Using firewall-cmd to create address-specific restrictions in CentOS 7
How do I create a firewall rule using the firewall-cmd tool (the new firewalld) such that I limit a specific network to accessing only one service, while allowing all services to everyone in one zone?
For example:
I have only one interface, eno1, and it is associated with the public zone. The http and https services are enabled on that zone. I want to enable ssh access on that zone, but I want to limit the ssh access to a network (e.g. 100.0.0.0/8).
What is the best way to do this?
Solution 1:
I searched for the answer but I found many questions related to my own without answers.
After much study, I came up with a workaround. Here is what I did:
I added the interface to the public zone,
then:
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="x.x.x.x/x" service name="ssh" log prefix="ssh" level="info" accept'
sudo firewall-cmd --reload
Note: the source address can be a range; just specify the network mask.
Since ssh wasn't added to the public zone, it will be blocked by default. The rich rule will enable it for only that source IP.
If anyone has a better solution, please add it.
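The approach in the answer above as a small POSIX shell script (an added example, not from the answer's author): it builds the rich rule for a given IPv4 network, names the zone explicitly rather than relying on the default zone, and refuses to apply the rule if the zone already allows ssh unconditionally, since a zone-level ssh service would make the source restriction meaningless. The CIDR sanity check is a constructed one and is not firewalld syntax.

```shell
#!/bin/sh
# Added example: restrict ssh in a firewalld zone to one source network.

# Build the rich rule text for an IPv4 network (address or address/prefix).
ssh_rich_rule() {
    cidr="$1"
    # Constructed sanity check: only digits, dots and one interior slash are
    # accepted, so shell metacharacters never reach firewall-cmd.
    case "$cidr" in
        ''|*[!0-9./]*|*/|/*|*//*) return 1 ;;
    esac
    printf 'rule family="ipv4" source address="%s" service name="ssh" log prefix="ssh" level="info" accept' "$cidr"
}

# Takes the output of `firewall-cmd --zone=<zone> --list-services` and
# succeeds if ssh is already allowed zone-wide (which would bypass the rule).
zone_allows_ssh() {
    for s in $1; do
        [ "$s" = "ssh" ] && return 0
    done
    return 1
}

# Apply the rule permanently to the named zone and reload. Only called
# explicitly; needs root and a running firewalld.
apply_ssh_restriction() {
    zone="$1"
    cidr="$2"
    rule=$(ssh_rich_rule "$cidr") || { echo "bad network: $cidr" >&2; return 1; }
    if zone_allows_ssh "$(firewall-cmd --zone="$zone" --list-services)"; then
        echo "zone $zone already allows ssh from anywhere; remove it first" >&2
        return 1
    fi
    firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule" &&
        firewall-cmd --reload
}

# Example invocation (uncomment to run on a real host):
# apply_ssh_restriction public 100.0.0.0/8
```

After applying, `firewall-cmd --zone=public --list-rich-rules` should show the rule and `--list-services` should still not include ssh.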