
I've never used firewalld before, and I'm being asked to set up some local firewall rules to allow/prevent specific traffic.

Basically, I have some systems in a protected network. This network allows incoming traffic from a number of sources over a number of ports. Whatever else happens, I can't accidentally block any of the existing traffic.

On top of that, there is one particular application running on 2 specific servers on this protected subnet and they talk to each other over 3 different tcp ports.

The ask is that I don't block anything from anywhere except that, for these 3 ports, only these 2 servers should be able to communicate.

Everything I've tried in firewalld seems to make it so that all traffic is allowed, or none, or only traffic to that port is allowed or not. But I can't figure out how to allow all traffic except X and only allow X between two specific IPs.

I hope this all makes sense.


Rule 1 --> All traffic allowed except tcp ports 10000, 10010, 10020

Rule 2 --> Ports 10000, 10010, 10020 allowed between server1 and server2 only

Rule 3 --> Ports 10000, 10010, 10020 denied from all other sources

Dan Carrington
  • So, I see that people feel I haven't done any research. However, I've spent quite a number of hours on this and didn't want to write an entire book to describe everything I've done. None of my research has gotten me anywhere apart from allowing all traffic or no traffic. I've tried creating zones, creating rich-rules and nothing seems to help. – Dan Carrington Jun 16 '22 at 22:50

1 Answer


I ended up resolving this by finding a way to use firewalld with older-style iptables type rules. I was not able to find anything on how to set the rule priority for each rule, but was able to determine that each added rule was added after the previous one, so I just had to enter them in the exact order I wanted them to be evaluated. So, I ended up with something like:

# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -s 172.31.4.74 --dport 10000 -j ACCEPT
# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -s 172.31.4.74 --dport 10010 -j ACCEPT
# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -s 172.31.4.74 --dport 10020 -j ACCEPT
# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 10000 -j DROP
# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 10010 -j DROP
# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 10020 -j DROP
# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -s 172.31.0.0/16 -j ACCEPT
# firewall-cmd --reload
# firewall-cmd --direct --get-all-rules
ipv4 filter IN_public_allow 0 -m tcp -p tcp -s 172.31.4.74 --dport 10000 -j ACCEPT
ipv4 filter IN_public_allow 0 -m tcp -p tcp -s 172.31.4.74 --dport 10010 -j ACCEPT
ipv4 filter IN_public_allow 0 -m tcp -p tcp -s 172.31.4.74 --dport 10020 -j ACCEPT
ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 10000 -j DROP
ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 10010 -j DROP
ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 10020 -j DROP
ipv4 filter IN_public_allow 0 -m tcp -p tcp -s 172.31.0.0/16 -j ACCEPT

This process would just need to be repeated for both servers and the IPs updated appropriately. According to docs, using the '--direct' rules is not recommended unless you are familiar with iptables, so you'll have to not only know something about firewalld, but also iptables.

Dan Carrington
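The procedure from the answer above, scripted so the same file serves both servers, as an added example (editor's code, not the answer author's). It takes the peer IP, the three ports and the existing subnet allow as parameters (the defaults are the values quoted in the question and answer), emits the direct rules in the evaluation order the answer relies on, and checks that order before anything is applied. Two assumptions are built in: the chain name IN_public_allow is only right when the interface sits in the 'public' zone, and every command carries --permanent, because 'firewall-cmd --reload' replaces the runtime configuration with the permanent one and discards runtime-only direct rules. With DRY_RUN=1 (the default) it only prints the commands, so it can be reviewed on a machine without firewalld.

```shell
#!/bin/sh
# Added example, not from the answer above: emit the answer's ordered
# firewalld --direct rules for one host of the pair, parameterised so the
# same script serves both servers. DRY_RUN=1 (the default) prints the
# commands instead of running firewall-cmd, so it can be reviewed offline.

# Assumed values for illustration; the IPs and ports are the ones quoted in
# the question and answer, the chain name assumes the interface is in the
# 'public' zone.
PEER_IP="${PEER_IP:-172.31.4.74}"      # the other server in the pair
SUBNET="${SUBNET:-172.31.0.0/16}"      # existing traffic that must keep working
PORTS="${PORTS:-10000 10010 10020}"    # the application's three TCP ports
CHAIN="IN_public_allow"                # direct chain used in the answer

# Print one direct rule. --permanent is used because 'firewall-cmd --reload'
# replaces the runtime configuration with the permanent one, discarding
# runtime-only direct rules.
direct_rule() {
    printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter %s 0 %s\n' "$CHAIN" "$*"
}

# The full rule list, one command per line, in evaluation order: direct
# rules at the same priority are evaluated in the order they were added, so
# the per-peer ACCEPTs must precede the catch-all DROPs for the same ports,
# and the broad subnet ACCEPT must come last.
build_rules() {
    for p in $PORTS; do
        direct_rule -m tcp -p tcp -s "$PEER_IP" --dport "$p" -j ACCEPT
    done
    for p in $PORTS; do
        direct_rule -m tcp -p tcp --dport "$p" -j DROP
    done
    direct_rule -m tcp -p tcp -s "$SUBNET" -j ACCEPT
}

rule_count() { build_rules | wc -l | tr -d ' '; }

# Sanity check before applying: for every port the peer ACCEPT must appear
# on an earlier line than the DROP, otherwise the pair could never talk.
check_order() {
    rules=$(build_rules)
    for p in $PORTS; do
        accept=$(printf '%s\n' "$rules" | grep -n -- "-s $PEER_IP --dport $p -j ACCEPT" | cut -d: -f1)
        drop=$(printf '%s\n' "$rules" | grep -n -- " --dport $p -j DROP" | cut -d: -f1)
        [ -n "$accept" ] && [ -n "$drop" ] && [ "$accept" -lt "$drop" ] || return 1
    done
}

# Print (DRY_RUN=1) or apply (DRY_RUN=0) the rules, then reload so the
# permanent rules become the runtime rules.
apply_rules() {
    check_order || { echo "rule order check failed" >&2; return 1; }
    if [ "${DRY_RUN:-1}" = "1" ]; then
        build_rules
        echo "firewall-cmd --reload"
    else
        build_rules | sh -e && firewall-cmd --reload
    fi
}

apply_rules
```

Run it once per server with PEER_IP set to the other host's address (DRY_RUN=0 to apply). Note that the firewalld project has since deprecated the direct interface in favour of policies, so treat this as the iptables-style route the answer describes rather than the recommended long-term one.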