Firewalld - restrict traffic to specific IPs

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite












I'm trying to setup firewalld to restrict access to the CentOS7 server to specific IPs (192.168.10.5 and 167.165.100.22) both for incoming and outgoing traffic.



I have only one network interface, enp0s01.



I have switched the firewalld a custom zone that has 'ssh' service enabled.



firewall-cmd --zone=customlist --list-all
internal (active)
target: default
icmp-block-inversion: no
interfaces: enp0s01
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


I tested with adding one IP address, for example,



firewall-cmd --permanent --zone=external --add-source=192.168.10.5


However, other IPS within the network could still access the server via ssh.



How can I restrict the access? I thought firewall blocks all traffic unless explicitly whitelisted by adding the source.







share|improve this question























    up vote
    2
    down vote

    favorite












    I'm trying to setup firewalld to restrict access to the CentOS7 server to specific IPs (192.168.10.5 and 167.165.100.22) both for incoming and outgoing traffic.



    I have only one network interface, enp0s01.



    I have switched the firewalld a custom zone that has 'ssh' service enabled.



    firewall-cmd --zone=customlist --list-all
    internal (active)
    target: default
    icmp-block-inversion: no
    interfaces: enp0s01
    sources:
    services: ssh
    ports:
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:


    I tested with adding one IP address, for example,



    firewall-cmd --permanent --zone=external --add-source=192.168.10.5


    However, other IPS within the network could still access the server via ssh.



    How can I restrict the access? I thought firewall blocks all traffic unless explicitly whitelisted by adding the source.







    share|improve this question





















      up vote
      2
      down vote

      favorite









      up vote
      2
      down vote

      favorite











      I'm trying to setup firewalld to restrict access to the CentOS7 server to specific IPs (192.168.10.5 and 167.165.100.22) both for incoming and outgoing traffic.



      I have only one network interface, enp0s01.



      I have switched the firewalld a custom zone that has 'ssh' service enabled.



      firewall-cmd --zone=customlist --list-all
      internal (active)
      target: default
      icmp-block-inversion: no
      interfaces: enp0s01
      sources:
      services: ssh
      ports:
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:


      I tested with adding one IP address, for example,



      firewall-cmd --permanent --zone=external --add-source=192.168.10.5


      However, other IPS within the network could still access the server via ssh.



      How can I restrict the access? I thought firewall blocks all traffic unless explicitly whitelisted by adding the source.







      share|improve this question











      I'm trying to setup firewalld to restrict access to the CentOS7 server to specific IPs (192.168.10.5 and 167.165.100.22) both for incoming and outgoing traffic.



      I have only one network interface, enp0s01.



      I have switched the firewalld a custom zone that has 'ssh' service enabled.



      firewall-cmd --zone=customlist --list-all
      internal (active)
      target: default
      icmp-block-inversion: no
      interfaces: enp0s01
      sources:
      services: ssh
      ports:
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:


      I tested with adding one IP address, for example,



      firewall-cmd --permanent --zone=external --add-source=192.168.10.5


      However, other IPS within the network could still access the server via ssh.



      How can I restrict the access? I thought firewall blocks all traffic unless explicitly whitelisted by adding the source.









      share|improve this question










      share|improve this question




      share|improve this question









      asked Jul 3 at 20:43









      user6507067

      111




      111




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote













          Background



          In researching this it appears that you cannot restrict outgoing traffic using the basic firewalld commands. Several sources back this up:



          • How To Drop Outbound Connections With Firewalld

          • Understanding Firewalld in Multi-Zone Configurations

          • Firewalld OutBound rules

          Your only recourse is to make use of firewall-cmd --direct ... commands which do little more than facilitate iptables rules for you. Given this you have a choice of doing this through Firewalld or just doing this using whatever methods you may have employed previously when using iptables.



          NOTE: direct rules will look something like this:



          $ firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -d 74.125.136.99/32 -p tcp -m tcp --dport=80 -j DROP


          Potential solution



          If you can relax the requirement of disallowing the host from any outgoing communications, you can get most of what you want as follows using the basic firewall-cmd commands.



