Block all but a few IPs with firewalld

mike asked:

On a Linux networked machine, I would like to restrict the set of addresses on the “public” zone (firewalld concept) that are allowed to reach it. So the end result would be that no other machine can access any port or protocol, except those explicitly allowed, sort of a mix of

  --add-rich-rule='rule family="ipv4" source not  address="" drop'

  --add-rich-rule='rule family="ipv4" source not  address="" drop'

The problem above is that this is not a real list; it will block everything, since if it's one address it's blocked by not being the same as the other, generating an accidental “drop all” effect. How would I “unblock” a specific non-contiguous set? Does source accept a list of addresses? I have not seen anything in my look at the docs or Google results so far.

I just created this:

# firewall-cmd  --zone=encrypt --list-all
encrypt (active)
  interfaces: eth1
  services: ssh
  ports: 6000/tcp
  masquerade: no
  rich rules: 

But I can still reach port 6000 from .123. My intention was that if a source is not listed, it should not be able to reach any service or port.

My answer:

The rich rules aren’t necessary at all.

If you want to restrict a zone to a specific set of IPs, simply define those IPs as sources for the zone itself (and remove any interface definition that may be present, as they override source IPs).

You probably don’t want to do this to the “public” zone, though, since that’s semantically meant for public facing services to be open to the world.

Instead, try using a different zone such as “internal” for mostly trusted IP addresses to access potentially sensitive services such as sshd. (You can also create your own zones.)

Warning: don’t confuse the special “trusted” zone with the normal “internal” zone. Any sources added to the “trusted” zone will be allowed through on all ports; adding services to the “trusted” zone is allowed but it doesn’t make any sense to do so.

firewall-cmd --zone=internal --add-service=ssh
firewall-cmd --zone=internal --add-source=
firewall-cmd --zone=internal --add-source=
firewall-cmd --zone=public --remove-service=ssh

The result of this will be an “internal” zone which permits access to ssh, but only from the two given IP addresses. To make it persistent, re-run each command with --permanent appended.

View the full question and answer on Server Fault.
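A check for the situation in the question, added here as an example and not part of the original question or answer: it classifies a `firewall-cmd --zone=<zone> --list-all` listing by whether the zone is bound to an interface (every host reaching that interface gets the zone's services and ports) or only to sources. The function names are hypothetical, the first sample is the listing from the question, and the second is constructed with documentation addresses.

```bash
#!/bin/sh
# Added example. classify_zone reads a `--list-all` listing on stdin and prints:
#   open-on-interface  an interface is bound: any host arriving on it matches
#   source-restricted  only sources are bound: only those addresses match
#   unbound            nothing is bound: zone is used only if it is the default
classify_zone() {
    awk '
        /^[ \t]*interfaces:/ { sub(/^[^:]*:[ \t]*/, ""); ifaces = $0 }
        /^[ \t]*sources:/    { sub(/^[^:]*:[ \t]*/, ""); srcs = $0 }
        END {
            if (ifaces != "")    print "open-on-interface"
            else if (srcs != "") print "source-restricted"
            else                 print "unbound"
        }'
}

# Listing from the question: eth1 is bound and no sources are listed.
sample_before() {
    cat <<'EOF'
encrypt (active)
  interfaces: eth1
  services: ssh
  ports: 6000/tcp
  masquerade: no
  rich rules:
EOF
}

# Constructed listing: interface removed, two sources added
# (192.0.2.10 and 198.51.100.7 are documentation addresses).
sample_after() {
    cat <<'EOF'
internal (active)
  interfaces:
  sources: 192.0.2.10 198.51.100.7
  services: ssh
  ports:
  masquerade: no
  rich rules:
EOF
}

echo "before: $(sample_before | classify_zone)"
echo "after:  $(sample_after | classify_zone)"
```

On a live host the same function can be fed directly, for example `firewall-cmd --zone=internal --list-all | classify_zone`.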

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.