Using firewall-cmd rich rules to whitelist IP Address Range

For basic firewall-cmd usage, see Using firewall-cmd in CentOS 7.

For starting and stopping the firewalld service, see Disable FirewallD Services on CentOS 7.

Rich rules are an additional feature of firewalld that lets you express conditions the basic service/port syntax cannot: a rule can match on the source address (or its negation), log what it matches, and carry its own action (accept, reject or drop) independent of the zone target.

Option 1a: Add a rich rule that whitelists a subnet for a port and rejects everyone else. For example, only 192.168.1.0/24 should be allowed to reach TCP port 22; connections from every other source address should be rejected. Because the zone target is ACCEPT (see the listing below), the rule has to reject the non-matching sources explicitly; an inverted source combined with accept would do the opposite and open the port to everyone outside the subnet.

# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" invert="true" port port="22" protocol="tcp" reject'
# firewall-cmd --reload
# firewall-cmd --zone=public --list-all
public (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: ens33
  sources: 192.168.1.0/24
  services: 
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source NOT address="192.168.1.0/24" port="22" reject

Option 1b: The same whitelist expressed with a service name instead of a port number. Again, only 192.168.1.0/24 should be admitted to ssh; all other source addresses should be rejected. firewalld prints invert="true" back as "source NOT address" in the listing.

# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" invert="true" service name="ssh" reject'
# firewall-cmd --reload
# firewall-cmd --zone=public --list-all
public (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: ens33
  sources: 192.168.1.0/24
  services: 
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source NOT address="192.168.1.0/24" service name="ssh" reject

Option 1c: Remove the rich rule added in Option 1a. The rule string passed to --remove-rich-rule must match the one that was added, and --reload is needed because the change was made with --permanent.

# firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.1.0/24" invert="true" port port="22" protocol="tcp" reject'
# firewall-cmd --reload

Option 2a: Add a log entry to the rule from Option 1a, so every rejected connection attempt on TCP port 22 from outside 192.168.1.0/24 is written to the kernel log (journalctl -k or /var/log/messages) with the given prefix before it is rejected. The log clause goes before the action.

# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" invert="true" port port="22" protocol="tcp" log prefix="Firewall Rich Rule Log" level="notice" reject'
# firewall-cmd --reload
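The following script is an added example, not part of the original post: it builds the whitelist rich rule from Options 1a and 2a as a string (port, protocol, subnet and optional log prefix as parameters), validates the subnet before anything touches the firewall, and applies the rule idempotently by querying for it first. The subnet, port and log prefix in the usage lines are constructed placeholders; the helper names (rich_rule_for, validate_cidr, apply_whitelist) are this example's own. The generated rule uses the "source NOT address" spelling that firewalld itself prints in --list-all; the post's invert="true" form is the older equivalent.

```shell
#!/bin/sh
# Added example (not from the original post). Helper names are this example's own.

# rich_rule_for SUBNET PORT PROTO [LOGPREFIX]
# Prints a rich rule that REJECTS PORT/PROTO from every source except SUBNET.
# With a fourth argument a log clause is inserted before the reject, as in Option 2a.
rich_rule_for() {
  subnet=$1; port=$2; proto=$3; logprefix=${4:-}
  rule="rule family=\"ipv4\" source NOT address=\"$subnet\" port port=\"$port\" protocol=\"$proto\""
  if [ -n "$logprefix" ]; then
    rule="$rule log prefix=\"$logprefix\" level=\"notice\""
  fi
  printf '%s reject\n' "$rule"
}

# validate_cidr CIDR: returns 0 only for a.b.c.d/n with four octets <= 255 and n <= 32.
# A typo here would silently produce a rule that matches nothing or the wrong hosts.
validate_cidr() {
  cidr=$1
  case $cidr in
    */*) ;;
    *) return 1 ;;
  esac
  ip=${cidr%/*}; prefix=${cidr#*/}
  case $prefix in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$prefix" -le 32 ] || return 1
  n=0
  old_ifs=$IFS; IFS=.
  for octet in $ip; do
    case $octet in
      ''|*[!0-9]*) IFS=$old_ifs; return 1 ;;
    esac
    [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    n=$((n + 1))
  done
  IFS=$old_ifs
  [ "$n" -eq 4 ]
}

# apply_whitelist ZONE SUBNET PORT PROTO [LOGPREFIX]
# Adds the rule permanently and reloads, but only if it is not already present,
# so re-running the script is safe. Returns 2 on a bad subnet and 3 when
# firewall-cmd is not installed (the rule that would have been added is printed).
apply_whitelist() {
  zone=$1; subnet=$2
  validate_cidr "$subnet" || { echo "bad subnet: $subnet" >&2; return 2; }
  rule=$(rich_rule_for "$subnet" "$3" "$4" "${5:-}")
  if ! command -v firewall-cmd >/dev/null 2>&1; then
    echo "firewall-cmd not found; would add to zone $zone: $rule" >&2
    return 3
  fi
  if firewall-cmd --permanent --zone="$zone" --query-rich-rule="$rule" >/dev/null 2>&1; then
    echo "rule already present in zone $zone"
  else
    firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule" && firewall-cmd --reload
  fi
}

# Usage with constructed placeholder values (subnet, port and prefix are examples):
#   apply_whitelist public 192.168.1.0/24 22 tcp
#   apply_whitelist public 192.168.1.0/24 22 tcp "Firewall Rich Rule Log"
```

Keeping the action as part of the generated string (always reject here) is deliberate: the accept/reject word is the one token that turns a whitelist into its opposite, so it should not be a free-form parameter that a caller can get wrong.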