          NOTE: In my example I have 3 nodes:



          • 192.168.56.101 - VM #1 - server with Firewalld rules

          • 192.168.56.102 - VM #2

          • 192.168.56.1 - my laptop

          Firwalld commands:

          $ firewall-cmd --permanent --zone=internal --add-source=192.168.56.101/32
          $ firewall-cmd --permanent --zone=internal --add-source=192.168.56.1/32
          $ firewall-cmd --permanent --zone=internal --add-port=8080/tcp
          $ firewall-cmd --zone=public --set-target=DROP


          With this set up I can access VM #1 from my laptop, but cannot from anywhere else, such as from VM #2.



          default zone

          $ firewall-cmd --get-default-zone
          public


          active zones

          $ firewall-cmd --get-active-zones
          internal
          sources: 192.168.56.101/32 192.168.56.1/32
          public
          interfaces: eth0 eth1


          public zone's setup

          $ firewall-cmd --zone=public --list-all
          public (active)
          target: DROP
          icmp-block-inversion: no
          interfaces: eth0 eth1
          sources:
          services: ssh dhcpv6-client
          ports:
          protocols:
          masquerade: no
          forward-ports:
          source-ports:
          icmp-blocks:
          rich rules:


          internal zone's setup

          $ firewall-cmd --zone=internal --list-all
          internal (active)
          target: default
          icmp-block-inversion: no
          interfaces:
          sources: 192.168.56.101/32 192.168.56.1/32
          services: ssh mdns samba-client dhcpv6-client
          ports: 8080/tcp
          protocols:
          masquerade: no
          forward-ports:
          source-ports:
          icmp-blocks:
          rich rules:


          public zone's default target

          $ firewall-cmd --permanent --get-target
          DROP


          Testing



          To test this setup, I'm going to make use of nc (ncat) to create a 'listener daemon' on port 8080 and use curl -v telnet://... commands to act as clients which will connect to these listeners.



          NOTE: This is purely to illustrate that things are working as expected, and can be removed later on.



          On VM #1:

          $ nc -4 -l -p 8080 -k


          Now on VM #2 notice we cannot connect:

          $ timeout 1 curl -v telnet://192.168.56.101:8080
          * About to connect() to 192.168.56.101 port 8080 (#0)
          * Trying 192.168.56.101...
          $


          While on laptop we can:

          $ timeout 1 curl -v telnet://192.168.56.101:8080
          * Rebuilt URL to: telnet://192.168.56.101:8080/
          * Trying 192.168.56.101...
          * Connected to 192.168.56.101 (192.168.56.101) port 8080 (#0)
          $


          The only catch with this approach, is that the VM #1 node can still egress:



          $ timeout 2 ping 8.8.8.8
          PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
          64 bytes from 8.8.8.8: icmp_seq=1 ttl=63 time=26.4 ms
          64 bytes from 8.8.8.8: icmp_seq=2 ttl=63 time=25.6 ms
          $

          $ timeout 1 curl -v telnet://www.google.com:80
          * About to connect() to www.google.com port 80 (#0)
          * Trying 216.58.217.164...
          * Connected to www.google.com (216.58.217.164) port 80 (#0)
          $


          References



          • Whitelist source IP addresses in CentOS 7

          • https://serverfault.com/questions/707774/how-to-create-advanced-rules-with-firewall-cmd

          • How To Drop Outbound Connections With Firewalld

          • Firewalld Rich and Direct Rules: Setting up RHEL 7 Server as a Router





          share|improve this answer





















            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );








             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f453303%2ffirewalld-restrict-traffic-to-specific-ips%23new-answer', 'question_page');

            );

            Post as a guest






























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            0
            down vote













            Background



            In researching this it appears that you cannot restrict outgoing traffic using the basic firewalld commands. Several sources back this up:



            • How To Drop Outbound Connections With Firewalld

            • Understanding Firewalld in Multi-Zone Configurations

            • Firewalld OutBound rules

            Your only recourse is to make use of firewall-cmd --direct ... commands which do little more than facilitate iptables rules for you. Given this you have a choice of doing this through Firewalld or just doing this using whatever methods you may have employed previously when using iptables.



            NOTE: direct rules will look something like this:



            $ firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -d 74.125.136.99/32 -p tcp -m tcp --dport=80 -j DROP


            Potential solution



            If you can relax the requirement of disallowing the host from any outgoing communications, you can get most of what you want as follows using the basic firewall-cmd commands.



