Using Firewall-cmd to create address specific restrictions in centos 7

linux linux-networking fedora centos7 firewalld

How do I create a firewall rule using firewall-cmd tool (new firewalld) such that I will limit specific network to access only one service and allow all on all service in one zone.

For example:

I have only one interface eno1 and it is associated to the public zone. Http and https services are enabled on that zone. I want to enable ssh access on that zone but but I want to limit the ssh access to a network (eg. 100.0.0.0/8)

What is the best way to do this?


Solution 1:

I searched for the answer but I found many questions related to my own without answers.

After much study, I came around with a workaround. Here is what i did

I Added the interface to the public zone

then

sudo firewall-cmd --permanent --zone=public --add-service=http 
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="x.x.x.x/x" service name="ssh" log prefix="ssh" level="info" accept' 
sudo firewall-cmd --reload

Note: The source address could be a range. Just specify the network mask

Since ssh wasn't added for the public zone, it will be blocked by default. The rich rule will enable it for only that source ip.

Any better solution please add.

Related

Multiple SSL certificates to access one ASP.NET application in IIS
What are default postfix smtp settings?
How to speed up file copying onto a VMWare virtual server?
What's the best server to use with ASP.Net on Mono? [closed]
Sync user accounts over multiple linux servers
Is it possible to try Windows Server 2012 with VmWare Server 5.0?
Disable temporary user profile on workstations in a Windows 2008 env
What to do if one doesn't want to receive email bounces?
Printer Won't Print! Long and weird saga
Unable to add user using useradd
error on ec2 volume mount
AGDLP: global vs local groups for job/role groups