Firewalld with an IP alias (eth0:0)

centos7 firewalld

(Solution found, see below...)

The server (CentOS 7) has multiple public IPs, these are set up via the usual ifcfg-eth0:0 config files and are working fine. I'm trying to adapt to firewalld (coming from iptables). I like to be able to specify open ports per IP alias - with iptables this was done simply by setting the destination IP to match whatever alias needed the port.

I thought with firewalld I could apply a different zone to each interface to achieve the same effect, however it seems I cannot do so.

We start with:

# firewall-cmd --get-active-zones
public
  interfaces: eth0 eth0:0
trusted
  interfaces: eth1

I created a new zone public_web that I wanted to use for eth0:0

# firewall-cmd --permanent --new-zone=public_web
success
# firewall-cmd --permanent --zone=public_web --add-service=http
success
# firewall-cmd --permanent --zone=public_web --add-interface=eth0:0
success
# firewall-cmd --reload
success

But... 

# firewall-cmd --get-active-zones
public
  interfaces: eth0 eth0:0
trusted
  interfaces: eth1

I tried --remove-interface, --change-interface and various other commands in various orders, but eth0:0 won't budge. I can't seem to find any documentation anywhere about using aliases, so I'm not sure if this is even the correct way of achieving what I'd like?

Thanks all.

Solution:

The solution is to use the destination tag in a service file, it can only be used once per service.

So let's say you want port 443 on 87.98.256.512, make a copy of the https.xml file (recommend you don't touch originals) to /etc/firewalld/services, here I'll use https-admin.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>HTTPS for 87.98.256.512</short>
  <description>...</description>
  <port protocol="tcp" port="443"/>
  <destination ipv4="87.98.256.512" />
</service>

Then

# firewall-cmd --permanent --zone=public --add-service=https-admin
success
# firewall-cmd --reload
success
# firewall-cmd --zone=public --list-services
http https-admin

And finally confirm this with iptables

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            87.98.256.512        tcp dpt:443 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW

Remember: only one destination tag per service, so just make multiple services if that's your requirement.


Solution 1:

The entire interface aliasing functionality is left over from the past. It doesn't actually create a separate interface. You haven't needed to use aliases to assign multiple IPs to a single interface for a long time. Because it isn't a 'real' interface, your firewall software cannot treat it like a real interface. If you use the ip addr command you will see that the addresses are all assigned to the main interface, and the eth0:0 is simply considered to be a label for that address.

With all that in mind, I am not entirely sure what you need to do to adjust your firewall. I suspect you may need to specify ports by IP, and not by the IP address and not the alias.

Related

How to fix Logjam vulnerability with MySQL
Using dnsmasq to service multiple subnets
Postfix hard bounced emails are not rejected
Can I use wildcards with SAN self-signed certificates?
'zfs get all' returns properties for file systems with '%' (percent sign) appended
Cannot update Debian Wheezy due to GPG error (NODATA)
Dovecot Quotas are not recalculated nor is mail rejected if quota is exceeded
Failed to start stunnel4 on Ubuntu 15.04
How can I tell where an Amazon AWS key is being used?
Powershell Download via HTTP using Proxy and Checking Remote File Size Fails on Second File
PREROUTING distinguish between INPUT and FORWARD packets
msdeploy via jenkins & service account: connected but "could not authorize"?