I would like to permit HTTP access only from some IP ranges on my CentOS 7.3 server with firewalld. So here are my firewalld rules:
firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="x.x.x.x/22" port port="80" protocol="tcp" accept
rule family="ipv4" source address="192.168.209.0/24" port port="80" protocol="tcp" accept
rule family="ipv4" source address="1.2.3.4/32" port port="80" protocol="tcp" reject
rule family="ipv4" source address="0.0.0.0/0" port port="80" protocol="tcp" reject
But I can still access it from x.x.x.x on port 80, and I don't understand why.
With iptables, here is what has been created from my firewalld config:
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
ACCEPT tcp -- x.x.x.x/22 anywhere tcp dpt:http ctstate NEW
ACCEPT tcp -- X.X.X.X/16 anywhere tcp dpt:http ctstate NEW
ACCEPT tcp -- ipgg.sdv.fr anywhere tcp dpt:http ctstate NEW
ACCEPT tcp -- x.x.x.x/24 anywhere tcp dpt:http ctstate NEW
ACCEPT tcp -- x.x.x.x/24 anywhere tcp dpt:http ctstate NEW
Chain IN_public_deny (1 references)
target prot opt source destination
REJECT tcp -- ns3098611.ip-94-23-44.eu anywhere tcp dpt:http ctstate NEW reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:http ctstate NEW reject-with icmp-port-unreachable
But it never seems to be taken into account. Instead, I think this rule is applied first:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
I started from scratch; here is my history:
1208 service docker stop
1209 sudo iptables -P INPUT ACCEPT
1210 sudo iptables -P FORWARD ACCEPT
1211 sudo iptables -P OUTPUT ACCEPT
1214 iptables -F
1215 iptables -X
1216 iptables -L
1217 service docker start
1221 firewall-cmd --list-all
I only see traffic passing through the INPUT chain:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
513 38048 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2698 382K INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
2698 382K INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
2698 382K INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
3 132 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
2691 382K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Your default policy is ACCEPT, so unless there is a drop or reject rule, everything will be accepted. However, more to the point, it looks like your first rule specifically allows traffic from x.x.x.x to port 80?
You could also check IPv6: all your rules are for IPv4, so if IPv6 is active it may be wide open.
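An added illustration, not part of the question or the answer above, of how firewalld orders the rich rules listed in the question. firewalld 0.4.x, as shipped with CentOS 7, does not evaluate rich rules in the order `firewall-cmd --list-rich-rules` prints them: for rules of the same priority it installs log rules first, then drop/reject rules, then accept rules, which is exactly the split into the IN_public_deny and IN_public_allow chains visible in the iptables dump, with IN_public jumping to the deny chain before the allow chain (the per-rule priority attribute that lets you override this only exists in newer firewalld releases). A catch-all `0.0.0.0/0 ... reject` rule therefore sits in front of every accept rule for port 80. Two other practitioner checks: `iptables -F` / `iptables -X` from the history remove firewalld's chains from the kernel while `firewall-cmd --list-all` keeps reporting the configured rules, so a `firewall-cmd --reload` is needed before the dump reflects the configuration again; and since all rules say `family="ipv4"`, the ip6tables state has to be inspected separately. The script below parses the four rules (the redacted x.x.x.x/22 is replaced by the assumed stand-in 10.10.0.0/22), applies firewalld's ordering to constructed sample connections, and reports accept rules that a broader reject rule makes unreachable. Python is used so the logic runs without root or a firewalld installation.

```python
import ipaddress
import re

# The question's rich rules as `firewall-cmd --list-rich-rules` prints them.
# The redacted x.x.x.x/22 is replaced by an assumed placeholder, 10.10.0.0/22.
RICH_RULES = [
    'rule family="ipv4" source address="10.10.0.0/22" port port="80" protocol="tcp" accept',
    'rule family="ipv4" source address="192.168.209.0/24" port port="80" protocol="tcp" accept',
    'rule family="ipv4" source address="1.2.3.4/32" port port="80" protocol="tcp" reject',
    'rule family="ipv4" source address="0.0.0.0/0" port port="80" protocol="tcp" reject',
]

# Only the subset of rich-rule syntax used above is parsed (family, optional
# source address, optional port/protocol, terminal action).
RULE_RE = re.compile(
    r'rule family="(?P<family>ipv4|ipv6)"'
    r'(?: source address="(?P<src>[^"]+)")?'
    r'(?: port port="(?P<port>\d+)" protocol="(?P<proto>tcp|udp)")?'
    r' (?P<action>accept|reject|drop|log)'
)

# firewalld 0.4.x groups rich rules by action, not by listing order:
# log rules first, then drop/reject rules, then accept rules. That is the
# IN_<zone>_log -> IN_<zone>_deny -> IN_<zone>_allow chain sequence.
ACTION_PHASE = {"log": 0, "drop": 1, "reject": 1, "accept": 2}


def parse_rule(text):
    m = RULE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unsupported rich rule: " + text)
    d = m.groupdict()
    return {
        "family": d["family"],
        "src": ipaddress.ip_network(d["src"]) if d["src"] else None,
        "port": int(d["port"]) if d["port"] else None,
        "proto": d["proto"],
        "action": d["action"],
        "text": text.strip(),
    }


def firewalld_order(rules):
    """Evaluation order firewalld actually installs; sorted() is stable, so
    listing order is kept within each phase."""
    return sorted(rules, key=lambda r: ACTION_PHASE[r["action"]])


def matches(rule, packet):
    src = ipaddress.ip_address(packet["src"])
    if rule["family"] != "ipv%d" % src.version:
        return False  # an ipv4 rule never sees IPv6 traffic, and vice versa
    if rule["src"] is not None and src not in rule["src"]:
        return False
    if rule["port"] is not None and (
        rule["port"] != packet["dport"] or rule["proto"] != packet["proto"]
    ):
        return False
    return True


def verdict(rules, packet):
    """Verdict for a NEW connection: the action of the first matching terminal
    rule in firewalld order, or 'zone-default' when nothing matched (the zone
    target then decides; for IPv4 in the question's public zone that is the
    final REJECT at the end of the INPUT chain dump)."""
    for rule in firewalld_order(rules):
        if matches(rule, packet) and rule["action"] != "log":
            return rule["action"], rule["text"]
    return "zone-default", None


def shadowed_accepts(rules):
    """Accept rules that can never fire because a drop/reject rule in the same
    zone already covers all of their traffic (the deny chain runs first)."""
    denies = [r for r in rules if r["action"] in ("drop", "reject")]
    shadowed = []
    for acc in (r for r in rules if r["action"] == "accept"):
        for d in denies:
            if d["family"] != acc["family"]:
                continue
            port_covered = d["port"] is None or (
                d["port"] == acc["port"] and d["proto"] == acc["proto"]
            )
            src_covered = d["src"] is None or (
                acc["src"] is not None and acc["src"].subnet_of(d["src"])
            )
            if port_covered and src_covered:
                shadowed.append(acc["text"])
                break
    return shadowed


if __name__ == "__main__":
    packets = [  # constructed sample connections, all TCP to port 80
        {"src": "10.10.1.7", "dport": 80, "proto": "tcp"},     # inside the /22 stand-in
        {"src": "1.2.3.4", "dport": 80, "proto": "tcp"},       # explicitly rejected host
        {"src": "198.51.100.9", "dport": 80, "proto": "tcp"},  # listed nowhere
        {"src": "2001:db8::1", "dport": 80, "proto": "tcp"},   # no ipv4 rule applies
    ]
    for name, texts in (("as posted", RICH_RULES), ("without the 0.0.0.0/0 reject", RICH_RULES[:3])):
        rules = [parse_rule(t) for t in texts]
        print("==", name, "| shadowed accept rules:", len(shadowed_accepts(rules)))
        for p in packets:
            print("  %-14s -> %s" % (p["src"], verdict(rules, p)[0]))
```

Running it shows that with the rules as posted every port-80 connection, including one from the /22 that is meant to be allowed, is rejected by the catch-all rule, and that both accept rules are reported as shadowed. Dropping the `0.0.0.0/0` reject rule makes the accept rules reachable; sources that match no rule then fall through to the zone target, which in the posted dump is the final REJECT of the INPUT chain, so the explicit catch-all buys nothing.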