[CENTOS] Allow ssh only for specific IP addresses with firewalld

Introduction

There are countless articles on this, but getting exactly this to work took quite some effort, so I will focus on just this one topic.

Environment

Procedure

Enable firewall service

systemctl enable firewalld.service

Start the firewall service

systemctl start firewalld.service

View allowed services

firewall-cmd --list-services --zone=public

ssh is allowed by default, but since it is going to be restricted this time, remove it from the allowed services (permanently)

firewall-cmd --remove-service=ssh --zone=public --permanent

Allow only a specific IP address (192.168.11.29 here) with a rich rule

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.11.29" port protocol="tcp" port="22" accept'

Reload

firewall-cmd --reload

Check settings

[root@localhost ~]# firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: cockpit dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.11.29" port port="22" protocol="tcp" accept
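As an added example (not part of the original post), a small POSIX shell audit that checks a zone dump like the one above for the intended end state: ssh gone from the zone-wide services, an accept rule for tcp/22 for every address on the allow list, and no other tcp/22 accept rule. It works on the text of `firewall-cmd --list-all --zone=public`, so it runs offline; the sample below is constructed from the output shown above (trimmed to the relevant lines).

```shell
#!/bin/sh
# Added example, not from the original post: audit the output of
# `firewall-cmd --list-all --zone=public` to confirm ssh is reachable
# only from an explicit allow list. Works on the text, so it runs offline.

# Constructed sample, trimmed from the zone dump shown after the change.
SAMPLE_ZONE='public (active)
  target: default
  interfaces: enp0s3
  sources:
  services: cockpit dhcpv6-client
  ports:
  rich rules:
        rule family="ipv4" source address="192.168.11.29" port port="22" protocol="tcp" accept'

# The rule for one address, in the normalized form firewall-cmd prints.
ssh_rich_rule() {
  printf 'rule family="ipv4" source address="%s" port port="22" protocol="tcp" accept' "$1"
}

# Strip the indentation firewall-cmd adds so lines can be matched exactly.
zone_lines() {
  printf '%s\n' "$1" | sed 's/^[[:space:]]*//'
}

# audit_ssh_zone ZONE_TEXT ALLOWED_IP...  -> 0 if ssh is limited to exactly
# the given addresses, 1 otherwise (reason on stderr).
audit_ssh_zone() {
  zone=$1; shift
  # 1. the ssh service must not be open to the whole zone
  if zone_lines "$zone" | grep -E '^services:.*[[:space:]]ssh([[:space:]]|$)' >/dev/null; then
    echo "ssh service is still allowed zone-wide" >&2; return 1
  fi
  # 2. every address on the allow list needs its own accept rule
  for ip in "$@"; do
    if ! zone_lines "$zone" | grep -Fx -- "$(ssh_rich_rule "$ip")" >/dev/null; then
      echo "no tcp/22 accept rule for $ip" >&2; return 1
    fi
  done
  # 3. no extra rule may accept tcp/22 from some other source
  n=$(zone_lines "$zone" | grep -c 'port port="22" protocol="tcp" accept' || true)
  if [ "$n" -ne "$# " ]; then
    echo "expected $# tcp/22 accept rules, found $n" >&2; return 1
  fi
  return 0
}
```

Run it against the live output with `audit_ssh_zone "$(firewall-cmd --list-all --zone=public)" 192.168.11.29`; note that it only sees the runtime configuration, so run it after `firewall-cmd --reload`.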

Check by port scan from another terminal

Scan the ports with nmap from the terminal that is allowed to connect and from one that is not, and confirm that port 22 is visible only from the allowed terminal.

[kimisyo@localhost ~]$ nmap -p 1-500 192.168.11.24
Starting Nmap 7.70 ( https://nmap.org ) at 2020-10-04 12:06 JST
Nmap scan report for 192.168.11.24
Host is up (0.62s latency).
Not shown: 498 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh

Nmap done: 1 IP address (1 host up) scanned in 38.56 seconds

Reference
