Firewalld restrict all access ip and only 2 white list

Issues related to configuring your network
dstny
Posts: 1
Joined: 2020/05/19 16:29:05

Firewalld restrict all access ip and only 2 white list

Post by dstny » 2020/05/19 16:34:26

Hello Guys,

I want to restrict all IPs from accessing my website.
I tried with rich rules, but if I use them the site isn't available anymore.

These are the rules that I used (I have modified the IPs):

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="125.11.125.0/24" port protocol="tcp" port="80" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="162.61.137.112/24" port protocol="tcp" port="80" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" port port="80" protocol="tcp" reject'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="125.11.125.0/24" port protocol="tcp" port="443" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="162.61.137.112/24" port protocol="tcp" port="443" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" port port="443" protocol="tcp" reject'

Where is the problem? Can someone help me?

Sorry for my bad English, I'm not a native speaker.

Regards

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewalld restrict all access ip and only 2 white list

Post by jlehtone » 2020/05/20 09:46:38

The firewalld philosophy is to use zones for that.


firewall-cmd --permanent --new-zone=friends
firewall-cmd --permanent --zone=friends --target=REJECT
firewall-cmd --permanent --zone=friends --set-description="friends can apache"
firewall-cmd --permanent --zone=friends --add-service=http
firewall-cmd --permanent --zone=friends --add-service=https
firewall-cmd --permanent --zone=friends --add-source=125.11.125.0/24
firewall-cmd --permanent --zone=friends --add-source=162.61.137.0/24
firewall-cmd --reload

Now the two subnets can connect to ports 80 and 443 (and only to those two ports).

Traffic from all other subnets belongs to the default zone (usually 'public'), which does not allow 80 & 443.
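The zone approach above, wrapped in a small POSIX shell helper (an added example, not jlehtone's code and not anything shipped with firewalld): it checks each whitelist entry, normalises it to its network address (so the 162.61.137.112/24 from the question becomes the 162.61.137.0/24 used in the answer), and prints the whole firewall-cmd sequence before anything is applied. The zone name `friends`, the function names and the DRY_RUN variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from this thread or the firewalld project): build a
# firewalld whitelist zone from a list of source networks.
# Default is a dry run that only prints the firewall-cmd sequence;
# set DRY_RUN=0 to execute it (needs root and a running firewalld).

# normalize_cidr A.B.C.D/N: print the network address with its prefix,
# e.g. 162.61.137.112/24 -> 162.61.137.0/24. Returns 1 on malformed input.
normalize_cidr() {
    ip=${1%/*}
    prefix=${1#*/}
    case $prefix in
        0|[1-9]|[1-2][0-9]|3[0-2]) ;;          # prefix length 0..32
        *) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -f; set -- $ip; set +f               # split into octets, no globbing
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # decimal 0..255 only, no leading zeros (they would be read as octal)
        case $o in
            0|[1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]) ;;
            *) return 1 ;;
        esac
    done
    addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    fi
    net=$(( addr & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$prefix"
}

# whitelist_zone_cmds ZONE SERVICES SOURCE...: print the firewall-cmd
# sequence for a zone whose default target is REJECT, where SERVICES is a
# comma-separated list (e.g. http,https) and each SOURCE is a CIDR.
whitelist_zone_cmds() {
    zone=$1; services=$2; shift 2
    printf 'firewall-cmd --permanent --new-zone=%s\n' "$zone"
    printf 'firewall-cmd --permanent --zone=%s --target=REJECT\n' "$zone"
    oldifs=$IFS; IFS=,
    for svc in $services; do
        printf 'firewall-cmd --permanent --zone=%s --add-service=%s\n' "$zone" "$svc"
    done
    IFS=$oldifs
    for src in "$@"; do
        net=$(normalize_cidr "$src") || { printf 'invalid CIDR: %s\n' "$src" >&2; return 1; }
        printf 'firewall-cmd --permanent --zone=%s --add-source=%s\n' "$zone" "$net"
    done
    printf 'firewall-cmd --reload\n'
}

# apply_whitelist_zone ZONE SERVICES SOURCE...: print the commands (DRY_RUN=1,
# the default) or execute them one by one, stopping at the first failure.
apply_whitelist_zone() {
    cmds=$(whitelist_zone_cmds "$@") || return 1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$cmds"
        return 0
    fi
    printf '%s\n' "$cmds" | while IFS= read -r c; do
        eval "$c" || exit 1
    done
}

# Dry run with the two networks from the thread (constructed sample input).
apply_whitelist_zone friends http,https 125.11.125.0/24 162.61.137.112/24
```

Because every source is normalised before it reaches `--add-source`, a host address with a /24 suffix is recorded as the network it actually covers, which is what firewalld matches on anyway; writing it out explicitly avoids the mismatch between the question's 162.61.137.112/24 and the answer's 162.61.137.0/24 when the zone is later reviewed with `firewall-cmd --zone=friends --list-all`.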
