How to Block Outgoing Connections in RHEL7/CentOS7 Using Firewalld: Advanced Configuration Techniques

While firewalld has become the default firewall management tool in RHEL7/CentOS7, its primary focus remains on managing incoming connections. The architectural design makes outbound traffic control more challenging compared to traditional iptables service configurations.

For basic outbound blocking, firewalld's rich rule syntax does not help: the rich language has no "direction" attribute, and rich rules only match traffic arriving in a zone. A blanket egress block therefore has to go through the direct interface:

# Block all outgoing traffic with a direct rule on the OUTPUT chain
# (a rich rule with direction="output" is rejected by firewall-cmd; the attribute does not exist)
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -j REJECT
firewall-cmd --reload

For more granular control on a specific port:

# Block outgoing SSH connections (match the destination port of packets leaving the host)
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp --dport 22 -j REJECT
firewall-cmd --reload

Create a custom zone with strict outbound policies:

# Create a new restricted zone. A zone target of DROP applies to traffic arriving on the
# zone's interfaces, so this hardens ingress on eth0 but does not by itself stop outbound
# connections; pair it with direct OUTPUT rules for egress control
firewall-cmd --permanent --new-zone=restricted
firewall-cmd --permanent --zone=restricted --set-target=DROP
firewall-cmd --permanent --zone=restricted --add-interface=eth0
firewall-cmd --reload

Combine firewalld with ipsets for destination-based filtering:

# Create ipset for blocked destinations
firewall-cmd --permanent --new-ipset=blocked_hosts --type=hash:ip
firewall-cmd --permanent --ipset=blocked_hosts --add-entry=192.168.1.100
# Match the set against the destination of outbound packets. firewalld creates the kernel
# ipset under the same name, so a direct rule can reference it with -m set; a rich rule
# would only see traffic arriving in the zone, not traffic leaving the host
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m set --match-set blocked_hosts dst -j DROP
firewall-cmd --reload

When firewalld's own abstractions are too restrictive, consider raw iptables rules passed through firewalld's direct interface, so that they persist across firewalld reloads:

# Create a custom chain for outbound filtering through the direct interface. Rules added
# with the iptables command itself are flushed on firewall-cmd --reload, and the iptables
# service (service iptables save) conflicts with firewalld, so keep the chain in firewalld
firewall-cmd --permanent --direct --add-chain ipv4 filter OUTBOUND_FILTER
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -j OUTBOUND_FILTER
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTBOUND_FILTER 0 -p tcp --dport 80 -j DROP
firewall-cmd --reload

Always verify your firewall rules and monitor blocked connections:

# View current rules (zone configuration, direct rules, and the resulting iptables chains)
firewall-cmd --list-all
firewall-cmd --direct --get-all-rules
iptables -L -v -n

# Monitor firewalld service messages (rule syntax errors, failed reloads)
journalctl -f -u firewalld

# Log packets hit by firewalld's own deny rules and watch them in the kernel log;
# direct rules are not covered by this setting and need their own LOG rule
firewall-cmd --set-log-denied=all
journalctl -k -f

When working with RHEL7/CentOS7 systems, many administrators discover that while firewalld excels at managing inbound traffic, controlling outbound connections requires special handling. The limitation noted by Thomas Woerner in 2013 still largely holds true today.

Firewalld operates through zones and services, with its rules ultimately translated to iptables commands. The default configuration focuses primarily on ingress filtering, leaving egress traffic mostly unrestricted.

The most effective method involves using firewalld's direct interface to pass raw iptables commands:


# Block all outgoing HTTP traffic
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -p tcp --dport 80 -j DROP

# Make the change permanent
sudo firewall-cmd --runtime-to-permanent
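A default-deny egress policy is rarely a single rule: loopback, reply traffic and the essentials the article's closing caveat names (DNS, NTP, package updates) have to be allowed before the final reject, and direct rules are ordered by their priority argument. The script below is an added example, not code from the article or from the firewalld project. It generates the firewall-cmd direct-interface commands from a constructed allow-list and prints them as a dry run; the allow-list entries, the priority numbers and the SSH destination 192.168.1.100 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original article or from the firewalld project:
# build a default-deny egress policy through the firewalld direct interface.
# The allow-list, priorities and the SSH destination are constructed for illustration.
# Usage: sh egress_policy.sh          (print the commands, change nothing)
#        sh egress_policy.sh apply    (run them; needs root and firewalld)
set -eu

# Constructed allow-list, one "proto:port[:destination]" per line: the traffic that must
# keep working under default-deny (DNS, NTP, HTTPS for package updates, SSH to one host).
EGRESS_ALLOW='udp:53
tcp:53
udp:123
tcp:443
tcp:22:192.168.1.100'

# Print the firewall-cmd commands, one per line, in evaluation order. Direct rules run
# by ascending priority: 0 = loopback and reply traffic, 1 = allow-list, 9 = final REJECT.
build_egress_rules() {
  base="firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT"
  echo "$base 0 -o lo -j ACCEPT"
  echo "$base 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "$EGRESS_ALLOW" | while IFS=: read -r proto port dst; do
    if [ -n "$dst" ]; then
      echo "$base 1 -p $proto --dport $port -d $dst -j ACCEPT"
    else
      echo "$base 1 -p $proto --dport $port -j ACCEPT"
    fi
  done
  # REJECT rather than DROP so local processes fail immediately instead of hanging on timeouts.
  echo "$base 9 -j REJECT --reject-with icmp-admin-prohibited"
  echo "firewall-cmd --reload"
}

# Number of --add-rule commands the policy installs; a quick sanity check before applying.
rule_count() {
  build_egress_rules | grep -c -- '--add-rule'
}

# Apply mode runs each command; dry-run mode only prints them for review.
if [ "${1:-}" = "apply" ]; then
  build_egress_rules | while IFS= read -r cmd; do
    echo "+ $cmd"
    $cmd
  done
else
  build_egress_rules
fi
```

Review the dry-run output before using apply: once the priority-9 REJECT is in place, anything missing from the allow-list (a proxy, a log shipper, a monitoring agent) stops working, and the conntrack ACCEPT at priority 0 is what keeps replies to permitted connections flowing.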

Another approach involves creating dedicated zones for outbound filtering:


# Create a new zone
sudo firewall-cmd --permanent --new-zone=restricted-out

# Set the zone target to DROP (this governs traffic arriving on the zone's interfaces;
# it does not filter what leaves the host)
sudo firewall-cmd --permanent --zone=restricted-out --set-target=DROP

# Add exceptions (e.g., the dns service; this opens inbound DNS to the host, outbound
# DNS is unaffected by the zone)
sudo firewall-cmd --permanent --zone=restricted-out --add-service=dns

# Apply to network interface and load the permanent configuration
sudo firewall-cmd --permanent --zone=restricted-out --add-interface=eth0
sudo firewall-cmd --reload

For more selective filtering, direct rules accept the full iptables match syntax. Rich rules, by contrast, only match traffic arriving in their zone, so a rich rule with destination address and service name selects inbound SSH, not outbound:

# Allow outbound SSH only to a specific host (priority 0 is evaluated first)
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp --dport 22 -d 192.168.1.100 -j ACCEPT

# Reject all other outbound SSH (priority 1 runs after the allow rule above)
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp --dport 22 -j REJECT
sudo firewall-cmd --reload

For newer systems, consider switching to the nftables backend, which offers better outbound control. The backend is selected in firewalld.conf and requires firewalld 0.7 or later (RHEL 8); the RHEL7/CentOS7 packages have no nftables backend:

# Check the installed firewalld version and the configured backend
firewall-cmd --version
grep '^FirewallBackend' /etc/firewalld/firewalld.conf

# Switch to the nftables backend (firewalld must be restarted, a reboot is not needed)
sudo sed -i 's/^FirewallBackend=.*/FirewallBackend=nftables/' /etc/firewalld/firewalld.conf
sudo systemctl restart firewalld

After applying rules, verify with:


# Check active rules
sudo firewall-cmd --direct --get-all-rules

# Check effective iptables rules
sudo iptables -L -n -v

# Monitor traffic
sudo tcpdump -i eth0 -n 'outbound and not host your.gateway.ip'
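Verifying that rules exist is only half of the check; the other half is seeing which egress attempts are actually being refused. The script below is an added example, not code from the article. It assumes a direct LOG rule placed just before the final REJECT, for instance firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 8 -j LOG --log-prefix "EGRESS_REJECT: ", so that journalctl -k carries lines with that prefix; the prefix name and the sample log lines (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: summarise rejected egress connections
# from the kernel log. Assumes an iptables LOG rule with prefix "EGRESS_REJECT: " placed
# before the final REJECT in OUTPUT. The prefix and the sample lines are constructed.
set -eu

# Constructed sample of journalctl -k output: three rejected egress attempts to a mail
# relay port, one SSH attempt, one NTP attempt, and one unrelated inbound FINAL_REJECT line.
SAMPLE_LOG='Mar 03 10:15:01 host1 kernel: EGRESS_REJECT: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=43122 DPT=25 SYN
Mar 03 10:15:02 host1 kernel: EGRESS_REJECT: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=43123 DPT=25 SYN
Mar 03 10:15:05 host1 kernel: EGRESS_REJECT: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51000 DPT=22 SYN
Mar 03 10:15:09 host1 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=4444 DPT=8080 SYN
Mar 03 10:16:00 host1 kernel: EGRESS_REJECT: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=76 PROTO=UDP SPT=40000 DPT=123 LEN=56'

# Summarise rejected egress by protocol, destination and port, most frequent first.
# Reads log text on stdin and prints "count PROTO dst:port" lines; lines without the
# EGRESS_REJECT prefix (firewalld's own FINAL_REJECT, other kernel messages) are ignored.
summarize_egress() {
  grep -F 'EGRESS_REJECT:' | awk '
    {
      proto = ""; dst = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "PROTO") proto = kv[2]
        if (kv[1] == "DST") dst = kv[2]
        if (kv[1] == "DPT") dpt = kv[2]
      }
      if (proto != "" && dst != "" && dpt != "") count[proto " " dst ":" dpt]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2
}

# The single most frequently rejected destination, e.g. as input to an alert threshold.
top_rejected_destination() {
  summarize_egress | head -n 1
}

echo "$SAMPLE_LOG" | summarize_egress
```

On a live system replace the constructed sample with journalctl -k --since today | summarize_egress. A destination that shows up repeatedly is either a legitimate dependency missing from the allow-list or a process that should not be reaching out at all; both are worth a look before the rule set is considered done.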

Remember that managing outbound traffic requires careful planning: blocking too much can disrupt essential system functions like DNS resolution, NTP synchronization, and package updates.