Iptables rule to Firewalld rules
Dear All,
I am using an FTP server where 30 IPs can access it from all around the world. I have allowed those IPs with iptables, e.g.: "-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 21 -j ACCEPT"
Now I want to migrate that server to CentOS 7 with firewalld. What would be the command or line to achieve that?
Please note that I am very new to this firewalld.
Ehsan
Re: Iptables rule to Firewalld rules
See https://access.redhat.com/documentation ... walls.html
or just use man firewall-cmd
Re: Iptables rule to Firewalld rules
Dear Aks,
I have been through the URL but could not understand things properly. Could you please tell me the command for that, if you please. I am not good in English.
Ehsan
Re: Iptables rule to Firewalld rules
Hide any private IPs, but share the output of iptables-save. It'll be easier to write something to convert this for you if you share the iptables rules.
-- Jeremy --
Re: Iptables rule to Firewalld rules
jyoung wrote: Hide any private IPs, but share the output of iptables-save. It'll be easier to write something to convert this for you if you share the iptables rules.
Code:
-A INPUT -s 172.29.10.69/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 172.29.10.58/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 172.28.60.42/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 172.28.60.45/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 172.29.10.69/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 172.29.10.58/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 172.28.60.42/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 172.28.60.45/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j LOG --log-prefix "FTP_denied"
-A INPUT -p tcp -m tcp --dport 21 -j DROP
-A OUTPUT -p tcp -m tcp --dport 21 -j DROP
My FTP Server's iptables
One more thing: I can understand "rich rule"; what I want to know is, is there any other option except rich rule??
BR
Ehsan
Re: Iptables rule to Firewalld rules
firewall-cmd --permanent --add-port=21/tcp
or
firewall-cmd --permanent --add-service=ftp
To allow all addresses.
But to do the source addresses you need rich language, so you would do something like:
<rule family="ipv4">
<source address="172.29.10.69/32"/>
<service name="ftp"/>
<log prefix="ftp" level="info">
<limit value="1/m"/>
</log>
<accept/>
</rule>
See https://fedoraproject.org/wiki/Features ... chLanguage
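As an added example (not code from the thread or from firewalld), the following script mechanically turns per-source iptables ACCEPT rules like the ones Ehsan posted into the equivalent firewall-cmd rich-rule commands, so the 30 addresses do not have to be retyped one by one. It only prints the commands; the sample iptables-save lines, the zone name "data" and the function name ipt_to_rich are assumptions made for the example. The trailing LOG/DROP rules are deliberately not converted: in firewalld the zone's default target (for instance a zone whose target is DROP) already discards whatever no rich rule accepted.

```shell
#!/bin/bash
# Constructed sample of iptables-save output, modelled on the rules quoted in
# the thread (addresses are placeholders, not real hosts).
SAMPLE_RULES='-A INPUT -s 172.29.10.69/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 172.29.10.58/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j LOG --log-prefix "FTP_denied"
-A INPUT -p tcp -m tcp --dport 21 -j DROP
-A OUTPUT -p tcp -m tcp --dport 21 -j DROP'

# ipt_to_rich ZONE  (reads iptables-save lines on stdin)
# Prints one firewall-cmd invocation per "-A INPUT -s <addr> -p <proto>
# --dport <port> -j ACCEPT" rule. Lines that are not INPUT/ACCEPT, or that
# carry no source address, are skipped (blanket LOG/DROP rules are left to the
# zone's default target instead of being turned into rich rules).
ipt_to_rich() {
    local zone=$1
    local line src proto port
    while read -r line; do
        case "$line" in
            "-A INPUT "*" -j ACCEPT") ;;   # only per-source allow rules
            *) continue ;;
        esac
        src=""; proto=""; port=""
        set -f                  # no globbing while word-splitting the rule
        set -- $line
        set +f
        while [ $# -gt 0 ]; do
            case "$1" in
                -s)      src=$2;   shift ;;
                -p)      proto=$2; shift ;;
                --dport) port=$2;  shift ;;
            esac
            shift
        done
        # A rule without source, protocol and port is not a per-source allow.
        [ -n "$src" ] && [ -n "$proto" ] && [ -n "$port" ] || continue
        printf "firewall-cmd --permanent --zone=%s --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"%s\" accept'\n" \
            "$zone" "$src" "$port" "$proto"
    done
}

# Example run: print the commands for the sample rules.
printf '%s\n' "$SAMPLE_RULES" | ipt_to_rich data
```

Review the printed commands before running them, then finish with firewall-cmd --reload. Using port port="21" protocol="tcp" keeps the conversion literal; replacing it with service name="ftp" is equivalent for port 21 and also loads the FTP connection-tracking helper, which passive FTP needs.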
Re: Iptables rule to Firewalld rules
amiehsan wrote: One more thing: I can understand "rich rule"; what I want to know is, is there any other option except rich rule??
Rich rules aren't necessarily required for this. You could make use of zones, allowing FTP for only a specific zone. Adding source IPs to the zone will help you specify the allowed services or ports. If rich rules add the logging functionality that you're looking for, then you can add the logging rule to the zone as well. This may not scale well depending on your setup, but it's another option.
I make my default zone drop, and use zones for "management" access and for "data" access. The "management" zone would allow inbound SSH, SNMP, and any additional services related to the "management" of the server. "Data", then, would be specific to the application(s) that I'm running on my server. So, for example:
Code:
sudo bash
vim /tmp/iptables-rules ## Put your iptables-save output here
cp /usr/lib/firewalld/zones/public.xml /etc/firewalld/zones/data.xml   ## new "data" zone, cloned from public
sed -i "/service/d;/port/d" /etc/firewalld/zones/data.xml               ## strip the services/ports inherited from public
firewall-cmd --reload                                                   ## make firewalld pick up the new zone file
firewall-cmd --zone=data --permanent --add-service=ftp
gawk '{print $4}' /tmp/iptables-rules | grep '^[0-9]' | while read IPADDR; do firewall-cmd --zone=data --permanent --add-source=${IPADDR}; done   ## $4 is the -s address of each "-A INPUT -s ..." rule
firewall-cmd --zone=internal --permanent --add-source="YOUR IP ADDRESS HERE/CIDR" ## You can modify the internal zone as you need to add or remove services.
firewall-cmd --set-default-zone=drop
firewall-cmd --reload
Code:
firewall-cmd --get-default-zone
firewall-cmd --get-active-zones
firewall-cmd --zone=SOME NAME HERE --list-all
for ZONE in $( firewall-cmd --get-active-zones | grep '^[A-Za-z0-9]' ); do firewall-cmd --zone=$ZONE --list-all; done
-- Jeremy --
Re: Iptables rule to Firewalld rules
Thank you very much, aks & Jeremy.