
I use this script to set up my firewall. I expected to have ssh access from only one IP, but that is not the case after testing. What is missing?

#!/bin/bash
#
# Reset to initial install of firewalld
#
rm -f /etc/firewalld/zones/*
firewall-cmd --complete-reload
firewall-cmd --runtime-to-permanent
firewall-cmd --reload
#
# Create / Setup custom zone
#
firewall-cmd --new-zone calzone --permanent
firewall-cmd --reload
firewall-cmd --zone=calzone --add-service={ssh,dhcpv6-client}
firewall-cmd --zone=calzone --add-source=10.0.0.177
firewall-cmd --change-interface enp1s0 --zone calzone --permanent
firewall-cmd --runtime-to-permanent
firewall-cmd --reload

When I run: firewall-cmd --get-active-zones I get the following

calzone
  interfaces: enp1s0
  sources: 10.0.0.177

It was my understanding that setting the interface would direct all traffic from that interface to that zone first, and since there are entries in the sources, the traffic would be limited to those IPs. Thanks in advance.

In response to Nasir's comment, this command `firewall-cmd --list-all-zones | sed -n '/calzone/,/rich/p'` produces:

calzone (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources: 10.0.0.177
  services: dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

I also restarted the firewalld daemon and could ssh from 10.0.0.188. I expected access only from 10.0.0.177.

sfanjoy

Comment from Nasir Riley (Jan 09 '22 at 00:30): That is the correct output. Are you expecting it to list the ports, services, etc.? That isn't what occurs. If you want to see everything in the active zone, then use the following command: `firewall-cmd --list-all-zones | sed -n '/calzone/,/rich/p'`

1 Answer


After many hours of reading the Red Hat firewalld documentation and being persistent writing a script, I managed to get the behavior I wanted. However, I'm not 100% confident, because I'm still unclear on why setting the interface did not work. However, this script seems to work. I used the existing work zone, which seems to become active when I added a source to it.

#!/bin/bash
#
# Reset to initial install of firewalld
#
rm -f /etc/firewalld/zones/*
firewall-cmd --complete-reload
firewall-cmd --runtime-to-permanent
firewall-cmd --reload
systemctl restart firewalld
systemctl status firewalld
#
# Remove the services from all zones
#
# iterate through the default zones
for zone in drop block public external dmz work home internal trusted
do
    # iterate through the services currently enabled in this zone
    for srv in $(firewall-cmd --list-services --zone="$zone")
    do
        echo "Removing service $srv from $zone"
        firewall-cmd --zone="$zone" --remove-service="$srv"
        firewall-cmd --zone="$zone" --remove-service="$srv" --permanent
    done
done
#
# Drop all public traffic: enp1s0 is deliberately NOT bound to any zone,
# so it stays in the default zone (public), which now has no services
# and a DROP target.
# Allow the work zone to see ssh from the admin host: a source binding is
# matched before the interface / default-zone lookup, so only packets
# from 10.0.0.177 reach the work zone and its ssh service.
#
firewall-cmd --zone=public --set-target=DROP --permanent
firewall-cmd --zone=work --add-source=10.0.0.177 --permanent
firewall-cmd --zone=work --add-service=ssh --permanent
# Do not run --runtime-to-permanent here: it saves the runtime state over
# the permanent configuration and would discard the three --permanent
# changes above. --reload loads them into the runtime instead.
firewall-cmd --reload
systemctl restart firewalld
systemctl status firewalld
sfanjoy
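The question's script binds enp1s0 itself to calzone, so every packet arriving on that interface is handled by calzone whether or not it comes from 10.0.0.177; the answer's script works because it binds only a source and leaves the interface in the (locked-down) default zone. The script below is an added example and is not code from the question or the answer: a small shell model of firewalld's zone lookup order (a matching source binding first, then the interface binding, then the default zone, as documented in firewalld.zones(5)) applied to both configurations, followed by a dry-run recipe for the same lock-down using a dedicated source-only zone. The zone name sshadmin, the interface enp1s0, the admin address 10.0.0.177 and the list of services to strip from public are assumptions; the lookup model is an illustration only, not firewalld code.

```shell
#!/bin/sh
# Added example (not from the question or the answer on this page).
# Assumptions: admin host 10.0.0.177, interface enp1s0, dedicated zone
# name "sshadmin", default zone "public".

# Model of firewalld's zone lookup for one packet, as documented in
# firewalld.zones(5): a matching source binding wins, then the interface
# binding, otherwise the default zone. Bindings are passed as
# "src=<ip>:<zone>" or "iface=<name>:<zone>" words. Illustration only.
zone_for_packet() {  # zone_for_packet <src-ip> <iface> <default-zone> <binding>...
    src=$1; iface=$2; default=$3; shift 3
    for b in "$@"; do
        case $b in "src=$src:"*) echo "${b#*:}"; return 0 ;; esac
    done
    for b in "$@"; do
        case $b in "iface=$iface:"*) echo "${b#*:}"; return 0 ;; esac
    done
    echo "$default"
}

# Question's configuration: the interface itself is bound to calzone, so a
# packet from any other host on enp1s0 still lands in calzone and is
# accepted by its ssh service.
echo "question, from 10.0.0.188: $(zone_for_packet 10.0.0.188 enp1s0 public \
        iface=enp1s0:calzone src=10.0.0.177:calzone)"   # calzone
# Fixed configuration: only the source is bound; enp1s0 stays in public.
echo "fixed, from 10.0.0.188: $(zone_for_packet 10.0.0.188 enp1s0 public \
        src=10.0.0.177:sshadmin)"   # public
echo "fixed, from 10.0.0.177: $(zone_for_packet 10.0.0.177 enp1s0 public \
        src=10.0.0.177:sshadmin)"   # sshadmin

# Lock-down recipe. Prints the firewall-cmd calls by default; pass --apply
# to execute them (as root). Every change is --permanent followed by one
# --reload; --runtime-to-permanent is intentionally absent because it
# overwrites the permanent configuration with the runtime state.
ADMIN_IP=${ADMIN_IP:-10.0.0.177}
ZONE=${ZONE:-sshadmin}
DRY_RUN=1
[ "${1:-}" = "--apply" ] && DRY_RUN=0

fwcmd() {
    if [ "$DRY_RUN" = 1 ]; then printf 'firewall-cmd %s\n' "$*"
    else firewall-cmd "$@"; fi
}

lockdown_ssh() {
    # 1. Default zone (where the unbound interface lives): DROP target and
    #    no services. The service list is an assumption (the ones commonly
    #    enabled in public); each is removed only if present, because
    #    --remove-service fails for a service that is not in the zone.
    fwcmd --permanent --zone=public --set-target=DROP
    for svc in ssh dhcpv6-client cockpit; do
        if fwcmd --permanent --zone=public --query-service="$svc"; then
            fwcmd --permanent --zone=public --remove-service="$svc"
        fi
    done
    # 2. Source-only zone: no interface is ever bound to it.
    fwcmd --permanent --new-zone="$ZONE"
    fwcmd --permanent --zone="$ZONE" --add-source="$ADMIN_IP"
    fwcmd --permanent --zone="$ZONE" --add-service=ssh
    # 3. Activate the permanent configuration.
    fwcmd --reload
}

lockdown_ssh
```

After applying, `firewall-cmd --get-active-zones` should show enp1s0 under public and 10.0.0.177 under the source-only zone, `firewall-cmd --get-zone-of-source=10.0.0.177` should name that zone, and a connection attempt from any other host should time out rather than be refused (DROP, not REJECT). Keep an existing SSH session open while testing: established connections stay accepted by conntrack, so a working session does not prove that new connections from that host would be allowed.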