Iptables rule to Firewalld rules

Support for security such as Firewalls and securing linux
amiehsan
Posts: 6
Joined: 2014/09/16 06:51:32

Iptables rule to Firewalld rules

Post by amiehsan » 2015/05/06 12:12:08

Dear All,
I am using an FTP server that 30 IPs can access from all around the world. I have allowed those IPs with iptables, e.g. "-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 21 -j ACCEPT".
Now I want to migrate that server to CentOS 7 with firewalld. What would be the command or line to achieve that?

Please note that I am very new to firewalld.

Ehsan

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Iptables rule to Firewalld rules

Post by aks » 2015/05/06 16:30:47


amiehsan
Posts: 6
Joined: 2014/09/16 06:51:32

Re: Iptables rule to Firewalld rules

Post by amiehsan » 2015/05/11 08:24:39

Dear Aks,

I have been through the URL but could not understand it properly. Could you please tell me the command for that, if you would? I am not good at English.
Ehsan

jyoung
Posts: 102
Joined: 2014/09/22 13:40:31
Location: Nashville, TN, USA

Re: Iptables rule to Firewalld rules

Post by jyoung » 2015/05/11 11:50:34

Hide any private IPs, but share the output of iptables-save. It'll be easier to write something to convert this for you if you share the iptables rules.
-- Jeremy --

amiehsan
Posts: 6
Joined: 2014/09/16 06:51:32

Re: Iptables rule to Firewalld rules

Post by amiehsan » 2015/05/12 04:54:52

jyoung wrote: Hide any private IPs, but share the output of iptables-save. It'll be easier to write something to convert this for you if you share the iptables rules.
-A INPUT -s 172.29.10.69/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 172.29.10.58/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 172.28.60.42/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 172.28.60.45/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 172.29.10.69/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 172.29.10.58/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 172.28.60.42/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 172.28.60.45/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j LOG --log-prefix "FTP_denied"
-A INPUT -p tcp -m tcp --dport 21 -j DROP
-A OUTPUT -p tcp -m tcp --dport 21 -j DROP

My FTP server's iptables.

One more thing: I can understand "rich rule"; what I want to know is whether there is any other option except rich rule?

BR
Ehsan

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Iptables rule to Firewalld rules

Post by aks » 2015/05/12 16:27:12

firewall-cmd --permanent --add-port=21/tcp
or
firewall-cmd --permanent --add-service=ftp
to allow all addresses.

But to do the source addresses you need the rich language, so you would do something like:
<rule family="ipv4">
  <source address="172.29.10.69/32"/>
  <service name="ftp"/>
  <log prefix="ftp" level="info">
    <limit value="1/m"/>
  </log>
  <accept/>
</rule>
See https://fedoraproject.org/wiki/Features ... chLanguage

jyoung
Posts: 102
Joined: 2014/09/22 13:40:31
Location: Nashville, TN, USA

Re: Iptables rule to Firewalld rules

Post by jyoung » 2015/05/12 18:39:15

amiehsan wrote: One more thing: I can understand "rich rule"; what I want to know is whether there is any other option except rich rule?
Rich rules aren't necessarily required for this. You could make use of zones, allowing FTP for only a specific zone. Adding source IPs to the zone will help you specify the allowed services or ports. If rich rules add the logging functionality that you're looking for, then you can add the logging rule to the zone as well. This may not scale well depending on your setup, but it's another option.

I make my default zone drop, and use zones for "management" access and for "data" access. The "management" zone would allow inbound SSH, SNMP, and any additional services related to the "management" of the server. "Data", then, would be specific to the application(s) that I'm running on my server. So, for example:

Code:

sudo bash
vim /tmp/iptables-rules ## Put your iptables-save output here
cp /usr/lib/firewalld/zones/public.xml /etc/firewalld/zones/data.xml
sed -i "/service/d;/port/d" /etc/firewalld/zones/data.xml   ## strip the services/ports public.xml opens
firewall-cmd --reload                                        ## make the new "data" zone known to firewalld
firewall-cmd --zone=data --permanent --add-service=ftp
gawk '{print $4}' /tmp/iptables-rules | grep '^[0-9]' | while read IPADDR; do firewall-cmd --zone=data --permanent --add-source=${IPADDR}; done   ## $4 is the -s address in each "-A INPUT -s ..." line
firewall-cmd --zone=internal --permanent --add-source="YOUR IP ADDRESS HERE/CIDR"  ## You can modify the internal zone as you need to to add or remove services.
firewall-cmd --set-default-zone=drop
firewall-cmd --reload
Now, you can see your active firewall configuration with commands like this:

Code:

firewall-cmd --get-default-zone
firewall-cmd --get-active-zones
firewall-cmd --zone=SOME NAME HERE --list-all
for ZONE in $( firewall-cmd --get-active-zones | grep '^[A-Za-z0-9]' ); do firewall-cmd --zone=$ZONE --list-all; done
-- Jeremy --
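The two replies above describe two translations of the posted iptables rules: aks's rich-rule form (one rule per source, in one zone) and jyoung's zone form (a separate zone whose only service is ftp, with the permitted addresses bound to it as sources). The script below is an added example, not part of the thread and not firewalld's own tooling: it parses iptables-save text and prints the firewall-cmd commands for both forms, plus the pieces the replies do not cover, the "FTP_denied" LOG+DROP pair and the OUTPUT rule. It only prints commands, so they can be reviewed before being run as root on the CentOS 7 host. Assumptions of mine: the rules have the "-A INPUT -s A.B.C.D/32 ... --dport 21 -j ACCEPT" shape shown in the thread; the zone name "data", the 1/m log limit and the RFC 5737 sample address replacing the redacted entries are my choices; --new-zone requires a firewalld build that has it (on older builds, copy a zone XML file as in jyoung's post).

```shell
#!/bin/sh
# Added example (not from the thread): convert iptables-save rules into the
# firewall-cmd commands described above. Prints the commands instead of
# running them. Zone name, log limit and sample address are assumptions.

# Constructed sample: the poster's rules, with the redacted xx.xx.xx.xx entries
# replaced by an RFC 5737 address and one duplicate line kept on purpose.
SAMPLE_RULES='-A INPUT -s 172.29.10.69/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 172.29.10.58/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 172.29.10.69/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j LOG --log-prefix "FTP_denied"
-A INPUT -p tcp -m tcp --dport 21 -j DROP
-A OUTPUT -p tcp -m tcp --dport 21 -j DROP'

# accept_sources PORT: read iptables-save text on stdin and print the unique
# source CIDRs of INPUT/ACCEPT rules for that TCP destination port, sorted.
# Duplicate rules (as in the posted set) collapse to one source.
accept_sources() {
    awk -v port="$1" '
        $1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
            src = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s")      src   = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
            }
            if (src != "" && dport == port) print src
        }' | sort -u
}

# Zone form (jyoung's approach): a zone that allows only ftp, with the
# permitted addresses bound to it as sources. --new-zone is an assumption
# about the firewalld version; copying a zone XML file works on any build.
zone_commands() {
    zone="$1"; port="$2"
    echo "firewall-cmd --permanent --new-zone=$zone"
    echo "firewall-cmd --permanent --zone=$zone --add-service=ftp"
    accept_sources "$port" | while read -r src; do
        echo "firewall-cmd --permanent --zone=$zone --add-source=$src"
    done
}

# Rich-rule form (aks's approach): one accept rule per source in one zone.
rich_rule_commands() {
    zone="$1"; port="$2"
    accept_sources "$port" | while read -r src; do
        echo "firewall-cmd --permanent --zone=$zone --add-rich-rule='rule family=\"ipv4\" source address=\"$src\" service name=\"ftp\" accept'"
    done
}

# The LOG + DROP pair for everyone else. Attached to the default zone, which
# only sees sources not bound to the data zone, so (as in the original rules)
# only denied attempts are logged. In a single zone the rich language runs
# logging rules before allow rules, so the same rule there would also log the
# accepted connections.
deny_log_command() {
    dzone="$1"
    echo "firewall-cmd --permanent --zone=$dzone --add-rich-rule='rule family=\"ipv4\" service name=\"ftp\" log prefix=\"FTP_denied\" level=\"info\" limit value=\"1/m\" drop'"
}

# "-A OUTPUT ... -j DROP" has no zone equivalent; the direct interface passes
# it through to the iptables OUTPUT chain unchanged.
output_drop_command() {
    echo "firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp --dport $1 -j DROP"
}

# generate_all ZONE PORT: full command set for the rules on stdin, ending with
# the reload that makes --permanent changes live and a check of the result.
generate_all() {
    gzone="$1"; gport="$2"
    rules=$(cat)
    printf '%s\n' "$rules" | zone_commands "$gzone" "$gport"
    deny_log_command drop
    output_drop_command "$gport"
    echo "firewall-cmd --set-default-zone=drop"
    echo "firewall-cmd --reload"
    echo "firewall-cmd --zone=$gzone --list-all"
}

# Usage: iptables-save | sh convert.sh   (here: the constructed sample)
printf '%s\n' "$SAMPLE_RULES" | generate_all data 21
```

The zone form is the one generate_all emits because it keeps the "log only denied attempts" behaviour of the original ruleset; rich_rule_commands is there for comparison if you prefer aks's single-zone layout. Note that every --permanent change is inert until firewall-cmd --reload, which is why the reload is the second-to-last command, and that --zone=data --list-all is the check to read afterwards: it should list ftp under services and the expected addresses under sources.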

amiehsan
Posts: 6
Joined: 2014/09/16 06:51:32

Re: Iptables rule to Firewalld rules

Post by amiehsan » 2015/05/13 07:42:31

Thank you very much.. aks & Jeremy :)
