Firewalld: How to whitelist just two IP-addresses, not on the same subnet
There is a good answer on another site.
So I tried to do this on a test VM with these commands:
firewall-cmd --zone=public --change-interface=eth0 --permanent
firewall-cmd --zone=public --add-source=192.168.1.2/32 --permanent
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.2/32" invert="True" drop' --permanent
And this works: the test VM isn't reachable from any IP except that one.
Output for firewall-cmd --zone=public --list-all is:
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 192.168.1.2/32
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source NOT address="192.168.1.2/32" drop
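The answer above locks a test VM to one address with a single inverted drop rule. The question this page is about asks for two addresses, and the attempt described there (one inverted drop rule per address) fails because of how firewalld orders rich rules: within a zone, every drop/reject rule is evaluated before any accept rule, whatever order the rules were added in. The Python model below is an added example, not code from the page or from firewalld. It evaluates rich rules with that ordering and compares three rule sets against the question's two placeholder addresses plus a stranger: the per-address inverted drops, the "accept IP1/IP2 then drop the rest" chain logic the question sketches, and a single negation of the whole set. The `allowlist` ipset name, the probe addresses and the `firewall_cmds()` helper are illustrative assumptions.

```python
"""Why two inverted "drop" rich rules lock out both addresses.

Added example (not code from the page or from firewalld). It models one piece
of firewalld behaviour: a zone's rich rules are not evaluated in insertion
order but by action class, every drop/reject rule (the zone's _deny chain)
before any accept rule (the _allow chain). Addresses, the zone name and the
ipset name below are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Sequence, Tuple

DENY_ACTIONS = {"drop", "reject"}


@dataclass(frozen=True)
class RichRule:
    """A 'rule family="ipv4" source [NOT] ... <action>' rich rule."""
    sources: Tuple[str, ...]  # one CIDR for source address=, many for source ipset=
    invert: bool              # True for invert="True" / "source NOT"
    action: str               # "drop", "reject" or "accept"

    def matches(self, src: str) -> bool:
        in_set = any(ip_address(src) in ip_network(n, strict=False) for n in self.sources)
        return in_set != self.invert


def firewalld_order(rules: Sequence[RichRule]) -> List[RichRule]:
    """Deny rules first, then accept rules; insertion order kept within a class."""
    deny = [r for r in rules if r.action in DENY_ACTIONS]
    allow = [r for r in rules if r.action == "accept"]
    return deny + allow


def verdict(rules: Sequence[RichRule], src: str) -> str:
    """First matching rule decides; with no match the packet goes on to the
    zone's ordinary service/port rules (reported here as 'zone-services')."""
    for rule in firewalld_order(rules):
        if rule.matches(src):
            return rule.action
    return "zone-services"


def simulate(rules: Sequence[RichRule], probes: Sequence[str]) -> Dict[str, str]:
    return {src: verdict(rules, src) for src in probes}


ALLOWED = ("11.22.33.44/32", "55.66.77.88/32")        # the question's placeholder addresses
PROBES = ("11.22.33.44", "55.66.77.88", "203.0.113.9")  # constructed; the third is a stranger


def two_inverted_drops(allowed: Sequence[str] = ALLOWED) -> List[RichRule]:
    """What the question tried: one 'source NOT <ip> drop' rule per address.
    Every packet fails at least one of the two negations, so everything drops."""
    return [RichRule((a,), invert=True, action="drop") for a in allowed]


def accepts_then_catchall_drop(allowed: Sequence[str] = ALLOWED) -> List[RichRule]:
    """The 'allow IP1/IP2 and stop, else DROP' chain logic written as rich rules.
    Right in insertion order, but the drop lands in the deny chain and runs first."""
    accepts = [RichRule((a,), invert=False, action="accept") for a in allowed]
    return accepts + [RichRule(("0.0.0.0/0",), invert=False, action="drop")]


def one_inverted_set_drop(allowed: Sequence[str] = ALLOWED) -> List[RichRule]:
    """A single negation of the whole set: 'source NOT ipset=<set> drop'."""
    return [RichRule(tuple(allowed), invert=True, action="drop")]


def firewall_cmds(allowed: Sequence[str], ipset: str = "allowlist", zone: str = "public") -> List[str]:
    """firewall-cmd lines expressing one_inverted_set_drop() with an ipset.
    'allowlist' is a placeholder name; confirm on your firewalld version that
    invert="True" is honoured on an ipset source before relying on it remotely."""
    cmds = [f"firewall-cmd --permanent --new-ipset={ipset} --type=hash:net"]
    cmds += [f"firewall-cmd --permanent --ipset={ipset} --add-entry={a}" for a in allowed]
    rule = f'rule family="ipv4" source ipset="{ipset}" invert="True" drop'
    cmds.append(f"firewall-cmd --permanent --zone={zone} --add-rich-rule='{rule}'")
    cmds.append("firewall-cmd --reload")
    return cmds


if __name__ == "__main__":
    for name, build in (("two inverted drops", two_inverted_drops),
                        ("accepts then catch-all drop", accepts_then_catchall_drop),
                        ("one inverted set drop", one_inverted_set_drop)):
        print(f"{name}: {simulate(build(), PROBES)}")
    print("\n".join(firewall_cmds(ALLOWED)))
```

The first two rule sets drop all three probes, including both allowed addresses; only the single negated set lets IP1 and IP2 through to the zone's services while dropping the stranger. On a remote VPS, apply the rule set to the runtime configuration first (without --permanent), confirm you can still reach the box from both addresses, and only then commit it, since a mistake here is a lockout.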
Updated on September 18, 2022
-
NYCeyes almost 2 years
I'm running firewalld on a VPS / webserver.
The public zone is active and default (and I do not want to change that). How do I allow only these two external IP-addresses to access the VPS (i.e. all of the services I have defined in the public zone):
IP1: 11.22.33.44/24
IP2: 55.66.77.88/24
These are fake IP addresses and notice that they are intentionally not on the same subnet.
I think I understand why the following doesn't work (it locks out one or the other IP).
user$ sudo firewall-cmd --zone=public --permanent --add-source=11.22.33.44/24
user$ sudo firewall-cmd --zone=public --permanent --add-source=55.66.77.88/24
user$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="11.22.33.44/24" invert="True" drop'
user$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="55.66.77.88/24" invert="True" drop'
user$ sudo firewall-cmd --reload
What do I need to modify for this to work (so it doesn't lock out one IP or the other or both)?
Thank you! =:)
EDIT: Per the first commenter below, I also tried a /32 bit mask for all four commands above. Sadly it did not help. Still looking for a solution. I think the logic might sound something like:
if IP1 or IP2, allow it and stop processing the chain.
else continue processing the chain, where the very next rule would be to DROP.
Something like that.
EDIT2: Posting the output of sudo firewall-cmd --list-all-zones below. Note that I removed all the rules mentioned above since they weren't working. So the below is back to square one.
user$ sudo firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: venet0:0 venet0
  sources:
  services: ssh-vps http https
  ports: 8080/tcp 8080/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: echo-reply echo-request timestamp-reply timestamp-request
  rich rules:
trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
-
Alexander Tolkachev over 6 years
Do you know about the /32 mask? It allows you to allow only one IP, instead of a /24 subnet, which has 254 IPs.
-
NYCeyes over 6 years
Good suggestion. I did know but didn't try it. I tried it after you suggested it but, sadly, it did not help. (._.) I think it's a simple rule-ordering issue. Either way, I'll use /32 going forward (unless there's a reason not to in the solution). :) Thank you.
-