Usually the default zone is public.
So, to block everything, make the default zone drop:
firewall-cmd --set-default-zone=drop
Then add your specific address to the trusted zone:
firewall-cmd --permanent --add-source=$YOUR_IP --zone=trusted
and the ssh service:
firewall-cmd --permanent --add-service=ssh --zone=trusted
and a specific interface to the trusted zone:
firewall-cmd --permanent --zone=trusted --add-interface=eth0
reload firewalld so the permanent config takes effect:
firewall-cmd --reload
If you need to restrict access to ports published by a docker container:
firewall-cmd --permanent --direct --remove-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --remove-rules ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --add-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment 'Allow containers to connect to the outside world'
Add your docker network (in this case 172.17.0.0/16):
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -j RETURN -s 172.17.0.0/16 -m comment --comment 'allow internal docker communication'
Let's allow access to ports 8983 and 8443 from your home network 1.2.3.0/24:
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -o docker0 -p tcp -m multiport --dports 8983,8443 -s 1.2.3.0/24 -j ACCEPT -m comment --comment 'Allow Home IP to access to 8983,8443 docker ports'
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 10 -j REJECT -m comment --comment 'reject all other traffic to DOCKER-USER'
If you need to allow access from your work address 2.3.4.5 to these ports (the comment is double-quoted because it contains an apostrophe, which would otherwise terminate a single-quoted string):
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -o docker0 -p tcp -m multiport --dports 8983,8443 -s 2.3.4.5 -j ACCEPT -m comment --comment "Allow work's IP to access to 8983,8443 docker ports"
firewall-cmd --reload
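The point of the DOCKER-USER rules above is that the catch-all REJECT at priority 10 must exist and every ACCEPT evaluated before it must be tied to a source address (or to established flows); if the REJECT is forgotten, or an ACCEPT is added at a priority number above it, the published ports are either open to everyone or the allow rule is silently dead. The following audit script is an added example, not part of the original post. It reads rules in the `<priority> <iptables args>` format that `firewall-cmd --direct --get-rules ipv4 filter DOCKER-USER` prints (the exact quoting of comments in that output is assumed; the sample rule sets are constructed from the commands above) and fails when the allow-list is not sound.

```shell
#!/bin/sh
# Audit DOCKER-USER direct rules produced by the firewall-cmd --direct procedure.
# Input (stdin): one rule per line as "<priority> <iptables args>", which is the
# format assumed for: firewall-cmd --permanent --direct --get-rules ipv4 filter DOCKER-USER
# Exit status 0 when:
#   * a catch-all REJECT/DROP (no -s/-p/-i/-o/--dports restriction) exists, and
#   * every ACCEPT is restricted by a source (-s) or by --ctstate, and
#   * every ACCEPT has a lower priority number (runs earlier) than the catch-all.
audit_docker_user_rules() {
    reject_prio=""
    accept_prios=""
    problems=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        prio=${line%% *}
        args=" ${line#* } "          # pad so " -s " style patterns match at both ends
        case "$args" in
            *" -j REJECT "*|*" -j DROP "*)
                case "$args" in
                    *" -s "*|*" -p "*|*" -i "*|*" -o "*|*" --dports "*) ;;  # restricted deny, not the catch-all
                    *) reject_prio=$prio ;;
                esac ;;
            *" -j ACCEPT "*)
                case "$args" in
                    *" -s "*|*" --ctstate "*) ;;
                    *) echo "FAIL: unrestricted ACCEPT at priority $prio:$args"
                       problems=$((problems + 1)) ;;
                esac
                accept_prios="$accept_prios $prio" ;;
        esac
    done
    if [ -z "$reject_prio" ]; then
        echo "FAIL: no catch-all REJECT/DROP in DOCKER-USER; published ports are reachable from anywhere"
        problems=$((problems + 1))
    else
        for p in $accept_prios; do
            if [ "$p" -ge "$reject_prio" ]; then
                echo "FAIL: ACCEPT at priority $p is shadowed by the catch-all at priority $reject_prio"
                problems=$((problems + 1))
            fi
        done
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample: the rule set built by the commands above (sound allow-list).
GOOD_RULES='1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Allow containers to connect to the outside world"
1 -j RETURN -s 172.17.0.0/16 -m comment --comment "allow internal docker communication"
1 -o docker0 -p tcp -m multiport --dports 8983,8443 -s 1.2.3.0/24 -j ACCEPT -m comment --comment "Allow Home IP to access to 8983,8443 docker ports"
1 -o docker0 -p tcp -m multiport --dports 8983,8443 -s 2.3.4.5 -j ACCEPT -m comment --comment "Allow work IP to access to 8983,8443 docker ports"
10 -j REJECT -m comment --comment "reject all other traffic to DOCKER-USER"'

# Constructed sample: REJECT forgotten and an ACCEPT without any -s restriction.
OPEN_RULES='1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
1 -j RETURN -s 172.17.0.0/16
1 -o docker0 -p tcp -m multiport --dports 8983,8443 -j ACCEPT'

# Constructed sample: catch-all present but the work ACCEPT was added at priority 10, so it never runs.
SHADOWED_RULES='1 -j RETURN -s 172.17.0.0/16
5 -j REJECT
10 -o docker0 -p tcp -m multiport --dports 8983,8443 -s 2.3.4.5 -j ACCEPT'

# Live usage on a firewalld host:
#   firewall-cmd --permanent --direct --get-rules ipv4 filter DOCKER-USER | audit_docker_user_rules
```

Run the audit against the permanent rules right after `firewall-cmd --reload`, and again against the runtime rules (drop `--permanent`) to confirm both agree; a difference usually means a rule was added without `--permanent` and will vanish on the next reload.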