I am trying to use FirewallD to restrict access to a CentOS server from other machines on the network. It has a single network interface and it is operating in the public zone. Lets say that the ip address of this server 10.10.1.20.
What I want to do is to allow only machines with IP addresses 10.10.1.125 and 10.10.1.126 to be able to connect (ssh and https) to this server. None of the other ip addresses should be able to connect to this server (or even know that it exists).
I tried using FirewallD’s rich rules as follows (on 10.10.1.20)
sudo firewall-cmd --add-rich-rule 'rule family="ipv4" source address="10.10.1.0/24" drop' sudo firewall-cmd --add-rich-rule 'rule family="ipv4" source address="10.10.1.125" accept' sudo firewall-cmd --add-rich-rule 'rule family="ipv4" source address="10.10.1.126" accept'
But it doesn’t seem to work. I cannot make ssh connections to 10.10.1.20 from 10.10.1.125 or 10.10.1.126.
I tried entering the rules in the reverse order, but it still does not work.
Can someone help me out here? Do I need to change the zone from public to a more restrictive one like drop before the rules I wrote above can be applied?
Rich rules aren’t the way to go about this. They’ll just create confusion, now and later.
Understand that a firewalld zone corresponds to a set of services that you may wish to allow, and the sources of the traffic to those services.
All you have to do is to set the services you want to allow in the zone (which you probably already have done) and then set the sources.
Traffic sources can be designated in two ways: By interface, or by source IP address. Traffic that matches any source passes this check.
So, what you want to do is to add the IP addresses allowed to reach the services, and then remove the interface (if any).
firewall-cmd --zone=public --add-source=10.10.1.25 firewall-cmd --zone=public --add-source=10.10.1.26 firewall-cmd --zone=public --remove-interface=enp2s1 firewall-cmd --runtime-to-permanent
And note that you probably do not want to do this in the
public zone, but create a new zone. That zone has several things set up to be allowed by default (such as DHCP) which could cause you problems if you remove the interface and restrict the zone by source IP address.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.