Using firewall-cmd rich rules to whitelist IP Address Range

For basic firewall-cmd Using firewall-cmd in CentOS 7

For starting and stopping firewalld service Disable FirewallD Services on CentOS 7

Firewall Rich Rules are additional feature of firewalld that allows you to create most sophisticated firewall rules.

Option 1a: To add a rich rule to allow a subnet to be whitelist

# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="22" protocol="tcp" accept'

Option 1b: To add a rule rule to allow a service to be whitelist

# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'

 

Option 1c: To remove a rich rule to allow a subnet to be whitelist

# firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="22" protocol="tcp" accept'

Option 2a: To add log entry

# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24 port port="22" protocol="tcp" log prefix="Firewall Rich Rule Log" level="notice" accept'

Option 3a: Port Forwarding

# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24 port port="22" protocol="tcp" log prefix="Firewall Rich Rule Log " level="notice" forward-port port="11111" to-port="22" accept'

Option 3b: Testing

# ssh -p 11111 admin@myip.com