Here is my situation that I just cannot seem to figure out and I'm hoping someone can shed some light on this for me.
I have 2 NICs on one server:
eno1 - External IP 1.2.3.4
eno2 - Internal IP, which is only used between servers 192.168.1.x
I want to allow everything on the internal IP, no big deal. I added interface eno1 to the internal zone and added source 192.168.1.0/24
Now for eno1, I want to deny all subnets within a range, but then allow specific subnets that are within that range. In the past with IPTables, I would just add the following lines to iptables and it would work fine. I just cannot figure out how to do it with firewalld and all the zones.
# Allow IT and VPN subnets
-A INPUT -s 1.2.25.0/24 -j ACCEPT
-A INPUT -s 1.2.26.0/24 -j ACCEPT
-A INPUT -s 1.2.27.0/24 -j ACCEPT
# Block unwanted IP addresses
-A INPUT -m iprange --src-range 1.2.0.0-1.2.3.255.255 -j DROP
Thanks for any help you can provide, or at least point me in the right direction.
Joe
Firewalld and network interfaces
Re: Firewalld and network interfaces
Maybe you can try with firewalld rich rules: 3 for allowing and 1 for the drop.
If firewalld rich rules can't do it - you can use direct rules as last resort, but keep in mind that direct rules are processed before anything else.
Re: Firewalld and network interfaces
You have some typo in that range.
Code: Select all
# ipcalc -n -b 1.2.0.0/22
BROADCAST=1.2.3.255
NETWORK=1.2.0.0
# ipcalc -n -b 1.2.0.0/16
BROADCAST=1.2.255.255
NETWORK=1.2.0.0
You can almost use rich rules:
Code: Select all
firewall-cmd --permanent --zone=external --add-rich-rule='rule family="ipv4" source address="1.2.1.0/24" accept'
firewall-cmd --permanent --zone=external --add-rich-rule='rule family="ipv4" source address="1.2.0.0/22" drop'
The problem is that the deny rules are before the accept rules.
Code: Select all
# iptables -S IN_external
-N IN_external
-A IN_external -j IN_external_log
-A IN_external -j IN_external_deny
-A IN_external -j IN_external_allow
-A IN_external -p icmp -j ACCEPT
Is it necessary to drop? The default is to reject (except icmp):
Code: Select all
-A INPUT -j REJECT --reject-with icmp-host-prohibited
The ipset can define range(s).
Code: Select all
man firewalld.richlanguage
source [not] address="address[/mask]"|mac="mac-address"|ipset="ipset"
The firewall-cmd can define ipsets.
Overall, why open all ports? Why not limit access to just the necessary services, like ssh and vpn?
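The chain listing above is the whole problem: IN_external_deny runs before IN_external_allow, so an accept rich rule for a subnet that lies inside a dropped range can never match. The way around it, as an added example that is not code from the thread or from firewalld itself, is to never put the allowed subnets into the drop set in the first place: compute the block range minus the exceptions, load that complement into a hash:net ipset, and drop from the ipset. The script below assumes the /16 reading of the poster's range (the ipcalc output shows both candidates; the /22 reading is handled too and simply yields no carve-outs), the zone name "external" and an ipset name "blocked_ranges"; it prints the firewall-cmd invocations rather than running them, so it can be reviewed on any machine, and it simulates firewalld's deny-then-allow order to show why the naive accept/drop pair fails.

```python
"""Carve allowed subnets out of a firewalld drop range (added example).

firewalld evaluates IN_<zone>_deny before IN_<zone>_allow, so an 'accept'
rich rule for a subnet inside a 'drop' range never fires.  Instead of
fighting the order, compute the complement of the allowed subnets within
the block range and drop only that, via a hash:net ipset.
Zone and ipset names below are assumptions, not values from the thread.
"""
import ipaddress

# Constructed inputs: the /16 reading of the poster's range plus the three
# subnets they wanted to accept.  Nothing here is read from a live host.
BLOCK_RANGE = ("1.2.0.0", "1.2.255.255")
ALLOWED = ["1.2.25.0/24", "1.2.26.0/24", "1.2.27.0/24"]
ZONE = "external"          # assumed zone name
IPSET = "blocked_ranges"   # assumed ipset name


def drop_networks(block_range, allowed):
    """CIDR blocks covering block_range with every allowed subnet removed."""
    start, end = (ipaddress.ip_address(a) for a in block_range)
    exceptions = [ipaddress.ip_network(n) for n in allowed]
    pieces = list(ipaddress.summarize_address_range(start, end))
    for exc in exceptions:
        remaining = []
        for net in pieces:
            if net.subnet_of(exc):
                continue                                   # entirely allowed: not blocked
            if exc.subnet_of(net):
                remaining.extend(net.address_exclude(exc))  # split around the exception
            else:
                remaining.append(net)                      # disjoint: keep as-is
        pieces = remaining
    return sorted(set(pieces), key=lambda n: (int(n.network_address), n.prefixlen))


def firewall_cmds(zone=ZONE, ipset=IPSET, block_range=BLOCK_RANGE, allowed=ALLOWED):
    """firewall-cmd invocations (permanent config) that implement the policy."""
    cmds = [f"firewall-cmd --permanent --new-ipset={ipset} --type=hash:net"]
    for net in drop_networks(block_range, allowed):
        cmds.append(f"firewall-cmd --permanent --ipset={ipset} --add-entry={net}")
    # The drop rule references only the ipset, so the allowed subnets never
    # match in IN_<zone>_deny and reach IN_<zone>_allow / the zone defaults.
    cmds.append(
        f"firewall-cmd --permanent --zone={zone} --add-rich-rule="
        f"'rule family=\"ipv4\" source ipset=\"{ipset}\" drop'"
    )
    # Optional: replicate the poster's blanket ACCEPT for the allowed subnets.
    # Dropping these and relying on the zone's services instead is tighter.
    for net in allowed:
        cmds.append(
            f"firewall-cmd --permanent --zone={zone} --add-rich-rule="
            f"'rule family=\"ipv4\" source address=\"{net}\" accept'"
        )
    cmds.append("firewall-cmd --reload")
    return cmds


def verdict(src, block_range=BLOCK_RANGE, allowed=ALLOWED):
    """Simulate firewalld's order (deny, then allow, then zone default) with the carved drop set."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in drop_networks(block_range, allowed)):
        return "drop"
    if any(ip in ipaddress.ip_network(n) for n in allowed):
        return "accept"
    return "zone default (reject)"


def naive_verdict(src, block_range=BLOCK_RANGE, allowed=ALLOWED):
    """Same order, but with one drop rich rule for the whole range: accepts inside it never fire."""
    ip = ipaddress.ip_address(src)
    start, end = (ipaddress.ip_address(a) for a in block_range)
    if start <= ip <= end:
        return "drop"
    if any(ip in ipaddress.ip_network(n) for n in allowed):
        return "accept"
    return "zone default (reject)"


if __name__ == "__main__":
    print("\n".join(firewall_cmds()))
    for src in ("1.2.25.7", "1.2.24.9", "1.2.200.1", "9.9.9.9"):
        print(f"{src:>12}: naive={naive_verdict(src):<8} carved={verdict(src)}")
```

Run it and paste the printed commands into a root shell on the host; nothing in the script touches firewalld itself. Because the allowed subnets are simply absent from the ipset, the drop rule can sit in IN_external_deny and the accept rules (if you keep them) in IN_external_allow without the ordering ever mattering, and the same complement approach works with a plain `source address=` drop rule per block if you would rather not create an ipset.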