Firewall: how to block traffic just for external IPs, except one, on SSH and leave all the rest open

How I did it: disabling firewalld and just `systemctl start iptables`, I did this [1]. I saw today that the zone FedoraWorkstation could be good for me, but I still need to add SSH rules based on IPs.

Thank you

[1]
iptables -I INPUT -p tcp --dport 22 --source 127.0.0.1 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 --source 192.168.1.0/24 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 --source extern_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

[2]
firewall-offline-cmd --info-zone=FedoraWorkstation
FedoraWorkstation
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client samba-client ssh
ports: 1025-65535/udp 1025-65535/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Use the rich rule syntax:
https://discussion.fedoraproject.org/t/firewalld-and-mixed-access-question/74722/2?u=vgaetera


How do I do a rich rule for SSH with 3 different IPs: 127.0.0.1, 192.168.1.0/24 and 193.126.232.45?

sudo firewall-cmd --set-default-zone=FedoraWorkstation
sudo firewall-cmd --permanent --remove-service ssh
sudo firewall-cmd --permanent --add-rich-rule="rule \
    family=ipv4 source address=192.168.1.0/24 service name=ssh accept"
sudo firewall-cmd --permanent --add-rich-rule="rule \
    family=ipv4 source address=193.126.232.45 service name=ssh accept"
sudo firewall-cmd --reload

Access from localhost is allowed by default.


Thank you, it seems that is working. Just one more detail: if I want to delete the second rich rule, what do I need to do?

Many thanks for the help

# Remove it from the zone the rule was added to (the default zone, if --zone was omitted when adding):
sudo firewall-cmd --permanent --zone=public --remove-rich-rule="rule \
    family=ipv4 source address=193.126.232.45 service name=ssh accept"
sudo firewall-cmd --reload

Perfect, many thanks.

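The rich-rule answer and the removal step above, put together as a small script. This is an added example, not code from the thread or from the firewalld project: it validates each source as an IPv4 host or CIDR before touching the firewall, removes the unrestricted ssh service, adds one rich rule per allowed source, and reloads once at the end so the permanent changes take effect together. The zone name FedoraWorkstation and the addresses come from the thread; the `ZONE` variable, the `FIREWALL_CMD_DRY_RUN` switch and all function names are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example: restrict SSH in firewalld to an allow-list of IPv4 sources.
# Assumes firewalld is running and ZONE is the zone your interface uses.
# Set FIREWALL_CMD_DRY_RUN=1 to print the firewall-cmd invocations instead of running them.

ZONE="${ZONE:-FedoraWorkstation}"   # zone to edit (FedoraWorkstation, as in the thread)

# Rich rule text for one IPv4 source (host or CIDR), same form as the answer above.
ssh_rich_rule() {
    printf 'rule family="ipv4" source address="%s" service name="ssh" accept' "$1"
}

# Accept only a dotted-quad IPv4 address, optionally followed by /0../32.
valid_ipv4_source() {
    local addr="${1%%/*}" prefix n=0 o
    case "$1" in */*) prefix="${1#*/}" ;; *) prefix=32 ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    local IFS=.
    for o in $addr; do
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Wrapper so the script can be exercised without firewalld present.
fw() {
    if [ -n "${FIREWALL_CMD_DRY_RUN:-}" ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# Replace the open ssh service with per-source rich rules. Arguments: allowed sources.
# Fails before any firewall change if one of the sources is malformed.
apply_ssh_allowlist() {
    local src
    [ "$#" -gt 0 ] || { echo "no sources given" >&2; return 1; }
    for src in "$@"; do
        valid_ipv4_source "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    fw --permanent --zone="$ZONE" --remove-service=ssh
    for src in "$@"; do
        fw --permanent --zone="$ZONE" --add-rich-rule="$(ssh_rich_rule "$src")"
    done
    fw --reload
}

# Drop one source again, e.g. when the external address changes.
remove_ssh_source() {
    valid_ipv4_source "$1" || { echo "invalid source: $1" >&2; return 1; }
    fw --permanent --zone="$ZONE" --remove-rich-rule="$(ssh_rich_rule "$1")"
    fw --reload
}

# Usage: apply_ssh_allowlist 192.168.1.0/24 193.126.232.45
#        remove_ssh_source 193.126.232.45
```

Loopback traffic needs no rule of its own, as the answer notes, so 127.0.0.1 is not passed in. Doing every change with `--permanent` and reloading once at the end means the ssh service is never removed from the running configuration before the replacement rich rules exist, which matters when you are running this over the SSH session you are restricting.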

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.