block all but a few ips with firewalld

command-line-interface fedora firewalld

On a linux networked machine, i would like to restrict the set of addresses on the "public" zone (firewalld concept), that are allowed to reach it. So the end result would be no other machine can access any port or protocol, except those explicitly allowed, sort of a mix of 

  --add-rich-rule='rule family="ipv4" source not  address="192.168.56.120" drop'

  --add-rich-rule='rule family="ipv4" source not  address="192.168.56.105" drop'

The problem above is that this is not a real list, it will block everything since if its one address its blocked by not being the same as the other, generating an accidental "drop all" effect, how would i "unblock" a specific non contiguous set? does source accept a list of addresses? i have not see anything in my look at the docs or google result so far.

EDIT: I just created this:

# firewall-cmd  --zone=encrypt --list-all
encrypt (active)
  interfaces: eth1
  sources: 192.168.56.120
  services: ssh
  ports: 6000/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

But i can still reach port 6000 from .123 my intention was that if a source is not listed, it should not be able to reach any service or port


Solution 1:

The rich rules aren't necessary at all.

If you want to restrict a zone to a specific set of IPs, simply define those IPs as sources for the zone itself (and remove any interface definition that may be present, as they override source IPs).

You probably don't want to do this to the "public" zone, though, since that's semantically meant for public facing services to be open to the world.

Instead, try using a different zone such as "internal" for mostly trusted IP addresses to access potentially sensitive services such as sshd. (You can also create your own zones.)

Warning: don't mistake the special "trusted" zone with the normal "internal" zone. Any sources added to the "trusted" zone will be allowed through on all ports; adding services to "trusted" zone is allowed but it doesn't make any sense to do so.

firewall-cmd --zone=internal --add-service=ssh
firewall-cmd --zone=internal --add-source=192.168.56.105/32
firewall-cmd --zone=internal --add-source=192.168.56.120/32
firewall-cmd --zone=public --remove-service=ssh

The result of this will be a "internal" zone which permits access to ssh, but only from the two given IP addresses. To make it persistent, re-run each command with --permanent appended, or better, by using firewall-cmd --runtime-to-permanent.

Solution 2:

First install and start firewalld service

sudo yum install -y firewalld
sudo systemctl start firewalld

Then open source IP addresses 192.168.56.120 and 192.168.56.121.

Open ssh 22 for remote shell if needed and use [--permanent] flag to keep changes after system reboot.

sudo firewall-cmd --zone=public --permanent --add-service=ssh
sudo firewall-cmd --zone=public --permanent --add-source=192.168.56.120
sudo firewall-cmd --zone=public --permanent --add-source=192.168.56.121

Then reload firewalld service to activate new configuration

sudo systemctl reload firewalld

You can also mix incoming address and destination port using rich rules feature of firewall-cmd

Solution 3:

As per firewalld.richlanguage:

Source source [not] address="address[/mask]"

   With the source address the origin of a connection attempt can be limited to the source address. An address is either a single IP address, or a network IP address. The address has to match the rule family (IPv4/IPv6). Subnet mask is expressed in either
   dot-decimal (/x.x.x.x) or prefix (/x) notations for IPv4, and in prefix notation (/x) for IPv6 network addresses. It is possible to invert the sense of an address by adding not before address. All but the specified address will match then.

Specify a netmask for the address to allow contiguous blocks.

Other than that, you could try creating an ipset for a non-contiguous list of allowed IPs.

For example, in /etc/firewalld/direct.xml:

<?xml version="1.0" encoding="utf-8"?>
<direct>
   <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-m set --match-set whitelist src -j ACCEPT</rule>
</direct>

The actual ipset has to be created separately.

Related

"No worthy mechs found" when trying to relay email to Gmail using Postfix
How browsers handle multiple IPs [closed]
How big should the swap partition be?
Mercurial (hg) with active directory
How to update the class object in system verilog after constructing?
Setting a default value in sqlalchemy
Azure B2C Logout implementation in ASP.NET Core?
How can I compile simple app for android in linux terminal from text file (source codes)? [duplicate]
Handling multiple experimental annotations throughout an app
CSS Transitions Rotating img
Powershell Format-Wide and Sorting
Compile with c++17 mac