
I'm trying to forward a port to an external IP using firewall-cmd, but I need to deny access from certain IPs.


To set up a port-forward of port 55500, I use:

firewall-cmd --permanent --zone=public --add-forward-port=port=55500:proto=tcp:toport=55500:toaddr=2.2.2.2

This works fine, and users connecting to port 55500 are successfully redirected to 2.2.2.2. But, as mentioned above, I need to deny access to users coming from 1.1.1.1/24. For that I tried:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='1.1.1.1/24' reject"

or:

firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=1.1.1.1/24 port port=55500 protocol=tcp reject'

or:

firewall-cmd --zone=drop --add-source=1.1.1.1/24

But none of the commands above (all followed by firewall-cmd --reload) worked, and users connecting to port 55500 from 1.1.1.1 still get redirected to 2.2.2.2.


How can I deny the port redirection based on the source IP?

Pedro Lobito

1 Answer


It didn't work before because I missed --permanent.
The following command denies any port redirection from users coming from 1.1.1.1/24:

firewall-cmd --zone=drop --permanent --add-source=1.1.1.1/24
firewall-cmd --reload
Pedro Lobito
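The accepted fix works because firewalld assigns a packet to a zone by its source binding before falling back to the interface binding, so traffic from 1.1.1.1/24 lands in the drop zone and never reaches the public zone's forward-port rule. The remaining trap is the one the answer hit: a source added without --permanent lives only in the runtime configuration and is discarded by firewall-cmd --reload, while a source added only with --permanent is inactive until the reload. The script below is an added example, not part of the question or answer. It parses the text that firewall-cmd --list-all-zones prints, both with and without --permanent, and reports whether a CIDR is bound to the drop zone in the runtime set, the permanent set, both, or neither. The two sample outputs are constructed for this example, not captured from a real host; the zone layout and key names follow the real firewall-cmd format, and the live_zones helper is this example's own wrapper around the real command.

```python
"""Audit which firewalld zone a source CIDR is bound to, runtime vs permanent.

Example code added alongside a Q&A about firewall-cmd; it is not the
asker's or firewalld's own code.  Feed it the output of
`firewall-cmd --list-all-zones` (runtime) and
`firewall-cmd --permanent --list-all-zones` (saved configuration).
"""
import subprocess

# Constructed sample output (not captured from a real host): the drop zone
# holds the source only at runtime, i.e. `--add-source` was run without
# `--permanent`, which is exactly the state that `--reload` wipes out.
SAMPLE_RUNTIME = """\
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 1.1.1.1/24
  services: 
  ports: 
  forward-ports: 
  rich rules: 

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh
  ports: 
  forward-ports: 
\tport=55500:proto=tcp:toport=55500:toaddr=2.2.2.2
  rich rules: 
"""

# Same host, permanent configuration: the drop zone has no sources yet.
SAMPLE_PERMANENT = SAMPLE_RUNTIME.replace("sources: 1.1.1.1/24", "sources: ")


def parse_zones(text):
    """Parse `firewall-cmd --list-all-zones` text into {zone: {key: [values]}}.

    A zone header is an unindented line ("public (active)"); settings are
    two-space indented "key: value" lines; multi-line settings such as
    forward-ports and rich rules continue on tab-indented lines.
    """
    zones = {}
    current = None
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # zone header
            name = line.split()[0]
            current = zones.setdefault(name, {"active": "(active)" in line})
            last_key = None
        elif line.startswith("\t") and current is not None and last_key:
            current[last_key].append(line.strip())  # continuation of a list
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            last_key = key.strip()
            current[last_key] = value.split()
    return zones


def zone_for_source(zones, cidr):
    """Return the zone a source CIDR is bound to, or None if unbound."""
    for name, settings in zones.items():
        if cidr in settings.get("sources", []):
            return name
    return None


def forward_ports(zones, zone):
    """Return the forward-port entries configured in a zone."""
    return zones.get(zone, {}).get("forward-ports", [])


def audit(runtime_text, permanent_text, cidr, block_zone="drop"):
    """Classify whether `cidr` is blocked now, after reload, both, or neither."""
    runtime_zone = zone_for_source(parse_zones(runtime_text), cidr)
    permanent_zone = zone_for_source(parse_zones(permanent_text), cidr)
    now, later = runtime_zone == block_zone, permanent_zone == block_zone
    status = {
        (True, True): "blocked",          # active and survives --reload
        (True, False): "runtime-only",    # active, but --reload will drop it
        (False, True): "permanent-only",  # saved, inactive until --reload
        (False, False): "not-blocked",
    }[(now, later)]
    return {"runtime": runtime_zone, "permanent": permanent_zone, "status": status}


def live_zones(permanent=False):
    """Fetch real output from firewall-cmd (requires root and firewalld)."""
    cmd = ["firewall-cmd"] + (["--permanent"] if permanent else []) + ["--list-all-zones"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(audit(SAMPLE_RUNTIME, SAMPLE_PERMANENT, "1.1.1.1/24"))
    # On a real host: audit(live_zones(), live_zones(permanent=True), "1.1.1.1/24")
```

A "runtime-only" result is the symptom behind the answer: the block is in force until the next reload, then silently disappears. The intended end state for the question's setup is the source in the drop zone in both views and the forward-port present in public.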