Comments on: Useful ‘FirewallD’ Rules to Configure and Manage Firewall in Linux
https://www.tecmint.com/firewalld-rules-for-centos-7/
Tecmint - Linux Howtos, Tutorials, Guides, News, Tips and Tricks. Mon, 27 May 2024 06:47:33 +0000

By: Ahmed (https://www.tecmint.com/firewalld-rules-for-centos-7/comment-page-1/#comment-2174437) Mon, 27 May 2024 06:47:33 +0000, in reply to Oppa.

Yes, you can certainly add networks in CIDR notation like ‘172.5.0.0/24’ to the firewall rules.

Here’s how you would modify the commands to allow SSH access from a specific network range:

# Allow SSH connections from specific IP addresses or networks
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="IP_ADDRESS_1" port protocol="tcp" port="22" accept'
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="IP_ADDRESS_2" port protocol="tcp" port="22" accept'
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="172.5.0.0/24" port protocol="tcp" port="22" accept'
# Add similar rules for other IP addresses or networks if needed

# Drop SSH connections from all other IP addresses
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="NOT_IP_ADDRESS_1" reject'
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="NOT_IP_ADDRESS_2" reject'
# Add similar rules for other IP addresses if needed

# Reload firewall to apply changes
sudo firewall-cmd --reload

Just replace ‘IP_ADDRESS_1’, ‘IP_ADDRESS_2’, etc., with the specific IP addresses you want to allow SSH access from, or replace ‘172.5.0.0/24’ with the desired network range.

All other connections will be rejected by the firewall.
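A small helper script, added here as an example and not taken from any of the comments above, that validates each allowed address or CIDR range and prints the firewall-cmd sequence for restricting SSH to that allowlist; it also prints the step of removing the zone's blanket ssh service, since an accept rich rule on its own does not stop the public zone from admitting every other host. It assumes SSH arrives through the public zone and that the printed commands are reviewed and then run as root on the host.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the Tecmint thread): build the
# firewall-cmd sequence that restricts SSH to an allowlist of IPv4 addresses or
# CIDR ranges. Commands are printed for review; nothing is applied here.
ZONE="public"   # assumption: SSH reaches the host through the public zone
SQ="'"

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /0-32 prefix.
valid_ipv4() {
  case "$1" in
    */*) addr=${1%/*}; prefix=${1#*/} ;;
    *)   addr=$1;      prefix=32 ;;
  esac
  case "$prefix" in ''|*[!0-9]*|???*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  rest="$addr."; n=0
  while [ -n "$rest" ]; do
    oct=${rest%%.*}; rest=${rest#*.}
    case "$oct" in ''|*[!0-9]*|????*) return 1 ;; esac
    [ "$oct" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ]
}

# Emit one rich rule that accepts TCP/22 from a single source address or range.
ssh_allow_rule() {
  printf 'firewall-cmd --permanent --zone=%s --add-rich-rule=%srule family="ipv4" source address="%s" port port="22" protocol="tcp" accept%s\n' \
    "$ZONE" "$SQ" "$1" "$SQ"
}

# Print the whole sequence: validate every source first (so a typo cannot leave
# a half-applied rule set), emit the accepts, then remove the blanket ssh service
# from the zone so unlisted hosts fall through to the zone's reject, and reload.
# Put the address you administer from first, or the remove-service step locks you out.
build_ssh_allowlist() {
  for src in "$@"; do
    valid_ipv4 "$src" || { echo "invalid IPv4 address or CIDR: $src" >&2; return 1; }
  done
  for src in "$@"; do
    ssh_allow_rule "$src"
  done
  printf 'firewall-cmd --permanent --zone=%s --remove-service=ssh\n' "$ZONE"
  printf 'firewall-cmd --reload\n'
}

# Example run with constructed addresses: prints four commands to review.
build_ssh_allowlist 192.168.1.10 172.5.0.0/24
```

Check the result with `firewall-cmd --zone=public --list-all` after the reload: the rich rules should be listed and `ssh` should no longer appear under services.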

By: Ahmed (https://www.tecmint.com/firewalld-rules-for-centos-7/comment-page-1/#comment-2174436) Mon, 27 May 2024 06:46:27 +0000, in reply to Naushad Ahmad.

Sure, I understand your requirement now.

To achieve this, you can use the firewall-cmd command to configure the firewall rules on your Linux server.

Here’s how you can set it up to allow only specific IP addresses to access your server via SSH:

# Allow SSH connections from specific IP addresses
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="IP_ADDRESS_1" port protocol="tcp" port="22" accept'
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="IP_ADDRESS_2" port protocol="tcp" port="22" accept'
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="IP_ADDRESS_3" port protocol="tcp" port="22" accept'
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="IP_ADDRESS_4" port protocol="tcp" port="22" accept'
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="IP_ADDRESS_5" port protocol="tcp" port="22" accept'

# Drop SSH connections from all other IP addresses
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="NOT_IP_ADDRESS_1" reject'
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="NOT_IP_ADDRESS_2" reject'
# Add similar rules for other IP addresses if needed

# Reload firewall to apply changes
sudo firewall-cmd --reload

Replace ‘IP_ADDRESS_1’, ‘IP_ADDRESS_2’, etc., with the actual IP addresses you want to allow SSH access from. Also, replace ‘NOT_IP_ADDRESS_1’, ‘NOT_IP_ADDRESS_2’, etc., with the IP addresses you want to block.

After executing these commands, only the specified IP addresses will be able to access your Linux server via SSH, while all other connections will be rejected by the firewall. Make sure to adjust the rules according to your specific requirements.

By: Naushad Ahmad (https://www.tecmint.com/firewalld-rules-for-centos-7/comment-page-1/#comment-914572) Wed, 20 Sep 2017 12:53:47 +0000, in reply to Babin Lonston.

Thanks, Babin, for your kind response. Now I have got it. Doing this will automatically block all the other users except those which are added by the add-source option, right?

But I didn’t get why I need to remove my interface.

By: Babin Lonston (https://www.tecmint.com/firewalld-rules-for-centos-7/comment-page-1/#comment-914463) Tue, 19 Sep 2017 17:53:09 +0000, in reply to Naushad Ahmad.

@Naushad,

We assume your 5 IPs are in the 192.168.1.x range.

# firewall-cmd --zone=public --add-source=192.168.1.1
# firewall-cmd --zone=public --add-port=22/tcp
# firewall-cmd --zone=public --add-source=192.168.1.2
# firewall-cmd --zone=public --add-port=22/tcp
# firewall-cmd --zone=public --remove-interface=eno16777728
# firewall-cmd --reload

Thanks & Regards,
Babin Lonston

By: Naushad Ahmad (https://www.tecmint.com/firewalld-rules-for-centos-7/comment-page-1/#comment-914280) Mon, 18 Sep 2017 11:36:38 +0000, in reply to Bobin Lonston.

Babin,

I followed the URL you provided in your above comment. Looking at that, I think I was not able to explain my problem properly.

Actually, I have a Linux server on a network. I have hundreds of other computers (running Windows) on the same network. All of them can access my server, but I want to allow only 5 IPs (i.e. 5 other computers) which are on the same network to access my Linux server using SSH. So I want to set up a firewall-cmd rule so that, apart from those 5 IPs, no one on the network would be able to access my Linux server. How can I do that?

Once again thanks for your earlier response.
