Thursday, 29 October 2020

Firewalld and ipset

How to use ipset with firewalld?

Let's do it.

First of all, let's check whether we already have any ipsets:

# firewall-cmd --get-ipsets

If not, create one. For networks (CIDR entries):

# firewall-cmd --permanent --new-ipset=IP-whitelist --type=hash:net

For single IP addresses:

# firewall-cmd --permanent --new-ipset=IP-whitelist --type=hash:ip

And now add a network to the whitelist:

# firewall-cmd --permanent --ipset=IP-whitelist --add-entry= 

or an IP:

# firewall-cmd --permanent --ipset=IP-whitelist --add-entry= 

And create rules for ports or services for that whitelist:

# firewall-cmd --permanent --zone=public --add-rich-rule='rule source ipset="IP-whitelist" port protocol="tcp" port="80-90" accept'
# firewall-cmd --permanent --zone=public --add-rich-rule='rule source ipset="IP-whitelist" service name="ssh" accept'

If the zone already allows the ssh service for every source, that rule bypasses the whitelist, so remove it:

# firewall-cmd --permanent --zone=public --remove-service=ssh

and apply the changes (all of the above were `--permanent` and take effect only after a reload):

# firewall-cmd --reload
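The whole procedure above, as an added example that is not part of the original post: a POSIX shell script that creates the ipset (only if it does not exist yet), adds entries whose shape matches the set type (CIDR for `hash:net`, plain address for `hash:ip`, since firewalld rejects a mismatch), allows ssh from the set, drops the zone-wide ssh service and reloads. The ipset name `IP-whitelist`, the zone `public` and the addresses `192.0.2.0/24` and `198.51.100.7` are assumptions taken from the post or constructed from documentation ranges; `FW_DRY_RUN=1` prints the `firewall-cmd` invocations instead of running them, so the script can be reviewed on a machine without firewalld.

```shell
#!/bin/sh
# Added example (not from the original post): apply an ipset-based ssh whitelist
# with firewalld in one pass. FW_DRY_RUN=1 prints the commands instead of running
# them (no root or firewalld needed); otherwise they are executed as root.

# run_fw ARGS... : execute firewall-cmd, or echo the invocation in dry-run mode.
run_fw() {
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# entry_kind ENTRY : print "net" for a.b.c.d/len, "ip" for a.b.c.d, "bad" otherwise.
# Shape check only (digits, dots, at most one slash); firewall-cmd does the real
# validation. It keeps a CIDR out of a hash:ip set and vice versa before we call it.
entry_kind() {
    case "$1" in
        *[!0-9./]*|""|*/*/*) echo bad; return ;;
    esac
    case "${1%%/*}" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
        *) echo bad; return ;;
    esac
    case "$1" in
        */*) echo net ;;
        *) echo ip ;;
    esac
}

# whitelist_apply NAME TYPE ZONE ENTRY... : create the ipset if missing, add the
# matching entries, allow ssh from the set, remove the zone-wide ssh service so
# only whitelisted sources reach sshd, then reload to activate the permanent config.
whitelist_apply() {
    name=$1; type=$2; zone=$3; shift 3
    case "$type" in
        hash:ip) want=ip ;;
        hash:net) want=net ;;
        *) echo "unsupported ipset type: $type" >&2; return 2 ;;
    esac
    # --new-ipset fails if the set already exists, so check the permanent list first.
    if ! run_fw --permanent --get-ipsets | tr ' ' '\n' | grep -qx "$name"; then
        run_fw --permanent --new-ipset="$name" --type="$type"
    fi
    for e in "$@"; do
        kind=$(entry_kind "$e")
        if [ "$kind" != "$want" ]; then
            echo "skipping $e: not a valid $want entry for $type" >&2
            continue
        fi
        run_fw --permanent --ipset="$name" --add-entry="$e"
    done
    run_fw --permanent --zone="$zone" \
        --add-rich-rule="rule source ipset=\"$name\" service name=\"ssh\" accept"
    run_fw --permanent --zone="$zone" --remove-service=ssh
    run_fw --reload
}

# Demonstration with constructed addresses; runs only in dry-run mode so the
# script is harmless to execute on a host without firewalld.
if [ "${FW_DRY_RUN:-0}" = "1" ]; then
    whitelist_apply IP-whitelist hash:net public 192.0.2.0/24 198.51.100.7
fi
```

Run `FW_DRY_RUN=1 sh whitelist.sh` first and read the printed commands; the `198.51.100.7` entry is reported as skipped because it is a bare address being added to a `hash:net` set. Removing the zone-wide `ssh` service before the reload matters: both changes are permanent-only, so the single `--reload` switches the host from "ssh open to all" to "ssh from the whitelist" without a window where sshd is unreachable or still open to everyone.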