FirewallD : Allow connections only from certain IP addresses [duplicate]

centos7 firewalld firewalld-zone

I am trying to use FirewallD to restrict access to a CentOS server from other machines on the network. It has a single network interface and it is operating in the public zone. Lets say that the ip address of this server 10.10.1.20.

What I want to do is to allow only machines with IP addresses 10.10.1.125 and 10.10.1.126 to be able to connect (ssh and https) to this server. None of the other ip addresses should be able to connect to this server (or even know that it exists).

I tried using FirewallD's rich rules as follows (on 10.10.1.20)

sudo firewall-cmd --add-rich-rule 'rule family="ipv4" source address="10.10.1.0/24" drop'

sudo firewall-cmd --add-rich-rule 'rule family="ipv4" source address="10.10.1.125" accept'

sudo firewall-cmd --add-rich-rule 'rule family="ipv4" source address="10.10.1.126" accept'

But it doesn't seem to work. I cannot make ssh connections to 10.10.1.20 from 10.10.1.125 or 10.10.1.126.

I tried entering the rules in the reverse order, but it still does not work.

Can someone help me out here? Do I need to change the zone from public to a more restrictive one like drop before the rules I wrote above can be applied?


Solution 1:

Rich rules aren't the way to go about this. They'll just create confusion, now and later.

Understand that a firewalld zone corresponds to a set of services that you may wish to allow, and the sources of the traffic to those services.

All you have to do is to set the services you want to allow in the zone (which you probably already have done) and then set the sources.

Traffic sources can be designated in two ways: By interface, or by source IP address. Traffic that matches any source passes this check.

So, what you want to do is to add the IP addresses allowed to reach the services, and then remove the interface (if any).

firewall-cmd --zone=public --add-source=10.10.1.25
firewall-cmd --zone=public --add-source=10.10.1.26
firewall-cmd --zone=public --remove-interface=enp2s1
firewall-cmd --runtime-to-permanent

And note that you probably do not want to do this in the public zone, but create a new zone. That zone has several things set up to be allowed by default (such as DHCP) which could cause you problems if you remove the interface and restrict the zone by source IP address.

Related

Execute program on remote computer using PowerShell
Phpmyadmin location for nginx
php-fpm status page: what are the "queue" items in this report?
Ec2: Setup mail to send emails
How to properly shutdown ESXi cluster after power outage?
How to change a VM from split across multiple .vmdk files to a single one or two?
How to tweak Gnome user elevation in RHEL/CentOS
GNU screen loses (parts of) command histories
KVM booting off-image kernel and existing partition
Block all incoming DNS requests EXCEPT from IPs x,y,
How does an administrator generalize alerting when an event doesn't happen?
Does a PTR record prove anything about the sender's email domain?