Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Firewalld - source IP not working
Operating Systems Linux Red Hat Firewalld - source IP not working Post 303003712 by fishface on Tuesday 19th of September 2017 02:22:34 PM
Old 09-19-2017
Firewalld - source IP not working
New to firewalld, and having an issue trying to emulate my old iptable ruleset.

Server has one network interface, which I usually only allow SSH in from certain IPs, I know I can do this with rich rules but have read that this is sub-optimal.

So, I created a new zone, ABCinternal, added a couple of source IPs that are allowed to SSH in, reloaded the firewall and IPs other than the ones listed can still SSH in - what am I missing here?


Code:
[root@rhel7-test zones]# firewall-cmd --zone=ABCinternal --list-all
ABCinternal (active)
  target: 
  icmp-block-inversion: no
  interfaces:
  sources: 192.168.1.10 192.168.1.99
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

 

8 More Discussions You Might Find Interesting

1. Solaris

GUI not working... CLI is working fine

Hello, I have X4500 running Solaris 10. I can access it through CLI but I cannot see the GUI. When I reboot it, the GUI works till all the files are loaded (ie., the initial boot sequence) and it prompts me to enter username and password and there it ends. The screen just has a blinking cursor... (4 Replies)
Discussion started by: bharu_sri
4 Replies

2. Shell Programming and Scripting

Script not working in cron but working fine manually

Help. My script is working fine when executed manually but the cron seems not to catch up the command when registered. The script is as follow: #!/bin/sh for file in file_1.txt file_2.txt file_3.txt do awk '{ print "0" }' $file > tmp.tmp mv tmp.tmp $file done And the cron... (2 Replies)
Discussion started by: jasperux
2 Replies

3. Red Hat

Os Open source dialer not working on Centos Asterisk platform

Hi We have one centos Server on Asterisk platform and using OS Open source dialer for dialing outbound connections.We are using eyebeam as a softphone for calling with Server ip 192.168.1.X.Today i found dialing issues with each client side phones.Not showing pause/resume button when browse... (0 Replies)
Discussion started by: Vaibhav.T
0 Replies

4. Red Hat

Nslookup working but ping not working at windows client

Hi Team we have created a DNS server at RHEL6.2 environment in 10.20.203.x/24 network. Everything is going well on linux client as nslookup, ping by host etc in entire subnet. We are getting problem in windows client as nslookup working as well but not ping. all the firewall is disabled and... (5 Replies)
Discussion started by: boby.kumar
5 Replies

5. Shell Programming and Scripting

Automating pbrun /bin/su not working, whenever manually it is working using putty

I am trying to automate a script where I need to use pbrun /bin/su but for some reason it is not passing thru the pbrun as my code below. . ~/.bash_profile pbrun /bin/su - content c h 1 hpsvn up file path I am executing this from an external .sh file that is pointing to this scripts file... (14 Replies)
Discussion started by: jorgejac
14 Replies

6. Red Hat

Firewalld - multiple services / sources?

If you have a system with one network interface, and you want to allow ssh from some addresses, freeipa-ldap from others, and https (which is part of freeipa-ldap) from another one; and you do not want to have a sea of rich rules... how do you do that? I can't tell if firewalld is just really... (2 Replies)
Discussion started by: jnojr
2 Replies

7. Shell Programming and Scripting

Working web service call not working with curl

Hello, Newbie here, I have a perfectly well working web service call I can issue from chrome (PC Windows 10) and get the results I want (a dimmer being turned on in Fibaro Home Center 2 at level 40) I am not allowed to post urls but the below works with http and :// and... (3 Replies)
Discussion started by: abigbear
3 Replies

8. Shell Programming and Scripting

Disk Space Utilization in HTML format working in one environment and not working on the other

Hi Team, I have written the shell script which returns the result of the disk space filesystems which has crossed the threshold limit in HTML Format. Below mentioned is the script which worked perfectly on QA system. df -h | awk -v host=`hostname` ' BEGIN { print "<table border="4"... (13 Replies)
Discussion started by: Harihsun
13 Replies

LEARN ABOUT DEBIAN

shorewall-exclusion

SHOREWALL-EXCLUSION(5)						  [FIXME: manual]					    SHOREWALL-EXCLUSION(5)

NAME

       exclusion - Exclude a set of hosts from a definition in a shorewall configuration file.

