Allow some IP via ssh trought firewall-cmd reject all others.

Support for security such as Firewalls and securing linux
Post Reply
DrNatas
Posts: 32
Joined: 2014/01/08 19:09:33

Allow some IP via ssh trought firewall-cmd reject all others.

Post by DrNatas » 2020/07/02 20:16:41

So I'm trying to figure out what is the best way to go with. I'm trying to secure a production server that will allow SSH from a public IP address. I was also going to go with fail2ban on the back-end. Just wanted to get some ideas from the community. One thing that I learned from "TrevorH" was that if I can get the user's public key that will prevent unauthorized users from connecting into the server.

e.g.
From: 1.2.3.4/26 connect via SSH only
From: 1.2.3.4/26 allow 8080/tcp only
From: 1.2.3.4/26 allow 8081/tcp only
From: 0.0.0.0/0 allow 9729/tcp "this is allow from anywhere"

I was thinking about making a rich rule.

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port port="8080" protocol=tcp source address="1.2.3.4/26" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port port="8081" protocol=tcp source address="1.2.3.4/26" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port port="9729" protocol=tcp source address="0.0.0.0/0" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" service name="sshd" source address="10.0.0.1/32" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" service name="sshd" source address="1.2.3.4/26" accept'

User avatar
jlehtone
Posts: 2921
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Allow some IP via ssh trought firewall-cmd reject all others.

Post by jlehtone » 2020/07/02 22:39:59

The "firewalld way" is not rich rules, but to define two zones:
* Zone A allows access to ports ssh, 8080, 8081, and 9729. Traffic from 1.2.3.4/26 belongs to zone A
* Zone B allows access to port 9729. Traffic from interface belongs to zone B

DrNatas
Posts: 32
Joined: 2014/01/08 19:09:33

Re: Allow some IP via ssh trought firewall-cmd reject all others.

Post by DrNatas » 2020/07/13 16:38:51

Thank you. I'll for the advice. I'll look into it a bit further.

Post Reply

Return to “CentOS 7 - Security Support”