I am trying to use Firewalld to restrict access to/from a Linux server
Environment
- the Linux server has a single network interface: ens160
Requirements
- It shall allow only machines with IP addresses in 192.168.3.0/24 to reach this Linux server using SSH and ICMP
- None of the other IP addresses or services should be able to reach this Linux server
Configurations made
sudo firewall-cmd --set-default-zone=internal
sudo firewall-cmd --zone=internal --add-interface=ens160 --permanent
sudo firewall-cmd --permanent --zone=internal --add-rich-rule='rule family="ipv4" source address="192.168.3.0/24" service name="ssh" accept'
sudo firewall-cmd --permanent --zone=internal --add-icmp-block={echo-request,echo-reply}
sudo firewall-cmd --permanent --zone=internal --add-rich-rule='rule family="ipv4" source address="192.168.3.0/24" icmp-type name="echo-request" accept'
sudo firewall-cmd --permanent --zone=internal --add-rich-rule='rule family="ipv4" source address="192.168.3.0/24" icmp-type name="echo-reply" accept'
Configurations status
user@server:~$ sudo firewall-cmd --list-all
internal (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks: echo-reply echo-request
rich rules:
rule family="ipv4" source address="192.168.3.0/24" service name="ssh" accept
rule family="ipv4" source address="192.168.3.0/24" icmp-type name="echo-request" accept
rule family="ipv4" source address="192.168.3.0/24" icmp-type name="echo-reply" accept
Verification results
It works on SSH:
- IP addresses other than 192.168.3.0/24 cannot use SSH to connect to the Linux server.
It does not seem to work on ICMP:
- IP addresses 192.168.3.0/24 cannot ping the Linux server
I know the problem could probably lie with "icmp-blocks: echo-reply echo-request", which blocks all ICMP traffic, and the two icmp rich rules. I googled a lot and just couldn't find the right solution.
Can someone help me out here? Much appreciated.
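An added example, not part of the question and not firewalld's own code: a small Python model of the zone evaluation order the questioner suspects (assumed here: a zone's chains run log, then deny, then allow, then the zone target; icmp-blocks live in the deny chain and accept rich rules in the allow chain; the "default" target accepts ICMP types that are not blocked and rejects everything else). It runs the posted zone and a variant with the icmp-blocks removed and the target set to DROP over constructed traffic from one host inside 192.168.3.0/24 and one outside it.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of a firewalld zone (assumption: a zone's chains run
# log -> deny -> allow -> target, icmp-blocks live in the deny chain, accept
# rich rules in the allow chain, and the "default" target accepts ICMP types
# that are not blocked while rejecting everything else).
@dataclass
class Packet:
    src: str
    proto: str            # "tcp" or "icmp"
    port: int = 0         # TCP destination port
    icmp_type: str = ""   # e.g. "echo-request"
@dataclass
class Zone:
    target: str = "default"                        # "default" or "DROP"
    icmp_blocks: set = field(default_factory=set)
    accept_rules: list = field(default_factory=list)  # (net, proto, port|icmp-type)

def evaluate(zone: Zone, pkt: Packet) -> str:
    # deny chain: zone-level icmp-blocks are hit before any accept rich rule
    if pkt.proto == "icmp" and pkt.icmp_type in zone.icmp_blocks:
        return "reject"
    # allow chain: accept rich rules, matched on source network and service/type
    for net, proto, what in zone.accept_rules:
        if proto == pkt.proto and ip_address(pkt.src) in ip_network(net):
            if what == (pkt.port if proto == "tcp" else pkt.icmp_type):
                return "accept"
    # zone target handles whatever nothing above matched
    if zone.target == "DROP":
        return "drop"
    return "accept" if pkt.proto == "icmp" else "reject"

SUBNET = "192.168.3.0/24"
ACCEPTS = [(SUBNET, "tcp", 22), (SUBNET, "icmp", "echo-request"), (SUBNET, "icmp", "echo-reply")]
def posted_zone() -> Zone:
    # the zone as shown in the question's --list-all output
    return Zone("default", {"echo-request", "echo-reply"}, ACCEPTS)
def fixed_zone() -> Zone:
    # same accept rules, icmp-blocks removed, unmatched traffic dropped by the target
    return Zone("DROP", set(), ACCEPTS)

# constructed traffic: one host inside the subnet, one outside
TRAFFIC = {
    "ping from 192.168.3.10": Packet("192.168.3.10", "icmp", icmp_type="echo-request"),
    "ping from 10.0.0.5": Packet("10.0.0.5", "icmp", icmp_type="echo-request"),
    "ssh from 192.168.3.10": Packet("192.168.3.10", "tcp", port=22),
    "ssh from 10.0.0.5": Packet("10.0.0.5", "tcp", port=22),
}
def verdicts(zone: Zone) -> dict:
    return {name: evaluate(zone, pkt) for name, pkt in TRAFFIC.items()}
```

In this model the posted zone reproduces the reported symptoms (SSH only from the subnet, but pings from the subnet refused because the icmp-block is matched before the accept rich rule), while the DROP-target variant without icmp-blocks meets both requirements.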