SYNOPSIS

       !address-or-range[,address-or-range]...

       !zone-name[,zone-name]...

DESCRIPTION

       The first form of exclusion is used when you wish to exclude one or more addresses from a definition. An exclaimation point is followed by
       a comma-separated list of addresses. The addresses may be single host addresses (e.g., 192.168.1.4) or they may be network addresses in
       CIDR format (e.g., 192.168.1.0/24). If your kernel and iptables include iprange support, you may also specify ranges of ip addresses of the
       form lowaddress-highaddress

       No embedded whitespace is allowed.

       Exclusion can appear after a list of addresses and/or address ranges. In that case, the final list of address is formed by taking the first
       list and then removing the addresses defined in the exclusion.

       Beginning in Shorewall 4.4.13, the second form of exclusion is allowed after all and any in the SOURCE and DEST columns of
       /etc/shorewall/rules. It allows you to omit arbitrary zones from the list generated by those key words.

	   Warning
	   If you omit a sub-zone and there is an explicit or explicit CONTINUE policy, a connection to/from that zone can still be matched by the
	   rule generated for a parent zone.

	   For example:

	   /etc/shorewall/zones:

	       #ZONE	      TYPE
	       z1	      ip
	       z2:z1	      ip
	       ...

	   /etc/shorewall/policy:

	       #SOURCE	       DEST	     POLICY
	       z1	       net	     CONTINUE
	       z2	       net	     REJECT

	   /etc/shorewall/rules:

	       #ACTION	       SOURCE	     DEST	 PROTO	       DEST
	       #						       PORT(S)
	       ACCEPT	       all!z2	     net	 tcp	       22

	   In this case, SSH connections from z2 to net will be accepted by the generated z1 to net ACCEPT rule.

       In most contexts, ipset names can be used as an address-or-range. Beginning with Shorewall 4.4.14, ipset lists enclosed in +[...] may also
       be included (see shorewall-ipsets[1] (5)). The semantics of these lists when used in an exclusion are as follows:

       o   !+[set1,set2,...setN] produces a packet match if the packet does not match at least one of the sets. In other words, it is like NOT
	   match set1 OR NOT match set2 ... OR NOT match setN.

       o   +[!set1,!set2,...!setN] produces a packet match if the packet does not match any of the sets. In other words, it is like NOT match set1
	   AND NOT match set2 ... AND NOT match setN.

EXAMPLES

       Example 1 - All IPv4 addresses except 192.168.3.4
	   !192.168.3.4

       Example 2 - All IPv4 addresses except the network 192.168.1.0/24 and the host 10.2.3.4
	   !192.168.1.0/24,10.1.3.4

       Example 3 - All IPv4 addresses except the range 192.168.1.3-192.168.1.12 and the network 10.0.0.0/8
	   !192.168.1.3-192.168.1.12,10.0.0.0/8

       Example 4 - The network 192.168.1.0/24 except hosts 192.168.1.3 and 192.168.1.9
	   192.168.1.0/24!192.168.1.3,192.168.1.9

       Example 5 - All parent zones except loc
	   any!loc

FILES

       /etc/shorewall/hosts

       /etc/shorewall/masq

       /etc/shorewall/rules

       /etc/shorewall/tcrules

SEE ALSO

       shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
       shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
       shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
       shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
       shorewall-tunnels(5), shorewall-zones(5)

NOTES

	1. shorewall-ipsets
	   http://www.shorewall.net/manpages/shorewall-ipsets.html

[FIXME: source] 						    06/28/2012						    SHOREWALL-EXCLUSION(5)
All times are GMT -4. The time now is 12:34 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy