Firewall-cmd allow a single mac source

Support for security such as Firewalls and securing linux
supertight
Posts: 171
Joined: 2017/02/07 21:47:51

Firewall-cmd allow a single mac source

Post by supertight » 2017/06/04 15:26:08

I want to switch the server from zone=home to zone=drop w/ the client MAC listed as the sole approved source.

I can get the interface into drop, I can add the MAC as a source. When I attempt to ssh into the server with that configuration, I'm blocked out. If I add SSH as a service, I can get in. But so can all the other clients on the network....

Do I need to write a rich rule? or am I just missing a step?

Thanks for reading.

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Firewall-cmd allow a single mac source

Post by TrevorH » 2017/06/04 16:23:36

This looks like a duplicate of your other recent posts. Please keep to one topic at a time and keep your posts in one place.

Is the machine you are trying to ssh from in the same network segment as the server you are trying to ssh to? No routers/firewalls in between?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

supertight
Posts: 171
Joined: 2017/02/07 21:47:51

Re: Firewall-cmd allow a single mac source

Post by supertight » 2017/06/04 17:35:37

TrevorH wrote:This looks like a duplicate of your other recent posts. Please keep to one topic at a time and keep your posts in one place.

Is the machine you are trying to ssh from in the same network segment as the server you are trying to ssh to? No routers/firewalls in between?
My previous post was for my 6.9 servers. This post is for my 7.3 servers. I'm sorry if I should be lumping this into one topic. I made a new topic because I switched from iptables to firewalld. Feel free to close any of the other threads?

This time, both client and server are on the same switch. No router in the mix.
client interface - 192.168.1.15
server interface - 192.168.1.14

supertight
Posts: 171
Joined: 2017/02/07 21:47:51

Re: Firewall-cmd allow a single mac source

Post by supertight » 2017/06/06 02:42:35

supertight wrote:
TrevorH wrote:This looks like a duplicate of your other recent posts. Please keep to one topic at a time and keep your posts in one place.

Is the machine you are trying to ssh from in the same network segment as the server you are trying to ssh to? No routers/firewalls in between?
My previous post was for my 6.9 servers. This post is for my 7.3 servers. I'm sorry if I should be lumping this into one topic. I made a new topic because I switched from iptables to firewalld. Feel free to close any of the other threads?

This time, both client and server are on the same switch. No router in the mix.
client interface - 192.168.1.15
server interface - 192.168.1.14
I'm still hung up on this. Anyone? thanks.

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewall-cmd allow a single mac source

Post by jlehtone » 2017/06/06 12:29:38

supertight wrote:Do I need to write a rich rule?
That should do it.

For example, if you add the rich rule

    rule family="ipv4" source mac="01:23:45:67:89:AB" service name="ssh" accept

then the IN_zonename_allow will have

    -p tcp -m mac --mac-source 01:23:45:67:89:AB -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

You obviously have to remove the ssh from the services of the zone, or else
you will have the "too liberal"

    -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
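
The "too liberal" rule above is easy to leave behind by accident, so here is an added example (not code from the thread or from firewalld) that builds the MAC-scoped rich rule, checks an iptables-save style dump for any port-22 ACCEPT that is not restricted by --mac-source, and wires the firewall-cmd steps the thread implies. The interface and MAC passed to apply_on_host are assumptions; the sample rules are constructed.

```shell
#!/bin/sh
# Added example, not code from the forum post: a check for the "too liberal"
# ssh ACCEPT that jlehtone warns about (a --dport 22 ACCEPT that is not
# scoped with "-m mac --mac-source"), plus the firewall-cmd steps the
# thread implies. Host-specific names (interface, MAC) are assumptions.

# Constructed sample of what IN_drop_allow looks like when the ssh service
# is still enabled next to the MAC-scoped rich rule.
SAMPLE_RULES='-A IN_drop_allow -p tcp -m mac --mac-source 01:23:45:67:89:AB -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_drop_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_drop_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT'

# Build the rich rule from the post for one MAC; fails on a malformed address.
mac_rich_rule() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf 'rule family="ipv4" source mac="%s" service name="ssh" accept\n' "$1"
}

# Read iptables-save style rules on stdin and print how many ACCEPT rules for
# the given port are not restricted to a source MAC. 0 is the desired answer.
count_unscoped_accepts() {
    awk -v p="$1" '
        /-j ACCEPT/ && $0 ~ ("--dport " p "( |$)") && $0 !~ /--mac-source/ { n++ }
        END { print n + 0 }'
}

# CentOS 7 procedure for the server (not run here; needs root and firewalld).
# $1 = client MAC, $2 = server interface, both assumed. MAC filtering only
# holds on the same L2 segment and a MAC is not a secret, so treat it as a
# narrowing of exposure, not as authentication; ssh keys still do that job.
apply_on_host() {
    rule=$(mac_rich_rule "$1") || { echo "malformed MAC: $1" >&2; return 1; }
    firewall-cmd --permanent --zone=drop --change-interface="$2"
    # Drop the zone-wide ssh service first, or the plain --dport 22 ACCEPT stays.
    if firewall-cmd --permanent --zone=drop --query-service=ssh >/dev/null; then
        firewall-cmd --permanent --zone=drop --remove-service=ssh
    fi
    firewall-cmd --permanent --zone=drop --add-rich-rule="$rule"
    firewall-cmd --reload
    # Verify against the live ruleset; expect 0.
    iptables-save | count_unscoped_accepts 22
}

# Offline demo against the constructed sample; prints 1 (the zone-wide rule).
printf 'unscoped port-22 ACCEPT rules in sample: %s\n' \
    "$(printf '%s\n' "$SAMPLE_RULES" | count_unscoped_accepts 22)"
```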

supertight
Posts: 171
Joined: 2017/02/07 21:47:51

Re: Firewall-cmd allow a single mac source

Post by supertight » 2017/06/06 15:22:37

jlehtone wrote:
supertight wrote:Do I need to write a rich rule?
That should do it.

For example, if you do add rich rule

    rule family="ipv4" source mac="01:23:45:67:89:AB" service name="ssh" accept

then the IN_zonename_allow will have

    -p tcp -m mac --mac-source 01:23:45:67:89:AB -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

You obviously have to remove the ssh from the services of the zone, or else
you will have the "too liberal"

    -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
Thank you for the reply and the code. Was helpful. I understand way better now.
So, firewalld still writes iptables. It's just a different front-end management.
With CentOS 6, I have a script that I run with a flush, my rules and save/load at the end.

    iptables -F
    # Allow the single approved client by its MAC address
    iptables -A INPUT -p tcp -m mac --mac-source 00:24:**:aa:**:9b -j ACCEPT
    #
    # default policies
    #
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    #
    # Loopback traffic
    iptables -A INPUT -i lo -j ACCEPT
    #
    # Established and Related connections
    #
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #
    # Persist the ruleset so it survives a reboot, then show it with counters
    /sbin/service iptables save
    #
    iptables -L -v

Is there a way I can do this in CentOS 7 and skip the firewall-cmd altogether?

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Firewall-cmd allow a single mac source

Post by TrevorH » 2017/06/06 15:32:08

Yes, yum remove firewall\* then yum install iptables-services and configure as before. Might also need a systemctl enable iptables.

supertight
Posts: 171
Joined: 2017/02/07 21:47:51

Re: Firewall-cmd allow a single mac source

Post by supertight » 2017/06/06 18:48:11

TrevorH wrote:Yes, yum remove firewall\* then yum install iptables-services and configure as before. Might also need a systemctl enable iptables.

Thank you so much you guys. It's all very clear now. I can safely say I understand iptables.