            NOTE: In my example I have 3 nodes:



            • 192.168.56.101 - VM #1 - server with Firewalld rules

            • 192.168.56.102 - VM #2

            • 192.168.56.1 - my laptop

            Firwalld commands:

            $ firewall-cmd --permanent --zone=internal --add-source=192.168.56.101/32
            $ firewall-cmd --permanent --zone=internal --add-source=192.168.56.1/32
            $ firewall-cmd --permanent --zone=internal --add-port=8080/tcp
            $ firewall-cmd --zone=public --set-target=DROP


            With this set up I can access VM #1 from my laptop, but cannot from anywhere else, such as from VM #2.



            default zone

            $ firewall-cmd --get-default-zone
            public


            active zones

            $ firewall-cmd --get-active-zones
            internal
            sources: 192.168.56.101/32 192.168.56.1/32
            public
            interfaces: eth0 eth1


            public zone's setup

            $ firewall-cmd --zone=public --list-all
            public (active)
            target: DROP
            icmp-block-inversion: no
            interfaces: eth0 eth1
            sources:
            services: ssh dhcpv6-client
            ports:
            protocols:
            masquerade: no
            forward-ports:
            source-ports:
            icmp-blocks:
            rich rules:


            internal zone's setup

            $ firewall-cmd --zone=internal --list-all
            internal (active)
            target: default
            icmp-block-inversion: no
            interfaces:
            sources: 192.168.56.101/32 192.168.56.1/32
            services: ssh mdns samba-client dhcpv6-client
            ports: 8080/tcp
            protocols:
            masquerade: no
            forward-ports:
            source-ports:
            icmp-blocks:
            rich rules:


            public zone's default target

            $ firewall-cmd --permanent --get-target
            DROP


            Testing



            To test this setup, I'm going to make use of nc (ncat) to create a 'listener daemon' on port 8080 and use curl -v telnet://... commands to act as clients which will connect to these listeners.



            NOTE: This is purely to illustrate that things are working as expected, and can be removed later on.



            On VM #1:

            $ nc -4 -l -p 8080 -k


            Now on VM #2 notice we cannot connect:

            $ timeout 1 curl -v telnet://192.168.56.101:8080
            * About to connect() to 192.168.56.101 port 8080 (#0)
            * Trying 192.168.56.101...
            $


            While on laptop we can:

            $ timeout 1 curl -v telnet://192.168.56.101:8080
            * Rebuilt URL to: telnet://192.168.56.101:8080/
            * Trying 192.168.56.101...
            * Connected to 192.168.56.101 (192.168.56.101) port 8080 (#0)
            $


            The only catch with this approach, is that the VM #1 node can still egress:



            $ timeout 2 ping 8.8.8.8
            PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
            64 bytes from 8.8.8.8: icmp_seq=1 ttl=63 time=26.4 ms
            64 bytes from 8.8.8.8: icmp_seq=2 ttl=63 time=25.6 ms
            $

            $ timeout 1 curl -v telnet://www.google.com:80
            * About to connect() to www.google.com port 80 (#0)
            * Trying 216.58.217.164...
            * Connected to www.google.com (216.58.217.164) port 80 (#0)
            $


            References



            • Whitelist source IP addresses in CentOS 7

            • https://serverfault.com/questions/707774/how-to-create-advanced-rules-with-firewall-cmd

            • How To Drop Outbound Connections With Firewalld

            • Firewalld Rich and Direct Rules: Setting up RHEL 7 Server as a Router





            share|improve this answer

























              up vote
              0
              down vote













              Background



              In researching this it appears that you cannot restrict outgoing traffic using the basic firewalld commands. Several sources back this up:



              • How To Drop Outbound Connections With Firewalld

              • Understanding Firewalld in Multi-Zone Configurations

              • Firewalld OutBound rules

              Your only recourse is to make use of firewall-cmd --direct ... commands which do little more than facilitate iptables rules for you. Given this you have a choice of doing this through Firewalld or just doing this using whatever methods you may have employed previously when using iptables.



