ban/action.d/firewallcmd-new.conf (or firewallcmd-common.conf on newer releases), actionban / actionunban

# --reload replaces the runtime configuration with the permanent one and discards
# runtime-only rules, fail2ban's bans included:
sudo firewall-cmd --reload

# Restart fail2ban afterwards so it re-applies the bans still recorded in its
# database (logged as "Restore Ban"):
sudo systemctl restart fail2ban
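Case 2 and the runtime/permanent note above are easiest to reason about with a concrete comparison of the two listings. The following script is an added example, not code from the page or from fail2ban: it takes the text of firewall-cmd --direct --get-all-rules and its --permanent counterpart, pulls out the per-IP ban rules from the f2b-<jail> chains that the firewallcmd-new action creates, and tags each as runtime-only (the normal state, lost on --reload), permanent (survives a reload but is not removed by fail2ban's unban), or permanent-only (a stale ban that will return at the next reload). The two rule listings are constructed samples; classify_bans_live shows the call for a real host and is not executed.

```bash
#!/bin/bash
# Added example (not from the original page): classify fail2ban's ban rules
# as runtime-only or permanent by comparing the two firewalld listings.
# Chain naming (f2b-<jail>) follows fail2ban's firewallcmd-new action.

# Extract "chain ip" pairs for per-IP ban rules in f2b-* chains from a
# "firewall-cmd --direct --get-all-rules" listing. Lines without "-s"
# (the RETURN rule and the INPUT_direct jump) are not bans and are skipped.
extract_f2b_bans() {
    # $1: listing text
    printf '%s\n' "$1" \
      | awk '$3 ~ /^f2b-/ && /-s / {
               for (i = 1; i <= NF; i++) if ($i == "-s") print $3, $(i + 1)
             }' \
      | sort -u
}

# Tag each ban with where it lives:
#   runtime-only   : present now, lost on "firewall-cmd --reload" (the normal
#                    state for a fail2ban ban)
#   permanent      : in both listings; survives reload, but fail2ban's unban
#                    only deletes the runtime copy
#   permanent-only : not active now, but comes back on the next reload
classify_bans() {
    # $1: runtime listing text, $2: permanent listing text
    {
        extract_f2b_bans "$1" | sed 's/$/ R/'
        extract_f2b_bans "$2" | sed 's/$/ P/'
    } | awk '{ key = $1 " " $2; seen[key] = seen[key] $3 }
             END {
               for (k in seen) {
                 if (seen[k] == "R") { s = "runtime-only" }
                 else if (seen[k] == "P") { s = "permanent-only" }
                 else { s = "permanent" }
                 print k, s
               }
             }' | sort
}

# Live use on a CentOS 7 host (not run here): compare what is in effect with
# what would survive a reload.
classify_bans_live() {
    classify_bans "$(sudo firewall-cmd --direct --get-all-rules)" \
                  "$(sudo firewall-cmd --permanent --direct --get-all-rules)"
}

# Constructed sample listings standing in for the two firewall-cmd outputs.
SAMPLE_RUNTIME='ipv4 filter INPUT_direct 0 -m conntrack --ctstate NEW -p tcp -m multiport --dports 22 -j f2b-sshd
ipv4 filter f2b-sshd 1000 -j RETURN
ipv4 filter f2b-sshd 0 -s 203.0.113.45 -j REJECT --reject-with icmp-port-unreachable
ipv4 filter f2b-sshd 0 -s 198.51.100.7 -j REJECT --reject-with icmp-port-unreachable'

SAMPLE_PERMANENT='ipv4 filter INPUT_direct 0 -m conntrack --ctstate NEW -p tcp -m multiport --dports 22 -j f2b-sshd
ipv4 filter f2b-sshd 1000 -j RETURN
ipv4 filter f2b-sshd 0 -s 198.51.100.7 -j REJECT --reject-with icmp-port-unreachable
ipv4 filter f2b-sshd 0 -s 192.0.2.9 -j REJECT --reject-with icmp-port-unreachable'

# Prints one line per ban: "<chain> <ip> <runtime-only|permanent|permanent-only>"
classify_bans "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
```

With the samples, 203.0.113.45 is reported runtime-only (what a healthy fail2ban ban looks like), 198.51.100.7 permanent (someone ran --runtime-to-permanent or a --permanent action while it was banned), and 192.0.2.9 permanent-only (fail2ban has already unbanned it, yet the next reload will block it again).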


When using fail2ban with firewalld on CentOS 7 through the firewallcmd-new action, banned IPs are not placed in a zone such as drop; they are added as direct rules to a per-jail chain named f2b-<jail> (for example f2b-sshd), which INPUT_direct jumps to for the jail's ports. Here's how to verify these blocks effectively:

The primary command to examine current direct rules:

sudo firewall-cmd --direct --get-all-rules

More specifically, the jump rule and the per-IP ban rules (--get-rules takes the family, table and chain as arguments; --get-all-rules takes none):

sudo firewall-cmd --direct --get-rules ipv4 filter INPUT_direct
sudo firewall-cmd --direct --get-rules ipv4 filter f2b-sshd

To isolate fail2ban-related blocks (assuming default configuration):

sudo firewall-cmd --direct --get-all-rules | grep 'fail2ban\|f2b'

For a more detailed view of active blocks, with packet counters, read the chain firewalld built. Note that fail2ban's default blocktype is REJECT, so grepping only for DROP would miss the bans:

sudo iptables -L f2b-sshd -n -v
sudo iptables -L -n -v | grep -E 'REJECT|DROP'

If the jail uses firewallcmd-ipset, the addresses are in the set rather than in individual rules (the set is named f2b-sshd on newer fail2ban releases):

sudo ipset list fail2ban-sshd

To check if a particular IP is being blocked:

sudo firewall-cmd --direct --get-all-rules | grep -wF '123.45.67.89'

For comprehensive troubleshooting:

# Check fail2ban jail status
sudo fail2ban-client status <jail_name>

# List all active jails
sudo fail2ban-client status

# View firewall's permanent configuration
sudo firewall-cmd --list-all --permanent

Typical output from firewall-cmd --direct --get-all-rules for a jail using the firewallcmd-ipset action might show:

ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports 22 -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable

This indicates fail2ban is rejecting SSH (port 22) connections from IPs in the fail2ban-sshd set. The set itself holds the banned addresses, so a banned IP will not appear in this listing at all; check it with ipset list fail2ban-sshd (f2b-sshd on newer fail2ban releases).

Remember that firewalld's runtime and permanent configurations are separate, and that the following command copies everything currently in effect, fail2ban's bans included, into the permanent configuration. For bans that is rarely what you want: they are meant to expire, and a permanent copy is not removed when fail2ban unbans the IP and comes back on every reload:

sudo firewall-cmd --runtime-to-permanent

For regular monitoring, consider this bash script:

#!/bin/bash
JAIL="sshd"
# Everything after "Banned IP list:" (space separated; cut -d: would mangle IPv6 addresses)
BANNED_IPS=$(sudo fail2ban-client status "$JAIL" | sed -n 's/.*Banned IP list:[[:space:]]*//p')
# Direct rules (firewallcmd-new), rich rules (firewallcmd-rich-rules) and the ipset (firewallcmd-ipset, either naming)
RULES=$(sudo firewall-cmd --direct --get-all-rules
        sudo firewall-cmd --list-rich-rules
        sudo ipset list "f2b-$JAIL" 2>/dev/null
        sudo ipset list "fail2ban-$JAIL" 2>/dev/null)
for IP in $BANNED_IPS; do
    # -F keeps the dots literal; -w stops a prefix such as 203.0.113.4 from matching 203.0.113.45
    if ! printf '%s\n' "$RULES" | grep -qwF -- "$IP"; then
        echo "WARNING: $IP appears in fail2ban but not in firewalld rules"
    fi
done
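Case 1 (an IP in the log but not in firewalld) and the two monitoring scripts above are variants of one comparison: the set of IPs fail2ban believes are banned against the places firewalld can hold them. The script below is an added example, not code from the page or from fail2ban; it keeps the parsing in functions so the same check runs against fail2ban-client status output, against fail2ban.log, and against any of the three firewalld-backed actions (rich rules, f2b-<jail> direct rules, or an ipset). The status report, rule listing and log lines are constructed samples; crosscheck_live shows the live call and is not executed. The log line shape and the two ipset names are assumptions stated in the comments.

```bash
#!/bin/bash
# Added example (not from the original page): cross-check fail2ban's view of
# who is banned against every place a firewalld-backed ban can live. Which
# place applies depends on the action (banaction) the jail uses:
#   firewallcmd-new        -> direct rules "-s <ip>" in chain f2b-<jail>
#   firewallcmd-rich-rules -> rich rules with source address="<ip>"
#   firewallcmd-ipset      -> members of ipset f2b-<jail> (fail2ban-<jail> in 0.9)

# Banned IPs from "fail2ban-client status <jail>", one per line. The list is
# whitespace separated and may contain IPv6, so cut -d: must not be used.
parse_banned_ips() {
    # $1: status output text
    printf '%s\n' "$1" \
      | sed -n 's/.*Banned IP list:[[:space:]]*//p' \
      | tr ' \t' '\n\n' | awk 'NF'
}

# Net banned set according to fail2ban.log alone (Ban and "Restore Ban"
# lines minus later Unban lines) for one jail, for the "IP is in the log
# but not in firewalld" case. Assumed line shape (default fail2ban logging):
#   <date> <time> fail2ban.actions [<pid>]: NOTICE [<jail>] Ban <ip>
banned_from_log() {
    # $1: log text, $2: jail name
    printf '%s\n' "$1" | awk -v jail="[$2]" '
        $6 == jail && $7 == "Ban"                    { banned[$8] = 1 }
        $6 == jail && $7 == "Restore" && $8 == "Ban" { banned[$9] = 1 }
        $6 == jail && $7 == "Unban"                  { delete banned[$8] }
        END { for (ip in banned) print ip }' | sort
}

# Exact-token match of an IP inside rule text. -F keeps the dots literal and
# -w stops 203.0.113.4 from matching 203.0.113.45 (or ::1 matching ::10).
ip_in_rules() {
    # $1: IP, $2: rule text (rich rules, direct rules, ipset members)
    printf '%s\n' "$2" | grep -qwF -- "$1"
}

# Print the banned IPs that have no matching firewalld rule or ipset entry.
missing_ips() {
    # $1: banned IPs one per line, $2: combined rule text
    for ip in $1; do
        ip_in_rules "$ip" "$2" || echo "$ip"
    done
}

# Live use on a CentOS 7 host (not run here). Both ipset names are tried;
# "ipset list" simply fails when a set does not exist.
crosscheck_live() {
    jail=$1
    status=$(sudo fail2ban-client status "$jail")
    rules=$(sudo firewall-cmd --list-rich-rules
            sudo firewall-cmd --direct --get-all-rules
            sudo ipset list "f2b-$jail" 2>/dev/null
            sudo ipset list "fail2ban-$jail" 2>/dev/null)
    missing_ips "$(parse_banned_ips "$status")" "$rules"
}

# Constructed sample data: a status report, a mixed rule listing (one rich
# rule, the ipset direct rule and the ipset members) and a few log lines.
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     37
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 3
   |- Total banned:     3
   `- Banned IP list:   203.0.113.45 198.51.100.7 2001:db8::1'

SAMPLE_RULES='rule family="ipv4" source address="203.0.113.45" port port="22" protocol="tcp" reject type="icmp-port-unreachable"
ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports 22 -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
Name: fail2ban-sshd
Type: hash:ip
Members:
198.51.100.70'

SAMPLE_LOG='2024-03-01 10:15:02,123 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.45
2024-03-01 10:16:40,001 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.7
2024-03-01 10:20:11,555 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.9
2024-03-01 10:30:00,000 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 192.0.2.9
2024-03-01 10:31:09,042 fail2ban.actions        [1234]: NOTICE  [sshd] Restore Ban 2001:db8::1
2024-03-01 10:32:00,000 fail2ban.actions        [1234]: NOTICE  [apache-auth] Ban 192.0.2.9'

echo "Missing from firewalld (per fail2ban-client):"
missing_ips "$(parse_banned_ips "$SAMPLE_STATUS")" "$SAMPLE_RULES"
echo "Missing from firewalld (per fail2ban.log, jail sshd):"
missing_ips "$(banned_from_log "$SAMPLE_LOG" sshd)" "$SAMPLE_RULES"
```

Both passes report 198.51.100.7 and 2001:db8::1 as missing: the first because only 198.51.100.70 is in the set (the -w match is what keeps that from passing as a false positive), the second because nothing in the rule text mentions it. The log pass also shows why an Unban line matters for Case 1: 192.0.2.9 was banned and then unbanned by the sshd jail, so its absence from firewalld is correct, and the apache-auth ban of the same address is ignored because only the requested jail is counted.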