I am using CentOS Linux release 7.9.2009 in minimal installation and firewalld .
[root@centosmin firewalld]# uname -a
Linux centosmin 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
There are similar question i.e. here but none of the responses there work. I would like to do that without using reach rules.
The target it to allow ssh only from one particular IP address on the internet. In order to simulate this behavior i have setup a lab with 3 machines in different vlans and setup routing between them in my internal network.
The server in this case is the
10.192.210.10/24
and two ssh clients:
10.192.52.50/24
10.192.57.6/24
Now i have created my own internet facing zone and made it default using the commands
//create new zone called internet
firewall-cmd --permanent --new-zone=internet
// add the only ip address that should be able to connect to ssh
firewall-cmd --zone=internet --add-source=10.192.57.6/32
firewall-cmd --zone=internet --add-service=ssh
// here i make sure that i manually add the interface if it is not already add it and then remove it
firewall-cmd --zone=internet –add-interface=ens3
firewall-cmd --zone=internet --remove-interface=ens3
firewall-cmd --zone=internet --set-target=DROP
firewall-cmd --set-default-zone=internet
// save the current runtime to premanent rules
firewall-cmd --runtime-to-permanent
firewall-cmd --reload
after that my only one network interface look like
[root@centosmin firewalld]# firewall-cmd --list-all
internet (active)
target: DROP
icmp-block-inversion: no
interfaces:
sources: 10.192.57.6/32
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
however i am still able to connect to ssh from the 10.192.52.50/32 host. What i am missing here
the iptables -nvL -t filter
command tells me that there a multiple chains that are still accept . Should that not be set to DROP? And if so how to set it to reject all traffic except from the host
10.192.57.6/32
[root@centosmin firewalld]# iptables -nvL -t filter
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
459 34244 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
a direct link from RedHat tells us that in order to do that we need to set the target. But i already did that in the previous step and i am still able to connect from 10.192.52.50/32 which is not the expected behavior.
Addition adding requested output of the command
[root@centosmin firewalld]# firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internet (active)
target: DROP
icmp-block-inversion: no
interfaces:
sources: 10.192.57.6/32
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
public (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 10.192.57.6
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules: