Firewalld: How to whitelist just two IP-addresses, not on the same subnet


There is a good answer on another site.

So I tried to do this on a test VM with these commands:

firewall-cmd --zone=public --change-interface=eth0 --permanent
firewall-cmd --zone=public --add-source=192.168.1.2/32 --permanent
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.2/32" invert="True" drop' --permanent

And this works: the test VM isn't reachable from any IP except that one.

Output for firewall-cmd --zone=public --list-all is:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 192.168.1.2/32
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source NOT address="192.168.1.2/32" drop

Updated on September 18, 2022

Comments

  • NYCeyes
    NYCeyes almost 2 years

    I'm running firewalld on a VPS / webserver.

    The public zone is active and default (and I do not want to change that). How do I allow only these two external IP-addresses to access the VPS (i.e. all of the services I have defined in the public zone):

       IP1:  11.22.33.44/24
       IP2:  55.66.77.88/24
    

    These are fake IP addresses and notice that they are intentionally not on the same subnet.

    I think I understand why the following doesn't work (it locks out one or the other IP).

    user$ sudo firewall-cmd --zone=public --permanent --add-source=11.22.33.44/24
    user$ sudo firewall-cmd --zone=public --permanent --add-source=55.66.77.88/24
    
    user$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="11.22.33.44/24" invert="True" drop' 
    user$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="55.66.77.88/24" invert="True" drop'
    user$ sudo firewall-cmd --reload
    

    What do I need to modify for this to work (so it doesn't lock out one IP or the other or both)?

    Thank you! =:)

    EDIT: Per the first commenter below, I also tried a /32 bit mask for all four commands above. Sadly it did not help. Still looking for a solution.

    I think the logic might sound something like: if IP1 or IP2, allow it and stop processing the chain; else continue processing the chain, where the very next rule would be to DROP. Something like that.

    EDIT2: Posting the output of sudo firewall-cmd --list-all-zones below. Note that I removed all the rules mentioned above since they weren't working. So the below is back to square one.

    user$ sudo firewall-cmd --list-all-zones
    block
      target: %%REJECT%%
      icmp-block-inversion: no
      interfaces: 
      sources: 
      services: 
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    
    
    dmz
      target: default
      icmp-block-inversion: no
      interfaces: 
      sources: 
      services: 
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    
    
    drop
      target: DROP
      icmp-block-inversion: no
      interfaces: 
      sources: 
      services: 
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    
    
    external
      target: default
      icmp-block-inversion: no
      interfaces: 
      sources: 
      services: 
      ports: 
      protocols: 
      masquerade: yes
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    
    
    home
      target: default
      icmp-block-inversion: no
      interfaces: 
      sources: 
      services: 
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    
    
    internal
      target: default
      icmp-block-inversion: no
      interfaces: 
      sources: 
      services: 
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    
    
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: venet0:0 venet0
      sources: 
      services: ssh-vps http https
      ports: 8080/tcp 8080/udp
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: echo-reply echo-request timestamp-reply timestamp-request
      rich rules: 
    
    trusted
      target: ACCEPT
      icmp-block-inversion: no
      interfaces: 
      sources: 
      services: 
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    
    
    work
      target: default
      icmp-block-inversion: no
      interfaces: 
      sources: 
      services: 
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules:
    
    • Alexander Tolkachev
      Alexander Tolkachev over 6 years
      Do you know about mask /32? It allows you to allow only one IP, instead of subnet /24, which has 254 IPs.
    • NYCeyes
      NYCeyes over 6 years
      Good suggestion. I did know but didn't try it. I tried it after you suggested it but, sadly, it did not help. (._.). I think it's a simple rule-ordering issue. Either way, I'll use /32 going forward (unless there's a reason not to in the solution). :) Thank you.
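An added illustration (not from the question, the answer or firewalld itself) of the rule-ordering logic the asker reasons about: a bash simulation of a first-match filter chain run against the two fake addresses from the question and one constructed outsider address. The rule syntax, the function names and the 203.0.113.9 address are constructed for this example.

```shell
#!/usr/bin/env bash
# Constructed simulation of a first-match filter chain; it is NOT firewalld code.
# It shows why two inverted drop rules lock out both addresses, while
# "accept the two addresses, then drop everything else" admits exactly those two.

# evaluate SRC RULE... : walk the rules in order; the first match decides.
# Constructed rule syntax:  "<verdict> <ip>"      matches exactly that source
#                           "<verdict> not <ip>"  matches every OTHER source (invert="True")
#                           "<verdict> any"       matches everything
evaluate() {
  local src="$1"; shift
  local rule verdict match
  for rule in "$@"; do
    verdict="${rule%% *}"
    match="${rule#* }"
    case "$match" in
      any)
        echo "$verdict"; return 0 ;;
      "not "*)
        if [ "$src" != "${match#not }" ]; then echo "$verdict"; return 0; fi ;;
      *)
        if [ "$src" = "$match" ]; then echo "$verdict"; return 0; fi ;;
    esac
  done
  # No rule matched: the zone's service rules (ssh/http/https in the question) accept it.
  echo accept
}

# The asker's attempt: one inverted drop rule per permitted address (fake IPs from the question).
two_inverted_drops() {
  evaluate "$1" "drop not 11.22.33.44" "drop not 55.66.77.88"
}

# The logic the asker describes in the EDIT: accept each permitted address, then drop the rest.
accept_then_drop() {
  evaluate "$1" "accept 11.22.33.44" "accept 55.66.77.88" "drop any"
}

# 203.0.113.9 is a constructed third-party address (TEST-NET-3), not from the page.
for ip in 11.22.33.44 55.66.77.88 203.0.113.9; do
  printf '%-13s two-inverted-drops=%-6s accept-then-drop=%s\n' \
    "$ip" "$(two_inverted_drops "$ip")" "$(accept_then_drop "$ip")"
done
```

Every source fails at least one of the two NOT matches, so the two inverted drops together drop everything, which is the lockout the asker saw. firewalld orders rich rules of equal priority as log, then deny, then allow, so the accept-then-drop ordering needs explicit rule priorities or a zone whose target is DROP rather than plain rich rules added in that order.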