
I am using CentOS Linux release 7.9.2009 in a minimal installation, with firewalld.

[root@centosmin firewalld]# uname -a
Linux centosmin 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

There is a similar question, i.e. here, but none of the responses there work. I would like to do that without using rich rules.

The target is to allow ssh only from one particular IP address on the internet. In order to simulate this behavior I have set up a lab with 3 machines in different VLANs and set up routing between them in my internal network.

The server in this case is the

10.192.210.10/24 

and two ssh clients:

10.192.52.50/24
10.192.57.6/24

Now I have created my own internet-facing zone and made it the default using the commands

# create new zone called internet
firewall-cmd --permanent --new-zone=internet

# add the only ip address that should be able to connect to ssh
firewall-cmd --zone=internet --add-source=10.192.57.6/32

firewall-cmd --zone=internet --add-service=ssh

# here I make sure that I manually add the interface if it is not already added, and then remove it
firewall-cmd --zone=internet --add-interface=ens3
firewall-cmd --zone=internet --remove-interface=ens3

firewall-cmd --zone=internet --set-target=DROP
firewall-cmd --set-default-zone=internet

# save the current runtime to permanent rules
firewall-cmd --runtime-to-permanent

firewall-cmd --reload

After that my one and only network interface looks like

[root@centosmin firewalld]# firewall-cmd --list-all 
internet (active) 
 target: DROP 
 icmp-block-inversion: no 
 interfaces:  
 sources: 10.192.57.6/32 
 services: ssh 
 ports:  
 protocols:  
 masquerade: no 
 forward-ports:  
 source-ports:  
 icmp-blocks:  
 rich rules: 

However, I am still able to connect to ssh from the 10.192.52.50/32 host. What am I missing here?

The iptables -nvL -t filter command tells me that there are multiple chains that are still ACCEPT. Should that not be set to DROP? And if so, how do I set it to reject all traffic except from the host 10.192.57.6/32?

[root@centosmin firewalld]# iptables -nvL -t filter 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes) 
pkts bytes target     prot opt in     out     source               destination          
 459 34244 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED 
   0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            
   0     0 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0            
   0     0 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            
   0     0 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            
   0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID 
   0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

A direct link from Red Hat tells us that in order to do that we need to set the target. But I already did that in the previous step and I am still able to connect from 10.192.52.50/32, which is not the expected behavior.

Addition: adding the requested output of the command

[root@centosmin firewalld]# firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

internet (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 10.192.57.6/32
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 10.192.57.6
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Tito

0 Answers
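Added example (my own, not part of the question and not firewalld's code): a small Python model of firewalld's zone lookup order (source binding, then interface binding, then the default zone) and of how a zone's service list is consulted before its target, fed the zone listing posted above. It assumes the interface name ens3 from the question, treats target "default" as falling through to the final REJECT of the INPUT chain shown in the iptables output, and, where two zones list the same source, takes the first one in listing order.

```python
"""Toy model of firewalld zone selection, built from the zone listing in the
question. Lookup order, as documented for firewalld: a zone that lists the
packet's source address wins; otherwise a zone bound to the ingress interface;
otherwise the default zone. Inside the chosen zone the listed services are
accepted first; the zone target (ACCEPT/DROP/REJECT/default) only applies to
traffic that matched no service."""
from ipaddress import ip_address, ip_network

# Constructed from `firewall-cmd --list-all-zones` in the question; zones with
# no bindings (dmz, home, ...) can only ever be reached as the default zone.
ZONES = {
    "internet": {"target": "DROP", "sources": ["10.192.57.6/32"],
                 "interfaces": [], "services": ["ssh"]},
    "public": {"target": "default", "sources": ["10.192.57.6"],
               "interfaces": [], "services": ["ssh"]},
    "drop": {"target": "DROP", "sources": [], "interfaces": [], "services": []},
}
DEFAULT_ZONE = "internet"  # firewall-cmd --set-default-zone=internet


def resolve_zone(src_ip, iface, zones=ZONES, default=DEFAULT_ZONE):
    """Return the zone firewalld would route a packet from src_ip on iface into."""
    addr = ip_address(src_ip)
    # 1. source bindings (INPUT_ZONES_SOURCE). Assumption: if two zones list
    #    the same source, the first one in listing order wins.
    for name, zone in zones.items():
        if any(addr in ip_network(s, strict=False) for s in zone["sources"]):
            return name
    # 2. interface bindings (INPUT_ZONES)
    for name, zone in zones.items():
        if iface in zone["interfaces"]:
            return name
    # 3. nothing bound: the default zone is the catch-all for every other source
    return default


def verdict(src_ip, iface, service, zones=ZONES, default=DEFAULT_ZONE):
    """Return (zone, decision) for a new connection to `service`."""
    name = resolve_zone(src_ip, iface, zones, default)
    zone = zones[name]
    if service in zone["services"]:
        return name, "ACCEPT"  # service rules are evaluated before the target
    target = zone["target"]
    # Assumption: 'default' falls through to INPUT's final REJECT rule.
    return name, "REJECT" if target == "default" else target


if __name__ == "__main__":
    for ip in ("10.192.57.6", "10.192.52.50"):
        print(ip, "ssh ->", verdict(ip, "ens3", "ssh"))
    # With a service-less DROP zone as the catch-all, only the bound source gets ssh.
    print("catch-all 'drop':", verdict("10.192.52.50", "ens3", "ssh", default="drop"))
```

Running it shows both client addresses ending up in the `internet` zone: 10.192.57.6 through its source binding and 10.192.52.50 through the default-zone catch-all, and since that zone lists ssh as a service, both are accepted before the DROP target is ever reached.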