Firewalld & iptables configuration

Support for security such as Firewalls and securing linux
Rocketrrt
Posts: 51
Joined: 2016/09/15 16:51:31

Firewalld & iptables configuration

Post by Rocketrrt » 2020/06/03 15:39:02

Hi All,

I have a unique situation and am not sure how to configure firewalld for this; I am not even sure this can be done, from what I have read. Here is the situation:
I have a server that I use as a terminal server. Multiple people connect using xrdp. The users are divided into 3 groups, and the group is their primary group: 1) no internet, 2) internet and 3) paycom (they have limited internet access). I need to set up firewalld for the 3 groups. I need them to access a domain regardless of the IP address. At least one of the domains changes its IP address all the time, so I need access by domain, not IP address. Is this possible with firewalld?

The other option (which I use today) is iptables. It is easy to create the chains for the 3 groups; the problem I have is that the domain gets resolved to an IP address. Is there a way to allow domains that keep changing their IP address, and one domain that has 3 IP addresses that change, using the dig command?

Thanks

Ron

jlehtone
Posts: 2866
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewalld & iptables configuration

Post by jlehtone » 2020/06/04 11:14:05

Netfilter cannot use names. The most dynamic ruleset is probably one based on ipset.
Add netfilter rules that refer to ipset(s). (Both firewalld.service and iptables.service can do that.)

Then maintain the sets somehow, with ipset.

Rocketrrt
Posts: 51
Joined: 2016/09/15 16:51:31

Re: Firewalld & iptables configuration

Post by Rocketrrt » 2020/06/04 15:28:23

Hi jlehtone,

Thank you for your reply. First, I am a programmer and not an administrator, although I have been asked to do this.

After reading about ipset I am still not sure how I would implement it in a specific chain. Right now in the chain I do this:

iptables -A chk_paycom_user -d 4.34.183.194 -j RETURN
iptables -A chk_paycom_user -d 12.159.21.34 -j RETURN
iptables -A chk_paycom_user -d 70.184.25.159 -j RETURN
iptables -A chk_paycom_user -d www.paycomonline.net -j RETURN

where the top 3 lines are for paycom.com. All of these IP addresses change all the time. I did not see any way for ipset to apply to a chain. It is only for a specific chain. From what I read, I see how ipset could be run as a cron job every minute to update the IP addresses. I am just not sure how to apply it to a chain.

Thank you,
Ron
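A concrete version of the ipset approach from the reply above, applied to the chk_paycom_user chain shown in this post. This is an added example, not code from either poster; the set name paycom_dst and the script path in the cron comment are assumptions.

```shell
#!/bin/sh
# Assumed names (not from the thread): the set is called paycom_dst; the
# chain chk_paycom_user is the one from the question.
SET_NAME="paycom_dst"
CHAIN="chk_paycom_user"

# only_ipv4: keep just IPv4 addresses from `dig +short` output, which may also
# contain CNAME target names (and AAAA records never belong in a hash:ip set).
only_ipv4() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# resolve_a: print the current A records of one domain, one per line.
resolve_a() {
    dig +short A "$1" | only_ipv4
}

# build_add: read "domain ip" pairs on stdin and emit `ipset restore` lines
# that fill the temporary set; the domain column is ignored here but is
# useful when inspecting the refresh output by hand.
build_add() {
    while read -r _domain ip; do
        [ -n "$ip" ] && printf 'add %s_tmp %s\n' "$SET_NAME" "$ip"
    done
}

# chain_rule: the single rule that replaces the per-IP lines in the question.
# It RETURNs for any destination currently in the set, so the rule itself never
# changes when the addresses do; add it once, e.g. with eval "$(chain_rule)".
chain_rule() {
    printf 'iptables -A %s -m set --match-set %s dst -j RETURN\n' "$CHAIN" "$SET_NAME"
}

# refresh: resolve every domain given as an argument into a temporary set and
# swap it in atomically, so the chain never sees a half-filled set. Meant to
# run from cron, e.g. every minute, as suggested in the thread.
refresh() {
    ipset -exist create "$SET_NAME" hash:ip
    ipset -exist create "${SET_NAME}_tmp" hash:ip
    ipset flush "${SET_NAME}_tmp"
    for d in "$@"; do
        resolve_a "$d" | sed "s/^/$d /"
    done | build_add | ipset -exist restore
    ipset swap "${SET_NAME}_tmp" "$SET_NAME"
    ipset destroy "${SET_NAME}_tmp"
}

# Only act when domains are passed on the command line, e.g. from cron:
#   * * * * * /usr/local/sbin/paycom-ipset.sh paycom.com www.paycomonline.net
if [ "$#" -gt 0 ]; then refresh "$@"; fi
```

The set survives between runs, so a failed DNS lookup leaves the previous addresses in place rather than emptying the allowlist.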

