Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Firewalld - source IP not working
Operating Systems Linux Red Hat Firewalld - source IP not working Post 303004107 by fishface on Tuesday 26th of September 2017 02:32:41 PM
Old 09-26-2017
I got this going, the only way I got it to work was by adding rich rules.

First I added the rich rules

Code:
 firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.10" service name="ssh" accept'

Code:
 firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.99" service name="ssh" accept'

Then I removed the ssh service from the zone, which is the part that got me, seems counter intuiative.

Code:
 firewall-cmd --permanent zone=ABCinternal --remove-service=ssh

Here is the /etc/firewalld/ABCinternal.xml file BEFORE I make the changes

Code:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>ABCinternal</short>
  <description>ABCinternal - internal trusted networks</description>
  <source address="192.168.1.10"/>
  <source address="192.168.1.99"/>
  <service name="ssh"/>
</zone>

And now after

Code:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>ABCinternal</short>
  <description>ABCinternal - internal trusted networks</description>
  <rule family="ipv4">
    <source address="192.168.1.10"/>
    <service name="ssh"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.99"/>
    <service name="ssh"/>
    <accept/>
  </rule>
</zone>

I may use ipset if the list grows.
This User Gave Thanks to fishface For This Post:
Corona688
 

8 More Discussions You Might Find Interesting

1. Solaris

GUI not working... CLI is working fine

Hello, I have X4500 running Solaris 10. I can access it through CLI but I cannot see the GUI. When I reboot it, the GUI works till all the files are loaded (ie., the initial boot sequence) and it prompts me to enter username and password and there it ends. The screen just has a blinking cursor... (4 Replies)
Discussion started by: bharu_sri
4 Replies

2. Shell Programming and Scripting

Script not working in cron but working fine manually

Help. My script is working fine when executed manually but the cron seems not to catch up the command when registered. The script is as follow: #!/bin/sh for file in file_1.txt file_2.txt file_3.txt do awk '{ print "0" }' $file > tmp.tmp mv tmp.tmp $file done And the cron... (2 Replies)
Discussion started by: jasperux
2 Replies

3. Red Hat

Os Open source dialer not working on Centos Asterisk platform

Hi We have one centos Server on Asterisk platform and using OS Open source dialer for dialing outbound connections.We are using eyebeam as a softphone for calling with Server ip 192.168.1.X.Today i found dialing issues with each client side phones.Not showing pause/resume button when browse... (0 Replies)
Discussion started by: Vaibhav.T
0 Replies

4. Red Hat

Nslookup working but ping not working at windows client

Hi Team we have created a DNS server at RHEL6.2 environment in 10.20.203.x/24 network. Everything is going well on linux client as nslookup, ping by host etc in entire subnet. We are getting problem in windows client as nslookup working as well but not ping. all the firewall is disabled and... (5 Replies)
Discussion started by: boby.kumar
5 Replies

5. Shell Programming and Scripting

Automating pbrun /bin/su not working, whenever manually it is working using putty

I am trying to automate a script where I need to use pbrun /bin/su but for some reason it is not passing thru the pbrun as my code below. . ~/.bash_profile pbrun /bin/su - content c h 1 hpsvn up file path I am executing this from an external .sh file that is pointing to this scripts file... (14 Replies)
Discussion started by: jorgejac
14 Replies

6. Red Hat

Firewalld - multiple services / sources?

If you have a system with one network interface, and you want to allow ssh from some addresses, freeipa-ldap from others, and https (which is part of freeipa-ldap) from another one; and you do not want to have a sea of rich rules... how do you do that? I can't tell if firewalld is just really... (2 Replies)
Discussion started by: jnojr
2 Replies

7. Shell Programming and Scripting

Working web service call not working with curl

Hello, Newbie here, I have a perfectly well working web service call I can issue from chrome (PC Windows 10) and get the results I want (a dimmer being turned on in Fibaro Home Center 2 at level 40) I am not allowed to post urls but the below works with http and :// and... (3 Replies)
Discussion started by: abigbear
3 Replies

8. Shell Programming and Scripting

Disk Space Utilization in HTML format working in one environment and not working on the other

