Score:0

CentOS firewall-cmd script to only allow access from IPs listed in sources


I use this script to set up my firewall. I expected to have ssh access from only one IP but that is not the case after testing. What is missing?

```bash
#!/bin/bash
#
# Reset to initial install of firewalld
#
rm -f /etc/firewalld/zones/*
firewall-cmd --complete-reload
firewall-cmd --runtime-to-permanent
firewall-cmd --reload
#
# Create / Setup custom zone
#
firewall-cmd --new-zone=calzone --permanent
firewall-cmd --reload
# runtime changes; saved below by --runtime-to-permanent
firewall-cmd --zone=calzone --add-service={ssh,dhcpv6-client}
firewall-cmd --zone=calzone --add-source=10.0.0.177
firewall-cmd --change-interface=enp1s0 --zone=calzone --permanent
firewall-cmd --runtime-to-permanent
firewall-cmd --reload
```

When I run `firewall-cmd --get-active-zones` I get the following:

```
calzone
  interfaces: enp1s0
  sources: 10.0.0.177
```

It was my understanding that setting the interface would direct all traffic from that interface to that zone first, and since there are entries in the sources the traffic would be limited to those IPs. Thanks in advance.

In response to Nasir's comment, this command `firewall-cmd --list-all-zones | sed -n '/calzone/,/rich/p'` produces:

```
calzone (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources: 10.0.0.177
  services: dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```

I also restarted the firewalld daemon and could ssh from 10.0.0.188. I expected access only from 10.0.0.177.

That is the correct output. Are you expecting it to list the ports, services, etc.? That isn't what occurs. If you want to see everything in the active zone, then use the following command: `firewall-cmd --list-all-zones | sed -n '/calzone/,/rich/p'`
Score:0

After many hours of reading the RedHat firewalld documentation and being persistent in writing a script, I managed to get the behavior I wanted. However, I'm not 100% confident because I'm still unclear on why setting the interface did not work. This script seems to work, though. I used the existing work zone, which seems to become active when I added a source to it.

```bash
#!/bin/bash
#
# Reset to initial install of firewalld
#
rm -f /etc/firewalld/zones/*
firewall-cmd --complete-reload
firewall-cmd --runtime-to-permanent
firewall-cmd --reload
systemctl restart firewalld
systemctl status firewalld
#
# Remove the services from all zones
#
# iterate through the default zones
for zone in drop block public external dmz work home internal trusted
do
    # iterate through the services currently enabled in this zone
    for srv in $(firewall-cmd --list-services --zone="$zone")
    do
        echo "Removing service $srv from $zone"
        firewall-cmd --zone="$zone" --remove-service="$srv"
        firewall-cmd --zone="$zone" --remove-service="$srv" --permanent
    done
done
#
# Drop all public traffic?
# Allow work zone to see ssh from host
#
firewall-cmd --zone=public --set-target=DROP --permanent
firewall-cmd --zone=work --add-source=10.0.0.177 --permanent
firewall-cmd --zone=work --add-service=ssh --permanent
firewall-cmd --runtime-to-permanent
firewall-cmd --reload
systemctl restart firewalld
systemctl status firewalld
```
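Why the first script still let 10.0.0.188 in: binding enp1s0 to calzone sends every packet arriving on that interface into calzone, and a `sources:` entry in the same zone is just one more way to match that zone, not a restriction on it. The second script works because only the source-bound work zone offers ssh and the interface falls through to public, whose target is DROP. The check below is an added example (not the poster's code) that scans a saved `firewall-cmd --list-all-zones` dump for zones that both bind an interface and allow ssh; the dump it reads is constructed.

```bash
#!/bin/bash
# Flag any zone that binds an interface AND offers ssh with a non-DROP target:
# such a zone accepts ssh from every host on that interface, and any sources
# listed alongside the interface do not narrow it.

# Constructed sample dump (not real output from the poster's host), covering the
# question's calzone and the answer's public/work layout.
SAMPLE_DUMP='calzone (active)
  target: default
  interfaces: enp1s0
  sources: 10.0.0.177
  services: dhcpv6-client ssh

public
  target: DROP
  interfaces:
  sources:
  services:

work (active)
  target: default
  interfaces:
  sources: 10.0.0.177
  services: ssh
'

# Reads a zone dump on stdin; prints one line per zone that exposes ssh on an
# interface. Also usable live: firewall-cmd --list-all-zones | audit_ssh_zones
audit_ssh_zones() {
    awk '
        function flush() {
            if (zone != "" && ifaces != "" && svcs ~ /(^| )ssh( |$)/ && target != "DROP")
                printf "%s: interface(s) %s allow ssh from any host; sources [%s] do not restrict it\n",
                       zone, ifaces, srcs
        }
        /^[^ ]/          { flush(); zone = $1; ifaces = ""; srcs = ""; svcs = ""; target = ""; next }
        /^  target:/     { target = $2 }
        /^  interfaces:/ { sub(/^  interfaces: */, ""); ifaces = $0 }
        /^  sources:/    { sub(/^  sources: */, "");    srcs   = $0 }
        /^  services:/   { sub(/^  services: */, "");   svcs   = $0 }
        END { flush() }
    '
}

# Number of flagged zones in the constructed dump (0 means the layout is clean).
flagged_zone_count() {
    printf '%s' "$SAMPLE_DUMP" | audit_ssh_zones | wc -l | tr -d ' '
}
```

Running it on the sample flags only calzone; public has a DROP target and work binds no interface.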
