(Solution found, see below...)
The server (CentOS 7) has multiple public IPs; these are set up via the usual ifcfg-eth0:0 config files and are working fine. I'm trying to adapt to firewalld (coming from iptables). I'd like to be able to specify open ports per IP alias. With iptables this was done simply by setting the destination IP to match whatever alias needed the port.
I thought with firewalld I could apply a different zone to each interface to achieve the same effect, however it seems I cannot do so.
We start with:
# firewall-cmd --get-active-zones
public
interfaces: eth0 eth0:0
trusted
interfaces: eth1
I created a new zone public_web that I wanted to use for eth0:0:
# firewall-cmd --permanent --new-zone=public_web
success
# firewall-cmd --permanent --zone=public_web --add-service=http
success
# firewall-cmd --permanent --zone=public_web --add-interface=eth0:0
success
# firewall-cmd --reload
success
But...
# firewall-cmd --get-active-zones
public
interfaces: eth0 eth0:0
trusted
interfaces: eth1
I tried --remove-interface, --change-interface and various other commands in various orders, but eth0:0 won't budge. I can't seem to find any documentation anywhere about using aliases, so I'm not sure if this is even the correct way of achieving what I'd like.
Thanks all.
Solution:
The solution is to use the destination tag in a service file; it can only be used once per service.
So let's say you want port 443 on 87.98.256.512: make a copy of the https.xml file (I recommend you don't touch the originals) to /etc/firewalld/services. Here I'll use https-admin.xml:
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>HTTPS for 87.98.256.512</short>
<description>...</description>
<port protocol="tcp" port="443"/>
<destination ipv4="87.98.256.512" />
</service>
Then:
# firewall-cmd --permanent --zone=public --add-service=https-admin
success
# firewall-cmd --reload
success
# firewall-cmd --zone=public --list-services
http https-admin
And finally confirm this with iptables:
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 87.98.256.512 tcp dpt:443 ctstate NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW
Remember: only one destination tag per service, so just make multiple services if that's your requirement.
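Since each service file may carry only one destination tag, you end up writing one file per IP alias. Here is an added helper (example code, not from the post or from firewalld itself) that writes such a per-destination service file, refuses to overwrite an existing one, rejects malformed IPv4 addresses (any octet above 255 fails the check), and lists which services in a directory are restricted to a destination and which are open on every alias. The service names and the 203.0.113.0/24 address are assumptions; OUTDIR defaults to the /etc/firewalld/services path used in the post.

```shell
#!/bin/sh
# valid_ipv4 A.B.C.D -> returns 0 if four octets each in 0..255, else 1
valid_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# mk_dest_service NAME PORT PROTO IPV4 [OUTDIR]
# Writes OUTDIR/NAME.xml with a single <destination> tag restricting the
# service to IPV4. Existing files are never overwritten.
mk_dest_service() {
    name=$1; port=$2; proto=$3; ip=$4; dir=${5:-/etc/firewalld/services}
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    f="$dir/$name.xml"
    [ -e "$f" ] && { echo "refusing to overwrite $f" >&2; return 1; }
    cat > "$f" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>$proto/$port accepted only when the destination is $ip</description>
  <port protocol="$proto" port="$port"/>
  <destination ipv4="$ip"/>
</service>
EOF
}

# list_dest_services DIR -> one line per service: "NAME IPV4", or "NAME ANY"
# for a service with no destination tag (i.e. reachable on every alias).
list_dest_services() {
    d=$1
    for f in "$d"/*.xml; do
        [ -e "$f" ] || continue
        ip=$(sed -n 's/.*<destination ipv4="\([^"]*\)".*/\1/p' "$f")
        echo "$(basename "$f" .xml) ${ip:-ANY}"
    done
}
```

After writing the files, the service still has to be added to a zone and the daemon reloaded exactly as in the post (firewall-cmd --permanent --zone=public --add-service=NAME, then --reload).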