              NOTE: direct rules will look something like this:



              $ firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -d 74.125.136.99/32 -p tcp -m tcp --dport=80 -j DROP


              Potential solution



              If you can relax the requirement of disallowing the host from any outgoing communications, you can get most of what you want as follows using the basic firewall-cmd commands.



              NOTE: In my example I have 3 nodes:



              • 192.168.56.101 - VM #1 - server with Firewalld rules

              • 192.168.56.102 - VM #2

              • 192.168.56.1 - my laptop

              Firwalld commands:

              $ firewall-cmd --permanent --zone=internal --add-source=192.168.56.101/32
              $ firewall-cmd --permanent --zone=internal --add-source=192.168.56.1/32
              $ firewall-cmd --permanent --zone=internal --add-port=8080/tcp
              $ firewall-cmd --zone=public --set-target=DROP


              With this set up I can access VM #1 from my laptop, but cannot from anywhere else, such as from VM #2.



              default zone

              $ firewall-cmd --get-default-zone
              public


              active zones

              $ firewall-cmd --get-active-zones
              internal
              sources: 192.168.56.101/32 192.168.56.1/32
              public
              interfaces: eth0 eth1


              public zone's setup

              $ firewall-cmd --zone=public --list-all
              public (active)
              target: DROP
              icmp-block-inversion: no
              interfaces: eth0 eth1
              sources:
              services: ssh dhcpv6-client
              ports:
              protocols:
              masquerade: no
              forward-ports:
              source-ports:
              icmp-blocks:
              rich rules:


              internal zone's setup

              $ firewall-cmd --zone=internal --list-all
              internal (active)
              target: default
              icmp-block-inversion: no
              interfaces:
              sources: 192.168.56.101/32 192.168.56.1/32
              services: ssh mdns samba-client dhcpv6-client
              ports: 8080/tcp
              protocols:
              masquerade: no
              forward-ports:
              source-ports:
              icmp-blocks:
              rich rules:


              public zone's default target

              $ firewall-cmd --permanent --get-target
              DROP


              Testing



              To test this setup, I'm going to make use of nc (ncat) to create a 'listener daemon' on port 8080 and use curl -v telnet://... commands to act as clients which will connect to these listeners.



              NOTE: This is purely to illustrate that things are working as expected, and can be removed later on.



              On VM #1:

              $ nc -4 -l -p 8080 -k


              Now on VM #2 notice we cannot connect:

              $ timeout 1 curl -v telnet://192.168.56.101:8080
              * About to connect() to 192.168.56.101 port 8080 (#0)
              * Trying 192.168.56.101...
              $


              While on laptop we can:

              $ timeout 1 curl -v telnet://192.168.56.101:8080
              * Rebuilt URL to: telnet://192.168.56.101:8080/
              * Trying 192.168.56.101...
              * Connected to 192.168.56.101 (192.168.56.101) port 8080 (#0)
              $


              The only catch with this approach, is that the VM #1 node can still egress:



              $ timeout 2 ping 8.8.8.8
              PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
              64 bytes from 8.8.8.8: icmp_seq=1 ttl=63 time=26.4 ms
              64 bytes from 8.8.8.8: icmp_seq=2 ttl=63 time=25.6 ms
              $

              $ timeout 1 curl -v telnet://www.google.com:80
              * About to connect() to www.google.com port 80 (#0)
              * Trying 216.58.217.164...
              * Connected to www.google.com (216.58.217.164) port 80 (#0)
              $


              References



              • Whitelist source IP addresses in CentOS 7

              • https://serverfault.com/questions/707774/how-to-create-advanced-rules-with-firewall-cmd

              • How To Drop Outbound Connections With Firewalld

              • Firewalld Rich and Direct Rules: Setting up RHEL 7 Server as a Router





              share|improve this answer























                up vote
                0
                down vote










                up vote
                0
                down vote









                Background



                In researching this it appears that you cannot restrict outgoing traffic using the basic firewalld commands. Several sources back this up:



                • How To Drop Outbound Connections With Firewalld

                • Understanding Firewalld in Multi-Zone Configurations

                • Firewalld OutBound rules

                Your only recourse is to make use of firewall-cmd --direct ... commands which do little more than facilitate iptables rules for you. Given this you have a choice of doing this through Firewalld or just doing this using whatever methods you may have employed previously when using iptables.



