
I'm running firewalld on a VPS / webserver.

The public zone is active and default (and I do not want to change that). How do I allow only these two external IP addresses to access the VPS (i.e. all of the services I have defined in the public zone):

   IP1:  11.22.33.44/24
   IP2:  55.66.77.88/24

These are fake IP addresses; notice that they are intentionally not on the same subnet.

I think I understand why the following doesn't work (it locks out one or the other IP).

user$ sudo firewall-cmd --zone=public --permanent --add-source=11.22.33.44/24
user$ sudo firewall-cmd --zone=public --permanent --add-source=55.66.77.88/24

user$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="11.22.33.44/24" invert="True" drop' 
user$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="55.66.77.88/24" invert="True" drop'
user$ sudo firewall-cmd --reload

What do I need to modify for this to work (so it doesn't lock out one IP or the other or both)?

Thank you! =:)

EDIT: Per the first commenter below, I also tried a /32 bit mask for all four commands above. Sadly it did not help. Still looking for a solution.

I think the logic might sound something like: if IP1 or IP2, allow it and stop processing the chain; else continue processing the chain, where the very next rule would be to DROP. Something like that.

EDIT2: Posting the output of sudo firewall-cmd --list-all-zones below. Note that I removed all the rules mentioned above since they weren't working. So the below is back to square one.

user$ sudo firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


public (active)
  target: default
  icmp-block-inversion: no
  interfaces: venet0:0 venet0
  sources: 
  services: ssh-vps http https
  ports: 8080/tcp 8080/udp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: echo-reply echo-request timestamp-reply timestamp-request
  rich rules: 

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

NYCeyes
  • Do you know about mask /32? It allows you to allow only one IP, instead of a /24 subnet, which has 254 IPs. – Alexander Tolkachev Oct 08 '17 at 19:30
  • Good suggestion. I did know but didn't try it. I tried it after you suggested it but, sadly, did not help. (._.). I think it's a simple rules ordering issue. Either way, I'll use /32 going forward (unless there's reason not to in the solution). :) Thank you. – NYCeyes Oct 08 '17 at 20:34

2 Answers

There is a good answer on another site.

So I tried to do this on a test VM with these commands:

firewall-cmd --zone=public --change-interface=eth0 --permanent
firewall-cmd --zone=public --add-source=192.168.1.2/32 --permanent
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.2/32" invert="True" drop' --permanent

And this works; the test VM isn't reachable from any IP except the one.

Output for firewall-cmd --zone=public --list-all is:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 192.168.1.2/32
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source NOT address="192.168.1.2/32" drop

Alexander Tolkachev

I don't think Tolkachev's answer solved the OP's problem. The OP needs to whitelist two different addresses.

We can use ipset to combine several addresses together.

firewall-cmd --permanent --new-ipset=myipset --type=hash:ip
firewall-cmd --permanent --ipset=myipset --add-entry=192.168.31.54
firewall-cmd --permanent --ipset=myipset --add-entry=192.168.31.56
firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source ipset="myipset" invert="true" protocol=tcp reject'
firewall-cmd --reload 
xiangz
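To make the ordering problem from the question and the difference between the two answers concrete, here is an added toy model (not firewalld's code and not from either answer) of how a zone's deny rich rules are evaluated ahead of its services. It assumes all rules sit in the active public zone and ignores zone selection by source (the --add-source binding used in the first answer); the addresses are the question's fake ones plus one constructed outsider.

```python
"""Toy model of firewalld rich-rule evaluation in one zone (added example).
Shows why two separate inverted drop rules lock out both allowlisted hosts,
while one inverted rule over an ipset holding both addresses does not."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RichRule:
    sources: tuple   # CIDR strings: one address, or every entry of an ipset
    invert: bool     # source address=... invert="True"  /  source NOT ipset=...
    action: str      # "drop", "reject" or "accept"

    def matches(self, src: str) -> bool:
        hit = any(ip_address(src) in ip_network(n) for n in self.sources)
        return hit != self.invert   # invert flips the match


def zone_verdict(rules, services_open: bool, src: str) -> str:
    """firewalld places drop/reject rich rules in the zone's deny chain, which
    runs before the allow chain holding accept rules and opened services,
    so a matching deny rule short-circuits everything after it."""
    for rule in rules:
        if rule.action in ("drop", "reject") and rule.matches(src):
            return rule.action
    for rule in rules:
        if rule.action == "accept" and rule.matches(src):
            return "accept"
    return "accept" if services_open else "reject"


IP1, IP2 = "11.22.33.44", "55.66.77.88"   # the question's fake addresses
OUTSIDER = "203.0.113.9"                  # constructed, not on the page

# The question's attempt: one inverted drop rule per address.  Each rule
# drops everything that is NOT its own address, so each drops the other.
two_inverted_rules = [
    RichRule((IP1 + "/32",), True, "drop"),
    RichRule((IP2 + "/32",), True, "drop"),
]

# The ipset approach: a single inverted rule whose source is the whole set.
ipset_rule = [RichRule((IP1 + "/32", IP2 + "/32"), True, "drop")]


def verdicts(rules):
    """Verdict per source address for the public zone (services are open)."""
    return {src: zone_verdict(rules, True, src) for src in (IP1, IP2, OUTSIDER)}


if __name__ == "__main__":
    print("two inverted rules:", verdicts(two_inverted_rules))
    print("one ipset rule:    ", verdicts(ipset_rule))
```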