Blocking IP addresses using Firewalld rhel 7.0
Is there a way to block a specific IP address in firewalld?
I know it can be done in iptables, however I would like to use the firewalld service.
Responses
I'm getting up to speed myself, so - please keep that in mind ;-)
From what I can gather, this activity is considered a "rich-rule"
http://fedoraproject.org/wiki/Features/FirewalldRichLanguage#Handle_rich_rules_with_the_command_line_client
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.0.11' reject"
Check here (Under "Actions"):
http://fedoraproject.org/wiki/Features/FirewalldRichLanguage
Hello, see also Configuring Complex Firewall Rules with the "Rich Language" Syntax in the Red Hat Enterprise Linux Security Guide.
I just added the following to the drop zone and it worked without any issue:
firewall-cmd --zone=drop --add-source=x.x.x.x/xx
Replace x.x.x.x with the IP address; you can add the subnet prefix length as /xx.
Could you please let me know how we can allow specific IP addresses for SSH and MySQL? No one should be able to access SSH and MySQL except the allowed IPs.
Thanks Jonathan, for the quick reply. I have done this using iptables. I have also used hosts.allow and hosts.deny for the same, but hosts.allow/hosts.deny doesn't restrict MySQL traffic. As we are aware, the firewalld service has been introduced and I want to use the firewalld service as I did iptables. I also want to know for knowledge purposes.
It would be greatly appreciated if you could provide an answer for the same.
You should be able to add the mysql service (port 3306) to the firewall, then allow only certain IP addresses access:
# firewall-cmd --zone=public --add-service=mysql --permanent
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="your_IP_or_IP_Range" service name="mysql" accept' --permanent
[root@localhost ~]# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eno16777736
sources:
services: dhcpv6-client ssh mysql
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules: rule family="ipv4" source address="192.168.1.26" service name="ssh" accept
I tried the same rule for SSH but it's not working. I am able to access SSH from other IPs. I think for SSH I need to use hosts.allow. If you have any idea how to allow a specific IP address for SSH in firewalld, please share.
Thank you so much for paying attention towards this.
Nandkishor,
Looking at the output of your command, ssh is in both the services: section, and the rich rules section. I think the services section will allow ssh to be accepted everywhere the public zone applies.
If you want ssh to only be accepted from 192.168.1.26, remove ssh from the services:
firewall-cmd --remove-service=ssh --permanent
Regards,
Marc