Using firewall-cmd to create address-specific restrictions in CentOS 7

How do I create a firewall rule using the firewall-cmd tool (new firewalld) such that I limit a specific network to accessing only one service, and allow all on all services in one zone?

For example:

I have only one interface, eno1, and it is associated with the public zone. HTTP and HTTPS services are enabled on that zone. I want to enable SSH access on that zone, but I want to limit the SSH access to one network (e.g. 100.0.0.0/8).

What is the best way to do this?


Solution 1:

I searched for the answer but found many questions related to my own without answers.

After much study, I came up with a workaround. Here is what I did.

I added the interface to the public zone

then

# open HTTP and HTTPS to everyone in the public zone (permanent config only, not yet live)
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
# accept ssh only from the given source network and log each accepted connection;
# no --zone is given, so the rule lands in the default zone (public unless it was changed)
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="x.x.x.x/x" service name="ssh" log prefix="ssh" level="info" accept'
# load the permanent configuration into the running firewall
sudo firewall-cmd --reload

Note: The source address can be a range. Just specify the network mask.

Since ssh wasn't added to the public zone, it is blocked by default. The rich rule enables it only for that source IP.

Any better solution please add.
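The procedure in the answer above, as an added example that is not part of the original question or answer: a POSIX sh script that validates the allowed network before building the rich rule (a typo such as a /0 prefix would otherwise open ssh to everyone), then prints the firewall-cmd sequence, or runs it when APPLY=1. The zone name "public", the interface name eno1 and the default network 100.0.0.0/8 are taken from the question; everything else is an assumption of this example. One caveat the answer does not mention: a stock CentOS 7 public zone already has ssh enabled, so the script removes the service from the zone first; otherwise the rich rule would be redundant and ssh would stay open to all sources.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes firewalld's
# firewall-cmd on the PATH when APPLY=1; without APPLY=1 it only prints
# the commands so it can be reviewed (and tested) on any machine.

ZONE="${ZONE:-public}"   # assumption: zone name from the question
IFACE="${IFACE:-eno1}"   # assumption: interface name from the question

# Accept only a dotted-quad IPv4 network with a /1../32 prefix.
# A /0 prefix is refused on purpose: it would allow ssh from anywhere.
valid_ipv4_cidr() {
    cidr="$1"
    case "$cidr" in
        */*) ip="${cidr%/*}"; prefix="${cidr#*/}" ;;
        *)   return 1 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
    # leading, trailing or doubled dots are never a valid address
    case "$ip" in .*|*.|*..*) return 1 ;; esac
    old_ifs="$IFS"; IFS=.
    set -- $ip
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The rich rule from the answer, with the source network filled in.
ssh_rich_rule() {
    printf 'rule family="ipv4" source address="%s" service name="ssh" log prefix="ssh" level="info" accept' "$1"
}

# Execute a command when APPLY=1, otherwise print it for review.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Full sequence: bind the interface, open http/https to all, drop the
# zone-wide ssh service, allow ssh only from $1, reload and show the result.
configure_ssh_restriction() {
    net="$1"
    valid_ipv4_cidr "$net" || { echo "invalid IPv4 network: $net" >&2; return 1; }
    rule=$(ssh_rich_rule "$net")
    run firewall-cmd --permanent --zone="$ZONE" --change-interface="$IFACE"
    run firewall-cmd --permanent --zone="$ZONE" --add-service=http
    run firewall-cmd --permanent --zone="$ZONE" --add-service=https
    # CentOS 7 enables ssh in the public zone by default; remove it so that
    # only the rich rule below can accept ssh
    run firewall-cmd --permanent --zone="$ZONE" --remove-service=ssh
    run firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$rule"
    run firewall-cmd --reload
    run firewall-cmd --zone="$ZONE" --list-all
}

# Usage: ./ssh-restrict.sh [network]   (dry run)
#        APPLY=1 ./ssh-restrict.sh 100.0.0.0/8   (as root, applies the rules)
if [ "${1:-}" != "" ] || [ "${APPLY:-0}" = "1" ]; then
    configure_ssh_restriction "${1:-100.0.0.0/8}"
fi
```

After applying, `firewall-cmd --zone=public --list-all` should show http and https under services, no ssh there, and the rich rule under rich rules; an ssh attempt from outside the allowed network is then dropped by the zone's default policy, while accepted connections appear in the kernel log with the "ssh" prefix.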