Restricting different services to different subnets with FirewallD
by Vanyel from LinuxQuestions.org on (#5BJ30)
In my CentOS 7 installs I uninstall FirewallD and install IPtables instead, then use my standard IPtables firewall script to configure it.
Now as I play with CentOS 8 I'm learning FirewallD for the first time and it's ... interesting. I think I'm getting the hang of FirewallD but there are still some things I don't see how to do. Here's an illustration:
The following bash snippet makes a new firewall zone on the machine called "campus", allows ssh and nfs through it, then restricts access to specific subnets on campus only. This zone becomes the default.
Code:
firewall-cmd --new-zone=campus --permanent
firewall-cmd --reload
# Allow ssh and nfs, for now
firewall-cmd --permanent --zone=campus --add-service=ssh
firewall-cmd --permanent --zone=campus --add-service=nfs
firewall-cmd --permanent --zone=campus --add-service=mountd
firewall-cmd --permanent --zone=campus --add-service=rpc-bind
# All of those services are restricted to the following IP ranges
# My office router, lab router, and some campus IP subnets
for range in "192.168.3.0/24" "192.168.1.0/24" "10.49.0.0/16" "10.52.0.0/16" "10.54.0.0/16" "10.104.0.0/16"
do
firewall-cmd --permanent --zone=campus --add-source=$range
done
firewall-cmd --reload
# firewall-cmd has no --set-default option; the zone is made the default with --set-default-zone
firewall-cmd --set-default-zone=campus
This works fine. Here's the output of firewall-cmd --zone=campus --list-all, below:
Quote:
campus (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1
  sources: 192.168.3.0/24 192.168.1.0/24 10.49.0.0/16 10.52.0.0/16 10.54.0.0/16 10.104.0.0/16
  services: mountd nfs rpc-bind ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
What I DON'T get is how I would allow ssh to all the IP subnets, but restrict nfs to only a couple of them. I commonly do this with IPtables but with FirewallD I'm stumped.
Can anyone clue me in as to how?
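One way to get the split the post asks for, as an added example that is not from the original post or from the firewalld project: keep the campus zone and its source list so ssh stays open to every subnet, but take the NFS services out of the zone's service list and re-add them as firewalld rich rules, which carry their own source match. The six subnets are the post's own; the choice of the two router subnets as the only ones allowed to reach NFS is an assumption made for the example, as is the zone already existing (created as in the post). The fw wrapper prints each firewall-cmd invocation instead of running it when DRY_RUN=1 or when firewall-cmd is not installed, so the generated rule set can be reviewed before it is applied.

```shell
#!/usr/bin/env bash
# Added example (not the original post's script): ssh from every campus
# subnet, NFS only from the office and lab router subnets, in one zone.
set -eu

ZONE=campus
# Subnets from the post; all of them should reach ssh.
SSH_SOURCES="192.168.3.0/24 192.168.1.0/24 10.49.0.0/16 10.52.0.0/16 10.54.0.0/16 10.104.0.0/16"
# Assumption for this example: only these two subnets may mount NFS.
NFS_SOURCES="192.168.3.0/24 192.168.1.0/24"
# The three services the post opens for NFS.
NFS_SERVICES="nfs mountd rpc-bind"

# Run firewall-cmd, or print the command when dry-running or when
# firewall-cmd is absent, so the rule set can be reviewed anywhere.
fw() {
    if [ "${DRY_RUN:-0}" = "1" ] || ! command -v firewall-cmd >/dev/null 2>&1; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# Build one rich rule: accept SERVICE only from SOURCE (IPv4).
nfs_rich_rule() {
    local source=$1 service=$2
    printf 'rule family="ipv4" source address="%s" service name="%s" accept' "$source" "$service"
}

apply_rules() {
    # Zone-wide sources: a packet from any of these ranges lands in the zone.
    for range in $SSH_SOURCES; do
        fw --permanent --zone="$ZONE" --add-source="$range"
    done
    # Zone-wide service: ssh is reachable from every source above.
    fw --permanent --zone="$ZONE" --add-service=ssh
    # The NFS services must not be zone-wide, or every source would get them.
    # (|| true keeps the script going if a service was never added.)
    for svc in $NFS_SERVICES; do
        fw --permanent --zone="$ZONE" --remove-service="$svc" || true
    done
    # Rich rules match on their own source address, which narrows NFS to NFS_SOURCES.
    for range in $NFS_SOURCES; do
        for svc in $NFS_SERVICES; do
            fw --permanent --zone="$ZONE" --add-rich-rule="$(nfs_rich_rule "$range" "$svc")"
        done
    done
    fw --reload
}

apply_rules
```

After a reload, firewall-cmd --zone=campus --list-all should show only ssh under services and the six accept rules under rich rules; a host in 10.49.0.0/16 still matches the zone (for ssh) but has no rule granting it nfs, mountd or rpc-bind, so those fall through to the zone's default target.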