I have a system that connects to the outside world. My use case is that I need to block external access and only allow a particular subnet for this system, without adding any external interfaces. Can I do this using firewall-cmd?

I need to allow access to a particular subnet; all other connectivity to/from this node should be blocked. Any suggestions are highly appreciated. Before I add edits to this: I read that firewall-cmd can only be used to block external traffic, but for my use case I need it to block external access from my host and only allow access to a particular host.

P.S.

  • Block all outgoing traffic, including ping/ICMP
  • Allow only my traffic to reach a particular subnet (e.g. 10.8.180.0/24), which has a proxy to reach the external services

I have read about rich rules to do the same, but I have been unable to get results.

firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="10.10.10.189" port port=5000 protocol=tcp accept'

But I'm not sure how to block the other ports; this system should only contact 10.10.10.189 and nothing else. Any help is appreciated.

  • Hi, welcome to ServerFault! I wanted to give you a heads-up that it is customary to say what you have tried in your questions, and to give specific details. Example: _I want to only allow access to the x.x.x.x subnet to my server, and block all others. I've read the manual for `firewall-cmd` but still don't know how to do this._ Additionally, to get good suggestions, it is sometimes useful to know more details, like which Linux distro and which firewall versions you have. – Zlatko Sep 22 '20 at 11:04
  • Yeah, sure. I just joined this forum; I will add those details @Zlatko – directedsoul Sep 22 '20 at 20:16


You can allow traffic from a particular subnet by creating a firewalld zone and then adding the subnet and ports you want to allow in.

For example:

firewall-cmd --permanent --new-zone=<name>
firewall-cmd --reload    # to make the zone available in the running config

firewall-cmd --zone=<name> --add-source=<subnet>/<cidr>
firewall-cmd --zone=<name> --add-port=<number>/{tcp|udp}    # and/or
firewall-cmd --zone=<name> --add-service=<name>

Once you're satisfied that it works, you can save it:

firewall-cmd --runtime-to-permanent

Note that firewalld is designed primarily for ingress firewalling, and has little or no functionality for egress firewalling (which most people don't need, and where it is needed is usually handled by an external firewall).

Michael Hampton
  • Thanks for answering this question @Michael Hampton. I mostly want my system to only access a few nodes in, let's say, the 192.168.10.0/24 subnet and not reach any other systems. Is `firewall-cmd` a good choice here? – directedsoul Sep 17 '20 at 21:03
  • @directedsoul Not really. If you absolutely want to do egress firewalling, you're probably better off looking for something else, or possibly writing rules manually (but that's a real pain). Most firewall builders don't have functionality to make this easy. But you can certainly firewall it at the router much more easily. – Michael Hampton Sep 17 '20 at 21:05
  • So, if I ever wanted to block communication from my existing node to the outside world, this is best done on the switch side (VLAN separation) and not from the existing node? – directedsoul Sep 17 '20 at 21:11
  • @directedsoul What if someone compromised the system and changed the firewall on the host to allow outgoing traffic again? You will do better to block it upstream if that's what you need. – Michael Hampton Sep 17 '20 at 21:14
  • Yeah, that makes sense. I was investigating use cases on my RHEL 8 machine, and it seems I can get this done with `iptables` or `firewall-cmd` rich rules (but it's still for blocking incoming traffic). – directedsoul Sep 17 '20 at 22:18
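The zone procedure from the answer above, collected into one script. This is an added example, not code from the answer, the asker, or the firewalld project. The zone name `proxyonly`, the subnet 10.8.180.0/24 and port 5000/tcp are assumptions taken from the question; `FIREWALL_CMD` is a hypothetical override variable so the same sequence can be dry-run with `FIREWALL_CMD=echo` before it is pointed at a live host. The script validates every argument before it issues the first `firewall-cmd` call, so a mistyped subnet or port spec cannot leave the zone half-built.

```shell
#!/bin/sh
# Added example (not from the original answer): the answer's zone procedure as
# one script that validates its inputs before touching firewalld. The zone name
# "proxyonly", the subnet 10.8.180.0/24 and port 5000/tcp are assumptions taken
# from the question. FIREWALL_CMD is a hypothetical override so the sequence can
# be dry-run, e.g. FIREWALL_CMD=echo, without changing a live host.
set -eu

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Accept only dotted-quad IPv4 CIDR notation (a.b.c.d/n, n <= 32).
# A typo such as a missing prefix length must not reach --add-source.
valid_cidr() {
    cidr=$1
    case "$cidr" in */*) ;; *) return 1 ;; esac
    ip=${cidr%%/*}; prefix=${cidr#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # Digits and dots only, so the unquoted split below cannot glob-expand.
    case "$ip" in ''|*[!0-9.]*|.*|*.) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Accept only number/tcp or number/udp, 1..65535, the form --add-port expects.
valid_port_spec() {
    spec=$1
    case "$spec" in */tcp|*/udp) ;; *) return 1 ;; esac
    num=${spec%/*}
    case "$num" in ''|*[!0-9]*) return 1 ;; esac
    [ "$num" -ge 1 ] && [ "$num" -le 65535 ]
}

# restrict_zone ZONE SUBNET PORT/PROTO...
# Creates the zone permanently, reloads so it exists in the running config,
# adds the source and ports to the running config, shows the result, and only
# then saves the running config, mirroring the order in the answer.
restrict_zone() {
    zone=$1; subnet=$2; shift 2
    valid_cidr "$subnet" || { echo "refusing invalid subnet: $subnet" >&2; return 1; }
    for p in "$@"; do
        valid_port_spec "$p" || { echo "refusing invalid port spec: $p" >&2; return 1; }
    done
    "$FIREWALL_CMD" --permanent --new-zone="$zone"
    "$FIREWALL_CMD" --reload
    "$FIREWALL_CMD" --zone="$zone" --add-source="$subnet"
    for p in "$@"; do
        "$FIREWALL_CMD" --zone="$zone" --add-port="$p"
    done
    # Inspect the runtime zone before persisting it.
    "$FIREWALL_CMD" --zone="$zone" --list-all
    "$FIREWALL_CMD" --runtime-to-permanent
}

# Usage:   sh restrict_zone.sh proxyonly 10.8.180.0/24 5000/tcp
# Dry run: FIREWALL_CMD=echo sh restrict_zone.sh proxyonly 10.8.180.0/24 5000/tcp
if [ $# -gt 0 ]; then
    restrict_zone "$@"
fi
```

Run it as root on the host with the real `firewall-cmd`, after a dry run with `FIREWALL_CMD=echo` to read the exact sequence it will issue. Check the `--list-all` output for the source and ports you expect before the final `--runtime-to-permanent`. As the answer points out, this zone only admits inbound traffic from that subnet; it does not stop the host from initiating connections elsewhere, which the answer recommends enforcing upstream rather than on the host.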