How to use ipset with firewalld?
Let's do it.
First of all, let's check whether any ipsets already exist:
# firewall-cmd --get-ipsets
If not, create one. For networks:
# firewall-cmd --permanent --new-ipset=IP-whitelist --type=hash:net
For single IP addresses:
# firewall-cmd --permanent --new-ipset=IP-whitelist --type=hash:ip
Now add a network to the whitelist:
# firewall-cmd --permanent --ipset=IP-whitelist --add-entry=172.27.0.0/16
or a single IP:
# firewall-cmd --permanent --ipset=IP-whitelist --add-entry=172.28.1.18
Then create rules for the ports or services that this whitelist may reach:
# firewall-cmd --permanent --zone=public --add-rich-rule='rule source ipset="IP-whitelist" port protocol="tcp" port="80-90" accept'
# firewall-cmd --permanent --zone=public --add-rich-rule='rule source ipset="IP-whitelist" service name="ssh" accept'
If the zone already has another rule that opens the ssh service to everyone, it has to be removed, otherwise the whitelist restricts nothing:
# firewall-cmd --permanent --zone=public --remove-service=ssh
and apply the changes:
# firewall-cmd --reload
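The whole procedure above as one script, added here as an example and not the post's own code: it reads whitelist entries from a file, validates each one, picks hash:net or hash:ip from the file's contents, emits (or, with DRY_RUN=0, runs) the firewall-cmd sequence, and ends with the checks that the set is populated and ssh is no longer open to the whole zone. IP-whitelist and the public zone are the post's names; the entry file format, the DRY_RUN switch and the helper functions are assumptions of this script.

```sh
#!/bin/sh
# Added example, not from the original post: IP-whitelist and zone "public"
# are the post's names; the entry file format, DRY_RUN and the helpers below
# are assumptions. DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them.
IPSET_NAME="${IPSET_NAME:-IP-whitelist}"; ZONE="${ZONE:-public}"
DRY_RUN="${DRY_RUN:-1}"
set -f   # no pathname expansion while entries are word-split below
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
# 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255
valid_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}
# prints "ip" for a host address, "net" for a CIDR, "bad" for anything else
classify_entry() {
  case "$1" in
    ''|*[!0-9./]*) echo bad ;;
    */*) plen=${1#*/}
         case "$plen" in ''|*[!0-9]*) echo bad; return ;; esac
         if valid_ipv4 "${1%/*}" && [ "$plen" -le 32 ]; then echo net; else echo bad; fi ;;
    *)   if valid_ipv4 "$1"; then echo ip; else echo bad; fi ;;
  esac
}
# entries: one per line; blank lines and '#' comments are ignored
entries() { sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"; }
# hash:net if any entry is a network, hash:ip when the file holds only hosts
choose_type() { if entries "$1" | grep -q /; then echo hash:net; else echo hash:ip; fi; }
# the post's sequence for one whitelist file; refuses the whole file if any
# entry is malformed, so a typo cannot leave the set half-applied
build_whitelist() {
  for e in $(entries "$1"); do
    [ "$(classify_entry "$e")" != bad ] || { echo "bad entry: $e" >&2; return 1; }
  done
  run firewall-cmd --permanent --new-ipset="$IPSET_NAME" --type="$(choose_type "$1")"
  for e in $(entries "$1"); do
    run firewall-cmd --permanent --ipset="$IPSET_NAME" --add-entry="$e"
  done
  run firewall-cmd --permanent --zone="$ZONE" \
    --add-rich-rule="rule source ipset=\"$IPSET_NAME\" service name=\"ssh\" accept"
  run firewall-cmd --permanent --zone="$ZONE" --remove-service=ssh
  run firewall-cmd --reload
  run firewall-cmd --ipset="$IPSET_NAME" --get-entries   # check: set is populated
  run firewall-cmd --zone="$ZONE" --list-services        # check: ssh no longer listed
}
if [ $# -gt 0 ]; then build_whitelist "$1"; fi
```

Run as `sh whitelist.sh whitelist.txt` to review the generated commands, then `DRY_RUN=0 sh whitelist.sh whitelist.txt` as root to apply them.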