Hi Team, I have written the shell script which returns the result of the disk space filesystems which has crossed the threshold limit in HTML Format. Below mentioned is the script which worked perfectly on QA system. df -h | awk -v host=`hostname` ' BEGIN { print "<table border="4"... (13 Replies)
Discussion started by: Harihsun
13 Replies

LEARN ABOUT CENTOS

firewalld.zone

FIREWALLD.ZONE(5)						  firewalld.zone						 FIREWALLD.ZONE(5)

NAME

       firewalld.zone - firewalld zone configuration files

SYNOPSIS

       /etc/firewalld/zones/zone.xml
       /usr/lib/firewalld/zones/zone.xml

DESCRIPTION

       A firewalld zone configuration file contains the information for a zone. These are the zone description, services, ports, icmp-blocks,
       masquerade, forward-ports and rich language rules in an XML file format. The file name has to be zone_name.xml where length of zone_name is
       currently limited to 17 chars.

       This is the structure of a zone configuration file:

	   <?xml version="1.0" encoding="utf-8"?>
	   <zone [version="versionstring"] [target="ACCEPT|%%REJECT%%|DROP"]>
	     [ <short>short description</short> ]
	     [ <description>description</description> ]
	     [ <interface name="string"/> ]
	     [ <source address="address[/mask]"/> ]
	     [ <service name="string"/> ]
	     [ <port port="portid[-portid]" protocol="tcp|udp"/> ]
	     [ <icmp-block name="string"/> ]
	     [ <masquerade/> ]
	     [ <forward-port port="portid[-portid]" protocol="tcp|udp" [to-port="portid[-portid]"] [to-addr="ipv4address"]/> ]
	     [
	       <rule [family="ipv4|ipv6"]>
	       [ <source address="address[/mask]" [invert="bool"]/> ]
	       [ <destination address="address[/mask]" [invert="bool"]/> ]
	       [
		 <service name="string"/> |
		 <port port="portid[-portid]" protocol="tcp|udp"/> |
		 <protocol value="protocol"/> |
		 <icmp-block name="icmptype"/> |
		 <masquerade/> |
		 <forward-port port="portid[-portid]" protocol="tcp|udp" [to-port="portid[-portid]"] [to-addr="address"]/>
	       ]
	       [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]/> [<limit value="rate/duration"/>] </log> ]
	       [ <audit> [<limit value="rate/duration"/>] </audit> ]
	       [ <accept/> | <reject [type="rejecttype"]/> | <drop/> ]
	       </rule>
	     ]
	   </zone>

       The config can contain these tags and attributes. Some of them are mandatory, others optional.

   zone
       The mandatory zone start and end tag defines the zone. This tag can only be used once in a zone configuration file. There are optional
       attributes for zones:

       version="string"
	   To give the zone a version.

       target="ACCEPT|%%REJECT%%|DROP"
	   Can be used to accept, reject or drop every packet. The ACCEPT target is used in the trusted zone, every packet will be accepted. The
	   %%REJECT%% target is used in the block zone, every packet will be rejected with the default firewalld reject type. The DROP target is
	   used in the drop zone, every packet will be dropped. The default target is {chain}_ZONE_{zone} and will be used if the target is not
	   specified. If other than the default target is used, all settings except interface and source are ignored, because the first rule
	   created in firewall for this zone is 'jump to target'.

   short
       Is an optional start and end tag and is used to give a zone a more readable name.

   description
       Is an optional start and end tag to have a description for a zone.

   interface
       Is an optional empty-element tag and can be used several times. It can be used to bind an interface to a zone. An interface entry has
       exactly one attribute:

       name="string"
	   The name of the interface to be bound to the zone.

   source
       Is an optional empty-element tag and can be used several times. It can be used to bind a source address or source address range to a zone.
       A source entry has exactly one attribute:

       address="address[/mask]"
	   The source to be bound to the zone. The source is either an IP address or a network IP address with a mask for IPv4 or IPv6. The
	   network family (IPv4/IPv6) will be automatically discovered. For IPv4, the mask can be a network mask or a plain number. For IPv6 the
	   mask is a plain number. The use of host names is not supported.

