
I am trying to use FirewallD to restrict access to a CentOS server from other machines on the network. It has a single network interface and it is operating in the public zone. Let's say that the IP address of this server is 10.10.1.20.

What I want to do is to allow only machines with IP addresses 10.10.1.125 and 10.10.1.126 to be able to connect (ssh and https) to this server. None of the other IP addresses should be able to connect to this server (or even know that it exists).

I tried using FirewallD's rich rules as follows (on 10.10.1.20):

sudo firewall-cmd --add-rich-rule 'rule family="ipv4" source address="10.10.1.0/24" drop'

sudo firewall-cmd --add-rich-rule 'rule family="ipv4" source address="10.10.1.125" accept'

sudo firewall-cmd --add-rich-rule 'rule family="ipv4" source address="10.10.1.126" accept'

But it doesn't seem to work. I cannot make ssh connections to 10.10.1.20 from 10.10.1.125 or 10.10.1.126.

I tried entering the rules in the reverse order, but it still does not work.

Can someone help me out here? Do I need to change the zone from public to a more restrictive one like drop before the rules I wrote above can be applied?

thisisshantzz


Rich rules aren't the way to go about this. They'll just create confusion, now and later.

Understand that a firewalld zone corresponds to a set of services that you may wish to allow, and the sources of the traffic to those services.

All you have to do is to set the services you want to allow in the zone (which you probably already have done) and then set the sources.

Traffic sources can be designated in two ways: By interface, or by source IP address. Traffic that matches any source passes this check.

So, what you want to do is to add the IP addresses allowed to reach the services, and then remove the interface (if any).

# Bind the two permitted hosts (the addresses from the question) to the zone
firewall-cmd --zone=public --add-source=10.10.1.125
firewall-cmd --zone=public --add-source=10.10.1.126
# Unbind the interface so the zone is selected by source address only
firewall-cmd --zone=public --remove-interface=enp2s1
# Persist the runtime changes made above
firewall-cmd --runtime-to-permanent

And note that you probably do not want to do this in the public zone, but create a new zone. That zone has several things set up to be allowed by default (such as DHCP) which could cause you problems if you remove the interface and restrict the zone by source IP address.

Michael Hampton
  • What is the significance of removing the interface from the public zone? Will the rules that are applicable in the public zone, like the --add-source rules you just mentioned, apply on traffic coming on the eth0 interface if I remove the eth0 interface from the public zone? – thisisshantzz Aug 20 '16 at 23:15
  • @thisisshantzz See the last paragraph. – Michael Hampton Aug 20 '16 at 23:28
  • Is there a way of restricting a certain type of service to a particular source without rich rules? This will allow all sources to have access to all services, if I understand correctly. Seems rather restrictive, to be honest (this has nothing to do with the correctness of your answer :) ). – Lethargos Dec 02 '21 at 13:41
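As an added example (not code from either answer or from the firewalld project): a script that follows the advice above to use a dedicated zone instead of public, and also handles the point raised in the question's comments, that traffic from unlisted addresses falls into the default zone, which must therefore not still offer ssh. The zone name "restricted", the choice of "drop" as the default zone, and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not code from either answer: put ssh and https in a dedicated
# firewalld zone that only the listed source addresses can reach, then make
# "drop" the default zone so every other address gets no reply at all.
# Assumptions: the zone name "restricted" and the sample addresses; the
# interface stays unbound and therefore falls into the default zone.
# Set DRY_RUN=1 to print the firewall-cmd calls instead of executing them.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# configure_restricted_zone ZONE SOURCE...
# Every change is made with --permanent and activated by one --reload, so
# nothing is lost the way runtime-only rules are when the daemon reloads.
configure_restricted_zone() {
    zone="$1"
    shift
    run --permanent --new-zone="$zone"
    for svc in ssh https; do
        run --permanent --zone="$zone" --add-service="$svc"
    done
    for src in "$@"; do
        run --permanent --zone="$zone" --add-source="$src"
    done
    # Source bindings are matched before interface bindings, so the listed
    # addresses land in "$zone"; everything else lands in the default zone.
    # "drop" offers no services and sends no rejects, so the host stays silent.
    run --set-default-zone=drop
    run --reload
}

# verify_zone ZONE: show what the zone now allows and from where.
verify_zone() {
    run --zone="$1" --list-all
}

case "${1:-plan}" in
    plan)  DRY_RUN=1; export DRY_RUN
           configure_restricted_zone restricted 10.10.1.125 10.10.1.126 ;;
    apply) configure_restricted_zone restricted 10.10.1.125 10.10.1.126
           verify_zone restricted ;;
esac
```

Run it with no arguments to see the planned firewall-cmd calls, and with `apply` as root to make the change and print the resulting zone.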
# Permit each service only from the two listed hosts. --permanent is required:
# runtime-only rules are discarded by the --reload below.
sudo firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" service name="ssh" source address="10.10.1.125" accept'
sudo firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" service name="https" source address="10.10.1.125" accept'
sudo firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" service name="ssh" source address="10.10.1.126" accept'
sudo firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" service name="https" source address="10.10.1.126" accept'
# Load the permanent configuration into the running firewall
sudo firewall-cmd --reload

and restart the firewall service.

The firewall blocks all connections by default, so you need to add only these rules.

Colt
gloom700
  • But does that not require me to change the zone from public to a more restrictive zone like drop or block? I tried doing all of this under the public zone and it does not work but changing the zone to drop does work. – thisisshantzz Aug 20 '16 at 13:16
  • You should add --permanent when adding firewall rules, so the changes will remain permanently. – gloom700 Aug 20 '16 at 16:22
  • I was thinking of making them permanent only after I get the rules working properly. Are you saying that the reason the rules weren't working was because I was not making them permanent? – thisisshantzz Aug 20 '16 at 23:02
  • If you run firewall-cmd --reload, changes will be removed. So you need to add --permanent. – gloom700 Aug 21 '16 at 07:42
  • I think in the public zone the firewall allows dhcpv6-client and ssh to all. In the drop zone it blocks all. You can check a zone's default behavior by running the command firewall-cmd --list-all --zone= – gloom700 Aug 21 '16 at 07:43
  • You should also specify the zone. Don't assume that public is necessarily the default. It's clearer that way. Rich rules seem to allow permitting access to certain services only from particular sources, which I think is better normally. – Lethargos Dec 02 '21 at 13:44