Firewalld with an IP alias (eth0:0)

(Solution found, see below...)

The server (CentOS 7) has multiple public IPs, these are set up via the usual ifcfg-eth0:0 config files and are working fine. I'm trying to adapt to firewalld (coming from iptables). I like to be able to specify open ports per IP alias - with iptables this was done simply by setting the destination IP to match whatever alias needed the port.

I thought with firewalld I could apply a different zone to each interface to achieve the same effect, however it seems I cannot do so.

We start with:

# firewall-cmd --get-active-zones
public
  interfaces: eth0 eth0:0
trusted
  interfaces: eth1

I created a new zone public_web that I wanted to use for eth0:0

# firewall-cmd --permanent --new-zone=public_web
success
# firewall-cmd --permanent --zone=public_web --add-service=http
success
# firewall-cmd --permanent --zone=public_web --add-interface=eth0:0
success
# firewall-cmd --reload
success

But...

# firewall-cmd --get-active-zones
public
  interfaces: eth0 eth0:0
trusted
  interfaces: eth1

I tried --remove-interface, --change-interface and various other commands in various orders, but eth0:0 won't budge. I can't seem to find any documentation anywhere about using aliases, so I'm not sure if this is even the correct way of achieving what I'd like?

Thanks all.


Solution:

The solution is to use the destination tag in a service file, it can only be used once per service.

So let's say you want port 443 on 87.98.256.512, make a copy of the https.xml file (recommend you don't touch originals) to /etc/firewalld/services, here I'll use https-admin.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>HTTPS for 87.98.256.512</short>
  <description>...</description>
  <port protocol="tcp" port="443"/>
  <destination ipv4="87.98.256.512" />
</service>

Then

# firewall-cmd --permanent --zone=public --add-service=https-admin
success
# firewall-cmd --reload
success
# firewall-cmd --zone=public --list-services
http https-admin

And finally confirm this with iptables

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            87.98.256.512        tcp dpt:443 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW

Remember: only one destination tag per service, so just make multiple services if that's your requirement.


Solution 1:

The entire interface aliasing functionality is left over from the past. It doesn't actually create a separate interface. You haven't needed to use aliases to assign multiple IPs to a single interface for a long time. Because it isn't a 'real' interface, your firewall software cannot treat it like a real interface. If you use the ip addr command you will see that the addresses are all assigned to the main interface, and the eth0:0 is simply considered to be a label for that address.

With all that in mind, I am not entirely sure what you need to do to adjust your firewall. I suspect you may need to specify ports by IP, and not by the IP address and not the alias.