
I have 2 IP addresses on the same network interface: 192.168.1.100 & 192.168.1.101. I want to be able to access SSH via 192.168.1.100 and HTTP via 192.168.1.101. I'm using Debian 9.8 and firewalld to control the firewall.

Below are current zone configurations.

Zone: Public

root@server ~ # firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 192.168.1.100
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Zone: Special

root@server ~ # firewall-cmd --list-all --zone=special
special(active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 192.168.1.101
  services: http
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Reloading Firewall

root@server ~ # firewall-cmd --reload

For some reason, I'm able to access SSH via 192.168.1.100 & 192.168.1.101, and I'm unable to access HTTP from either 192.168.1.100 or 192.168.1.101.

Please help.

AlGallaf

2 Answers


I am not familiar with the firewalld option format. But to me it looks like the rules are allowing connections from the server's IP address 192.168.1.100 to SSH, and from the server's IP address 192.168.1.101 to HTTP.

You should use the destination address, if you really want to use the firewall way to achieve this.

However, the best approach here is to bind the services to different ports.

Tero Kilkanen
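The point this answer makes, as an added example that is not code from the question or either answer: a small Python checker that parses `firewall-cmd --list-all` output, flags zones whose `sources:` entry is one of the host's own addresses (a zone source matches the client, not the local address reached), and emits the destination-address rich rule that expresses the intent. The zone listings are a constructed sample copied from the question, and `LOCAL_ADDRS` is an assumption.

```python
import re

# Constructed sample: the question's two zone listings, as printed by
# `firewall-cmd --list-all --zone=<zone>`, trimmed to the fields that matter.
ZONE_OUTPUT = """\
public (active)
  sources: 192.168.1.100
  services: ssh
  rich rules:
special(active)
  sources: 192.168.1.101
  services: http
  rich rules:
"""
# Addresses on this host's own interface (assumed; on the box, read `ip -4 addr`).
LOCAL_ADDRS = {"192.168.1.100", "192.168.1.101"}


def parse_zones(text):
    """Parse --list-all output into {zone: {field: [values]}}."""
    zones, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+?)\s*(?:\(active\))?$", line)
        if head:
            cur = zones.setdefault(head.group(1), {})
            continue
        field = re.match(r"^\s+([\w -]+):\s*(.*)$", line)
        if field and cur is not None:
            cur[field.group(1)] = field.group(2).split()
    return zones


def audit(zones, local_addrs):
    """Flag zones whose 'sources:' is one of the host's own addresses: a zone
    source matches the *client* address, so it never restricts which local
    address was reached. Return a destination-keyed rich rule per finding, with
    the permanent firewall-cmd calls to apply it (then `firewall-cmd --reload`)."""
    findings = []
    for zone, f in zones.items():
        for src in f.get("sources", []):
            if src.split("/")[0] not in local_addrs:
                continue
            for svc in f.get("services", []):
                rule = (f'rule family="ipv4" destination address="{src}" '
                        f'service name="{svc}" accept')
                base = f"firewall-cmd --permanent --zone={zone}"
                findings.append({"zone": zone, "service": svc, "rule": rule,
                                 "fix": [f"{base} --remove-source={src}",
                                         f"{base} --remove-service={svc}",
                                         f"{base} --add-rich-rule='{rule}'"]})
    return findings
```

Rich rules only see traffic that firewalld has already steered into their zone, so once the `sources:` binding is removed the zone must be bound to the interface (`--change-interface`) or be the default zone, otherwise the rule never matches; the simplest layout is both destination rules in the one zone that owns the interface.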

I want to be able to access SSH via 192.168.1.100 and HTTP via 192.168.1.101.

You can also just simply have the SSH server bind to 192.168.1.100, likely via the /etc/ssh/sshd_config file, by setting ListenAddress 192.168.1.100.

You can have the HTTP server bind to just 192.168.1.101, likely in the configuration file named something like /etc/httpd/conf/httpd.conf, assuming an Apache HTTP server, where you can set Listen 192.168.1.101:80 in place of Listen 80.

That might have some unwanted side effects, such as preventing you from accessing the server via localhost/127.0.0.1 via something like http://localhost/path/to....

Andrew Henle