
I'm learning a bit more about firewalld and I've been able to create an unsafe network to which I can connect from my internal network, but now I'm stuck trying to prevent the unsafe network from reaching my internal network.

Here's an image of the topology of the network (most of the internal network is virtualised and all of the unsafe network is virtualised).

On the Centos7 box that connects the 2 networks, I configured IP forwarding and added a direct rule (same as in this question). The nodes on the unsafe network have Centos7 as the default gateway (with the idea that those boxes will be allowed to access the internet, but not the internal network).

With the above, the nodes in the internal network can access the unsafe network, but the unsafe network can still access some IPs on the internal network (in particular the Centos7 IP address on the internal network and also the IP of the vmware host in the internal network). Apart from those 2, the "unsafe" network cannot reach any of the other IPs in the internal network.

So finally, the question is, can I reject anything coming from the unsafe network that has as a destination the internal network?

Augusto

1 Answer


Assuming you can define the metes and bounds of the "internal" network as an IP subnet, sure.

Your CentOS 7 machine acting as a gateway between the networks is where you'd want to create firewall rules to apply your desired policy. I have less than no experience with the new firewall-cmd tool and firewalld, but conceptually you're looking at blocking traffic in the FORWARD chain where the source interface is the interface connecting to the "unsafe" network and the destination IP address falls into the "internal" network subnet.

Assuming the following is true you can probably use the command below to get what you want.

  • Unsafe network interface is eth1
  • Internal network subnet is 192.168.100.0/24

firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth1 -d 192.168.100.0/24 -j DROP

(That command is wholly untested-- if it kills your pets, sets your house on fire, or makes you lose your job don't say I didn't warn you.)

Apparently you have to do a firewall-cmd --reload to make changes take effect.

Evan Anderson
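The direct-rule approach from the answer, written out as a runnable script (an added example, not the answer's own code): it matches the unsafe interface with -i rather than -s, keeps replies to connections opened from the internal side working, stores the rules permanently before the reload, and checks that the drop actually reached the kernel. The interface name eth1 and subnet 192.168.100.0/24 are the answer's assumptions; the file name and function names are this example's own.

```sh
#!/bin/sh
# Added example, not the answer's own code: block forwarded traffic from the
# unsafe network into the internal subnet with firewalld direct rules.
# Assumed from the answer: unsafe interface eth1, internal subnet
# 192.168.100.0/24. Override with UNSAFE_IF / INTERNAL_NET if needed.
UNSAFE_IF="${UNSAFE_IF:-eth1}"
INTERNAL_NET="${INTERNAL_NET:-192.168.100.0/24}"

# Each function returns the argument string for one direct rule.
# The interface is matched with -i (incoming interface); -s takes an
# address or subnet, so "-s eth1" would be rejected by iptables.
# Priority 0 is evaluated before priority 1, so replies to connections the
# internal side opened are accepted before the blanket drop is reached.
rule_allow_replies() {
    printf '%s' "ipv4 filter FORWARD 0 -i $UNSAFE_IF -d $INTERNAL_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

rule_block_unsafe() {
    printf '%s' "ipv4 filter FORWARD 1 -i $UNSAFE_IF -d $INTERNAL_NET -j DROP"
}

apply_rules() {
    # --permanent stores the rule in /etc/firewalld/direct.xml; --reload then
    # activates it. A runtime-only direct rule (no --permanent) is applied
    # immediately but discarded by the next --reload.
    for r in "$(rule_allow_replies)" "$(rule_block_unsafe)"; do
        # shellcheck disable=SC2086  # word splitting of $r is intended
        firewall-cmd --permanent --direct --add-rule $r
    done
    firewall-cmd --reload
}

verify_rules() {
    # Confirm firewalld lists the drop rule and that it reached the kernel
    # chain firewalld uses for direct FORWARD rules.
    firewall-cmd --direct --get-all-rules | grep -q -- "-i $UNSAFE_IF -d $INTERNAL_NET -j DROP" &&
        iptables -S FORWARD_direct | grep -q -- "-i $UNSAFE_IF -d $INTERNAL_NET -j DROP"
}

# Run as: sh block_unsafe.sh apply   (needs root and a running firewalld)
if [ "${1:-}" = "apply" ]; then
    apply_rules && verify_rules
fi
```

The explicit ESTABLISHED,RELATED accept keeps the policy correct regardless of where firewalld places its own conntrack rule relative to FORWARD_direct.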