How to make a network quarantine with firewalld
17 Dec 2015
This is surely not about reinventing the wheel, just a short how-to for commands I cannot remember every time.
Sometimes you need a fully quarantined machine with no incoming or outgoing network access except SSH from the local network. This can be achieved with a few firewalld / iptables commands.
RHEL 7 and CentOS 7 switched from a lot of well-known command line tools such as sysvinit, netstat and ifconfig to newer technologies (literally: systemctl, journalctl, ss and ip). Using iptables directly is not recommended either, since firewalld was introduced. The best tutorial I found is at Digital Ocean.
Native firewalld zones do not allow filtering of outgoing traffic, so you need to add "direct" rules, which are plain iptables rules. There are also rich rules, but I have not tried them yet.
So let's assume you are in the network 192.168.1.0/255. To limit outgoing traffic to IPv4 SSH connections within the local network only, run as root:
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --sport=22 -s 192.168.1.0/16 -d 192.168.1.0/16 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport=22 -s 192.168.1.0/16 -d 192.168.1.0/16 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 98 -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 99 -j DROP
Then reload the firewalld:
firewall-cmd --reload
Rules are saved permanently in /etc/firewalld/direct.xml. Check the list of loaded rules:
firewall-cmd --direct --get-all-rules
To remove all direct rules, run:
firewall-cmd --direct --remove-rules ipv4 filter OUTPUT
firewall-cmd --direct --remove-rules ipv6 filter OUTPUT
firewall-cmd --reload
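As an added example that is not part of the original post, the following script prints the same four rules for a chosen subnet and audits a saved rule listing (in the format printed by `firewall-cmd --direct --get-all-rules`) for the invariants the quarantine depends on: an unconditional DROP at the end of both the IPv4 and IPv6 OUTPUT chains and no ACCEPT that lets traffic leave the subnet. The subnet 192.168.0.0/16 and both listings are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post: print the quarantine rules for a
# chosen local subnet and audit a listing in the format of
# `firewall-cmd --direct --get-all-rules`. All values below are constructed.

LOCAL_NET=192.168.0.0/16

# Print the four firewall-cmd invocations for subnet $1 (printed, not run).
quarantine_cmds() {
    net=$1
    p='firewall-cmd --permanent --direct --add-rule'
    echo "$p ipv4 filter OUTPUT 0 -p tcp -m tcp --sport=22 -s $net -d $net -j ACCEPT"
    echo "$p ipv4 filter OUTPUT 1 -p tcp -m tcp --dport=22 -s $net -d $net -j ACCEPT"
    echo "$p ipv6 filter OUTPUT 98 -j DROP"
    echo "$p ipv4 filter OUTPUT 99 -j DROP"
}

# Read a rule listing on stdin and verify, for subnet $1, that ipv4 and ipv6
# OUTPUT both contain an unconditional DROP, that every ipv4 OUTPUT ACCEPT is
# restricted to a destination inside the subnet, and that the DROP has the
# highest priority number (lower numbers are matched first). Exit 0 = ok.
audit_rules() {
    awk -v net="$1" '
    $1 == "ipv4" && $2 == "filter" && $3 == "OUTPUT" {
        pri = $4 + 0
        if ($NF == "ACCEPT") {
            if (pri > maxacc) maxacc = pri
            if (index($0, " -d " net " ") == 0) leak = 1
        }
        if (NF == 6 && $5 == "-j" && $6 == "DROP") { drop4 = pri; has4 = 1 }
    }
    $1 == "ipv6" && $2 == "filter" && $3 == "OUTPUT" && NF == 6 && $6 == "DROP" { has6 = 1 }
    END { if (has4 && has6 && !leak && drop4 > maxacc) exit 0; exit 1 }'
}

# Constructed listing as the rules above would leave it.
GOOD_LISTING="ipv4 filter OUTPUT 0 -p tcp -m tcp --sport=22 -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
ipv4 filter OUTPUT 1 -p tcp -m tcp --dport=22 -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
ipv6 filter OUTPUT 98 -j DROP
ipv4 filter OUTPUT 99 -j DROP"

# Constructed listing with a stray rule letting HTTPS reach any host and no
# IPv6 drop: the audit must reject it.
BAD_LISTING="ipv4 filter OUTPUT 0 -p tcp -m tcp --sport=22 -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
ipv4 filter OUTPUT 5 -p tcp -m tcp --dport=443 -j ACCEPT
ipv4 filter OUTPUT 99 -j DROP"

if printf '%s\n' "$GOOD_LISTING" | audit_rules "$LOCAL_NET"; then echo "good listing: ok"; fi
if ! printf '%s\n' "$BAD_LISTING" | audit_rules "$LOCAL_NET"; then echo "bad listing: rejected"; fi
```

Note that the final DROP in OUTPUT also covers the loopback interface, so anything on the host that talks to itself over 127.0.0.1 is cut off unless an ACCEPT for `-o lo` with a lower priority number is added.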