Firewall how block trafic just for external ips except one on ssh and leave all the rest opened

sergiomb · January 23, 2021, 6:17pm

How I disabling firewall and just systemcl start iptables I did this [1] , I saw today that zone FedoraWorkstation can be good for me , but still need add ssh rules based on ips .

Thank you

[1]
iptables -I INPUT -p tcp --dport 22 --source 127.0.0.1 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 --source 192.168.1.0/24 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 --source extern_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

[2]
firewall-offline-cmd --info-zone=FedoraWorkstation
FedoraWorkstation
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client samba-client ssh
ports: 1025-65535/udp 1025-65535/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

vgaetera · January 24, 2021, 1:50am

Use the rich rule syntax:
Firewalld and mixed access question - #2 by vgaetera

sergiomb · January 25, 2021, 2:39am

How I do a reach rule for ssh , with 3 different ips 127.0.0.1, 192.168.1.0/24 and 193.126.232.45 ?

vgaetera · January 25, 2021, 3:17am

sudo firewall-cmd --set-default-zone=FedoraWorkstation
sudo firewall-cmd --permanent --remove-service ssh
sudo firewall-cmd --permanent --add-rich-rule="rule \
    family=ipv4 source address=192.168.1.0/24 service name=ssh accept"
sudo firewall-cmd --permanent --add-rich-rule="rule \
    family=ipv4 source address=193.126.232.45 service name=ssh accept"
sudo firewall-cmd --reload

Access from localhost is allowed by default.

sergiomb · January 26, 2021, 10:05pm

thank you , seems that is working, just one more detail , and if I want delete the second rich-rule ? what I need to do ?

Many thanks for the help

vgaetera · January 27, 2021, 2:17am

sudo firewall-cmd --permanent --zone=public --remove-rich-rule="rule \
    family=ipv4 source address=193.126.232.45 service name=ssh accept"
sudo firewall-cmd --reload