                NOTE: direct rules will look something like this:



                $ firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -d 74.125.136.99/32 -p tcp -m tcp --dport=80 -j DROP


                Potential solution



                If you can relax the requirement of disallowing the host from any outgoing communications, you can get most of what you want as follows using the basic firewall-cmd commands.



                NOTE: In my example I have 3 nodes:



                • 192.168.56.101 - VM #1 - server with Firewalld rules

                • 192.168.56.102 - VM #2

                • 192.168.56.1 - my laptop

                Firwalld commands:

                $ firewall-cmd --permanent --zone=internal --add-source=192.168.56.101/32
                $ firewall-cmd --permanent --zone=internal --add-source=192.168.56.1/32
                $ firewall-cmd --permanent --zone=internal --add-port=8080/tcp
                $ firewall-cmd --zone=public --set-target=DROP


                With this set up I can access VM #1 from my laptop, but cannot from anywhere else, such as from VM #2.



                default zone

                $ firewall-cmd --get-default-zone
                public


                active zones

                $ firewall-cmd --get-active-zones
                internal
                sources: 192.168.56.101/32 192.168.56.1/32
                public
                interfaces: eth0 eth1


                public zone's setup

                $ firewall-cmd --zone=public --list-all
                public (active)
                target: DROP
                icmp-block-inversion: no
                interfaces: eth0 eth1
                sources:
                services: ssh dhcpv6-client
                ports:
                protocols:
                masquerade: no
                forward-ports:
                source-ports:
                icmp-blocks:
                rich rules:


                internal zone's setup

                $ firewall-cmd --zone=internal --list-all
                internal (active)
                target: default
                icmp-block-inversion: no
                interfaces:
                sources: 192.168.56.101/32 192.168.56.1/32
                services: ssh mdns samba-client dhcpv6-client
                ports: 8080/tcp
                protocols:
                masquerade: no
                forward-ports:
                source-ports:
                icmp-blocks:
                rich rules:


                public zone's default target

                $ firewall-cmd --permanent --get-target
                DROP


                Testing



                To test this setup, I'm going to make use of nc (ncat) to create a 'listener daemon' on port 8080 and use curl -v telnet://... commands to act as clients which will connect to these listeners.



                NOTE: This is purely to illustrate that things are working as expected, and can be removed later on.



                On VM #1:

                $ nc -4 -l -p 8080 -k


                Now on VM #2 notice we cannot connect:

                $ timeout 1 curl -v telnet://192.168.56.101:8080
                * About to connect() to 192.168.56.101 port 8080 (#0)
                * Trying 192.168.56.101...
                $


                While on laptop we can:

                $ timeout 1 curl -v telnet://192.168.56.101:8080
                * Rebuilt URL to: telnet://192.168.56.101:8080/
                * Trying 192.168.56.101...
                * Connected to 192.168.56.101 (192.168.56.101) port 8080 (#0)
                $


                The only catch with this approach, is that the VM #1 node can still egress:



                $ timeout 2 ping 8.8.8.8
                PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
                64 bytes from 8.8.8.8: icmp_seq=1 ttl=63 time=26.4 ms
                64 bytes from 8.8.8.8: icmp_seq=2 ttl=63 time=25.6 ms
                $

                $ timeout 1 curl -v telnet://www.google.com:80
                * About to connect() to www.google.com port 80 (#0)
                * Trying 216.58.217.164...
                * Connected to www.google.com (216.58.217.164) port 80 (#0)
                $


                References



                • Whitelist source IP addresses in CentOS 7

                • https://serverfault.com/questions/707774/how-to-create-advanced-rules-with-firewall-cmd

                • How To Drop Outbound Connections With Firewalld

                • Firewalld Rich and Direct Rules: Setting up RHEL 7 Server as a Router





                share|improve this answer













                Background



                In researching this it appears that you cannot restrict outgoing traffic using the basic firewalld commands. Several sources back this up:



                • How To Drop Outbound Connections With Firewalld

                • Understanding Firewalld in Multi-Zone Configurations

                • Firewalld OutBound rules

                Your only recourse is to make use of firewall-cmd --direct ... commands which do little more than facilitate iptables rules for you. Given this you have a choice of doing this through Firewalld or just doing this using whatever methods you may have employed previously when using iptables.



                NOTE: direct rules will look something like this:



                $ firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -d 74.125.136.99/32 -p tcp -m tcp --dport=80 -j DROP


                Potential solution



                If you can relax the requirement of disallowing the host from any outgoing communications, you can get most of what you want as follows using the basic firewall-cmd commands.



                NOTE: In my example I have 3 nodes:



                • 192.168.56.101 - VM #1 - server with Firewalld rules

                • 192.168.56.102 - VM #2

                • 192.168.56.1 - my laptop

                Firwalld commands:

                $ firewall-cmd --permanent --zone=internal --add-source=192.168.56.101/32
                $ firewall-cmd --permanent --zone=internal --add-source=192.168.56.1/32
                $ firewall-cmd --permanent --zone=internal --add-port=8080/tcp
                $ firewall-cmd --zone=public --set-target=DROP


                With this set up I can access VM #1 from my laptop, but cannot from anywhere else, such as from VM #2.



                default zone

                $ firewall-cmd --get-default-zone
                public


                active zones

                $ firewall-cmd --get-active-zones
                internal
                sources: 192.168.56.101/32 192.168.56.1/32
                public
                interfaces: eth0 eth1


                public zone's setup

                $ firewall-cmd --zone=public --list-all
                public (active)
                target: DROP
                icmp-block-inversion: no
                interfaces: eth0 eth1
                sources:
                services: ssh dhcpv6-client
                ports:
                protocols:
                masquerade: no
                forward-ports:
                source-ports:
                icmp-blocks:
                rich rules:


                internal zone's setup

                $ firewall-cmd --zone=internal --list-all
                internal (active)
                target: default
                icmp-block-inversion: no
                interfaces:
                sources: 192.168.56.101/32 192.168.56.1/32
                services: ssh mdns samba-client dhcpv6-client
                ports: 8080/tcp
                protocols:
                masquerade: no
                forward-ports:
                source-ports:
                icmp-blocks:
                rich rules:


                public zone's default target

                $ firewall-cmd --permanent --get-target
                DROP


                Testing



                To test this setup, I'm going to make use of nc (ncat) to create a 'listener daemon' on port 8080 and use curl -v telnet://... commands to act as clients which will connect to these listeners.



                NOTE: This is purely to illustrate that things are working as expected, and can be removed later on.



                On VM #1:

                $ nc -4 -l -p 8080 -k


                Now on VM #2 notice we cannot connect:

                $ timeout 1 curl -v telnet://192.168.56.101:8080
                * About to connect() to 192.168.56.101 port 8080 (#0)
                * Trying 192.168.56.101...
                $


                While on laptop we can:

                $ timeout 1 curl -v telnet://192.168.56.101:8080
                * Rebuilt URL to: telnet://192.168.56.101:8080/
                * Trying 192.168.56.101...
                * Connected to 192.168.56.101 (192.168.56.101) port 8080 (#0)
                $


                The only catch with this approach, is that the VM #1 node can still egress:



                $ timeout 2 ping 8.8.8.8
                PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
                64 bytes from 8.8.8.8: icmp_seq=1 ttl=63 time=26.4 ms
                64 bytes from 8.8.8.8: icmp_seq=2 ttl=63 time=25.6 ms
                $

                $ timeout 1 curl -v telnet://www.google.com:80
                * About to connect() to www.google.com port 80 (#0)
                * Trying 216.58.217.164...
                * Connected to www.google.com (216.58.217.164) port 80 (#0)
                $


                References



                • Whitelist source IP addresses in CentOS 7

                • https://serverfault.com/questions/707774/how-to-create-advanced-rules-with-firewall-cmd

                • How To Drop Outbound Connections With Firewalld

                • Firewalld Rich and Direct Rules: Setting up RHEL 7 Server as a Router






                share|improve this answer













                share|improve this answer



                share|improve this answer











                answered Jul 5 at 4:54









                slm♦

                233k65479651




                233k65479651






















                     

                    draft saved


                    draft discarded


























                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f453303%2ffirewalld-restrict-traffic-to-specific-ips%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?