Firewalld on Centos

Hello everyone!

Can someone please assist me with limiting access to the ssh port to certain IPs using firewalld?

Am I correct to remove the port first

--remove-port=NNNN/tcp

Then I add-rich-rule for said port and for each IP I want to accept? Can I add a rule for all IPs in one go, or do I have to do it for each IP?

Thank you!

Comments

  • "Better" way might be to create a new zone (--new-zone=x), add all your IPs to it (--add-source=y --zone=x), and add the service to it (--add-service=ssh --zone=x). Once you have it working, firewall-cmd --runtime-to-permanent.

    I'm no expert but that's what I'd try.

  • Hello and thanks for your reply @skorous!

    I removed the ssh port and just added a rich rule for said port for each IP. Seems to have worked... hopefully.

    When I try to connect to the ssh port, it just says timed out.

    I was going to try adding a new zone, but I only have 1 interface and I read you can only assign 1 interface per zone. It seems you can have many active zones, but I've only seen public assigned to my only interface. I'm still confused.

  • Can you actually have public and x assigned to the same interface?

  • ITLabs (Member), edited August 2019

    If you have to whitelist a large number of IPs, perhaps it would be better to use ipsets.

    First create a file containing the list of IP addresses, e.g., myips.txt:

    1.2.3.4
    1.2.3.5
    1.2.3.6
    ...

    Then create the ipset and assign the file:

    firewall-cmd --permanent --new-ipset=ssh-whitelist --type=hash:ip

    firewall-cmd --permanent --ipset=ssh-whitelist --add-entries-from-file=myips.txt

    firewall-cmd --reload

    Check that the set is OK with firewall-cmd --ipset=ssh-whitelist --get-entries

    Now assign the rule to the ssh service:

    firewall-cmd --permanent --zone=public --add-rich-rule='rule source ipset="ssh-whitelist" service name="ssh" accept'

    firewall-cmd --reload

    I'm typing this on my phone, so double check for typos...

  • timelapse said: I was going to try adding a new zone, but I only have 1 interface and I read you can only assign 1 interface per zone. It seems you can have many active zones, but I've only seen public assigned to my only interface. I'm still confused.

    You're thinking about zones wrong. An active zone has some sort of source. That can be an interface but doesn't need to be. You can list an IP, a subnet, or, like @ITLabs said, an ipset. You can have a half dozen different zones with different sources and services all active.

  • ITLabs (Member), edited August 2019

    @timelapse I can't find a good ipset tutorial now, but you can get a broader idea here:

    https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-setting_and_controlling_ip_sets_using_firewalld

    Edit: for a small number of IPs you can go with:

    firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="1.2.3.4" port protocol="tcp" port="NNN" accept'

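As an added example (my own script, not posted by ITLabs or anyone else in the thread), here is the ipset procedure from the post above, and the zone caveat that also applies to the per-address rich rule in the last post, turned into a checked plan: the whitelist file is validated as plain IPv4 addresses (the hash:ip type holds single addresses), the firewall-cmd sequence is printed, and the ssh service is additionally removed from the zone (assumed to be public) so that the rich rule becomes the only way in, which is what the original question was asking about. The ipset name ssh-whitelist comes from the post; the file name, zone, and sample addresses are assumptions or constructed values.

```shell
#!/bin/sh
# Added example, not from the thread. Turns a whitelist file into the
# firewall-cmd sequence of the ipset answer; prints it, applies only if APPLY=1.
set -eu

# Accept only a dotted-quad IPv4 address (hash:ip holds single addresses,
# so CIDR and ranges are rejected rather than silently mis-added).
valid_ipv4() {
  case $1 in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Print the commands for whitelist file $1 (ipset name $2, zone $3).
# Fails before printing anything if an entry is bad or the list is empty,
# because an empty hash:ip set plus a removed ssh service locks everyone out.
build_ssh_whitelist() {
  wl_file=$1; wl_set=${2:-ssh-whitelist}; wl_zone=${3:-public}; wl_count=0
  while IFS= read -r entry || [ -n "$entry" ]; do
    case $entry in ''|'#'*) continue ;; esac          # blank lines and comments
    valid_ipv4 "$entry" || { echo "bad entry: $entry" >&2; return 1; }
    wl_count=$((wl_count + 1))
  done < "$wl_file"
  [ "$wl_count" -gt 0 ] || { echo "empty whitelist, refusing" >&2; return 1; }
  printf '%s\n' \
    "firewall-cmd --permanent --new-ipset=$wl_set --type=hash:ip" \
    "firewall-cmd --permanent --ipset=$wl_set --add-entries-from-file=$wl_file" \
    "firewall-cmd --permanent --zone=$wl_zone --remove-service=ssh" \
    "firewall-cmd --permanent --zone=$wl_zone --add-rich-rule='rule source ipset=\"$wl_set\" service name=\"ssh\" accept'" \
    "firewall-cmd --reload"
}

# Constructed sample list standing in for the thread's myips.txt (RFC 5737 addresses).
work=$(mktemp -d)
printf '%s\n' '# jump hosts' 203.0.113.10 203.0.113.11 198.51.100.7 > "$work/myips.txt"
build_ssh_whitelist "$work/myips.txt" > "$work/plan.sh"
cat "$work/plan.sh"
if [ "${APPLY:-0}" = 1 ]; then sh -e "$work/plan.sh"; fi
```

Without APPLY=1 nothing touches the firewall; compare the printed plan against firewall-cmd --list-all before applying it, and keep the session you are working from open until a second connection from a whitelisted address succeeds.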