   service
       Is an optional empty-element tag and can be used several times to have more than one service entry enabled. A service entry has exactly one
       attribute:

       name="string"
	   The name of the service to be enabled. To get a list of valid service names firewall-cmd --list=services can be used.

   port
       Is an optional empty-element tag and can be used several times to have more than one port entry. All attributes of a port entry are
       mandatory:

       port="portid[-portid]"
	   The port can either be a single port number portid or a port range portid-portid.

       protocol="tcp|udp"
	   The protocol can either be tcp or udp.

   icmp-block
       Is an optional empty-element tag and can be used several times to have more than one icmp-block entry. Each icmp-block tag has exactly one
       mandatory attribute:

       name="string"
	   The name of the Internet Control Message Protocol (ICMP) type to be blocked. To get a list of valid ICMP types firewall-cmd
	   --list=icmptypes can be used.

   masquerade
       Is an optional empty-element tag. It can be used only once in a zone configuration and is not usable for IPv6. If it's present masquerading
       is enabled for the zone. If you want to enable masquerading, you should enable it in the zone bound to the external interface.

   forward-port
       Is an optional empty-element tag and can be used several times to have more than one port or packet forward entry. This is for IPv4 only.
       Use rich language rules for IPv6. There are mandatory and also optional attributes for forward ports:

       Mandatory attributes:
	   The local port and protocol to be forwarded.

	   port="portid[-portid]"
	       The port can either be a single port number portid or a port range portid-portid.

	   protocol="tcp|udp"
	       The protocol can either be tcp or udp.

       Optional attributes:
	   The destination of the forward. For local forwarding add to-port only. For remote forwarding add to-addr and use to-port optionally if
	   the destination port on the destination machine should be different.

	   to-port="portid[-portid]"
	       The destination port or port range to forward to. If omitted, the value of the port= attribute will be used altogether with the
	       to-addr attribute.

	   to-addr="address"
	       The destination IPv4 IP address.

   rule
       Is an optional element tag and can be used several times to have more than one rich language rule entry.

       The general rule structure:

	   <rule [family="ipv4|ipv6"]/>
	     [ <source address="address[/mask]" [invert="bool"]/> ]
	     [ <destination address="address[/mask]" [invert="bool"]/> ]
	     [
	       <service name="string"/> |
	       <port port="portid[-portid]" protocol="tcp|udp"/> |
	       <protocol value="protocol"/> |
	       <icmp-block name="icmptype"/> |
	       <masquerade/> |
	       <forward-port port="portid[-portid]" protocol="tcp|udp" [to-port="portid[-portid]"] [to-addr="address"]/>
	     ]
	     [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]/> [<limit value="rate/duration"/>] </log> ]
	     [ <audit> [<limit value="rate/duration"/>] </audit> ]
	     [ <accept/> | <reject [type="rejecttype"]/> | <drop/> ]
	   </rule>

       Rule structure for source black or white listing:

	   <rule [family="ipv4|ipv6"]/>
	     <source address="address[/mask]" [family="bool"]/>
	     [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]/> [<limit value="rate/duration"/>] </log> ]
	     [ <audit> [<limit value="rate/duration"/>] </audit> ]
	     <accept/> | <reject [type="rejecttype"]/> | <drop/>
	   </rule>

       For a full description on rich language rules, please have a look at firewalld.richlanguage(5).

SEE ALSO

       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1), firewalld.conf(5), firewalld.direct(5), firewalld.icmptype(5),
       firewalld.lockdown-whitelist(5), firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5), firewalld.zone(5),
       firewalld.zones(5)

NOTES

       firewalld home page at fedorahosted.org:
	   http://fedorahosted.org/firewalld/

       More documentation with examples:
	   http://fedoraproject.org/wiki/FirewallD

AUTHORS

       Thomas Woerner <twoerner@redhat.com>
	   Developer

       Jiri Popelka <jpopelka@redhat.com>
	   Developer

firewalld 0.3.9 														 FIREWALLD.ZONE(5)
All times are GMT -4. The time now is 10:35 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy