суббота, 25 апреля 2020 г.

Firewalld how to block all but allow specific

Usually, default zone = public

So, to block all  need to make default zone drop:

firewall-cmd  --set-default-zone=drop

Then add the specific address to zone trusted:

firewall-cmd --permanent --add-source=$YOUR_IP --zone=trusted

and service ssh

firewall-cmd --permanent --add-service=ssh --zone=trusted

and specific interface to zone trusted:

firewall-cmd --permanent --zone=trusted --add-interface=eth0

save firewalld config:

firewall-cmd --reload


If you need to restrict access to port published by docker container :

firewall-cmd --permanent --direct --remove-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --remove-rules ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --add-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment 'Allow containers to connect to the outside world'

Add you docker network (in this case 172.17.0.0/16 ):

firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -j RETURN -s 172.17.0.0/16 -m comment --comment 'allow internal docker communication'

Lets allow access to ports 8983 and 8443 from your home network 1.2.3.0/24:

firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -o docker0 -p tcp -m multiport --dports 8983,8443 -s 1.2.3.0/24 -j ACCEPT -m comment --comment 'Allow Home IP to access to 8983,8443 docker ports'
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 10 -j REJECT -m comment --comment 'reject all other traffic to DOCKER-USER'

If you need to allow access from work's address 2.3.4.5 to these ports:

firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -o docker0 -p tcp -m multiport --dports 8983,8443 -s 2.3.4.5  -j ACCEPT -m comment --comment 'Allow work's IP to access to 8983,8443 docker ports'

firewall-cmd --reload




Комментариев нет:

Отправить комментарий