0

In a CentOS 7 web server, how do I configure firewalld to block all but a specific list of ip addresses from making successful http or https requests?

I know that I can use httpd.conf to restrict by ip, but how can I get firewalld to restrict by ip? What file? Do I use firewall-cmd? What syntax?

I imagine this involves creating one or more rich rules, which are described in the documentation. But I want to make sure that I do this properly. For example, would one rule specify rejecting all http/s requests from anyone? And then would another rule be required to approve http/s requests for each specific ip? Would the rule be for the service http/s, or would the rule be for the port 443? Or some combination? What about logging the rejections and acceptances?

Braiam
  • 35,380
  • 25
  • 108
  • 167
CodeMed
  • 5,079
  • 45
  • 100
  • 147
  • Firstly we'll need a bit of information about what is set-up currently in your firewall, can you post the output of the following commands; ```firewall-cmd --state``` & ```firewall-cmd --get-active-zones``` – Chris Davidson Dec 30 '14 at 07:16

1 Answers1

0

I don't like FirewallD, so i replace it with the old iptables service,

I would do this like that,

  • Create a new chain, let call it ALLOW_TO_HTTP

    iptables -N ALLOW_TO_HTTP

  • Then add all the IP address you like to allow to this chain

    iptable -I ALLOW_TO_HTTP -j ACCEPT -s 1.2.3.4

  • Then in your INPUT table add the line to point to the above chain for new connection on ports 80 & 443.

    iptables -I INPUT -p tcp -m multiport --dports 80,443 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ALLOW_TO_HTTP

The above rule will redirect all new connection on ports 443&80 to the ALLOW_TO_HTTP chain, and if there is any match for IP the connection will be ACCEPT-ed.

for best practice you will need to find the right line to put the 3rd rule, as you don't want it as your first rule in your iptables. you can acmplish this by specifying to which line to insert the rule: e.g

iptables -I INPUT 4 ...

This will insert the rule into line 4.

You can list the rules line numbers with:

iptables -nvL --line-numbers
Rabin
  • 3,818
  • 1
  • 21
  • 23
  • It might be useful to use ipset in this case. – Pavel Šimerda Dec 30 '14 at 10:15
  • For small lists i don't like to use ipset, more over head to manage them (no build in script to load and save them). I use ipset when i need to work with many (>20) address. – Rabin Dec 30 '14 at 14:30
  • Is it because of the lack of tools? For example in Mikrotik routers (Linux based but with own GUI/WebUI) I've seen people using address lists even for small lists as they're easier to manage. – Pavel Šimerda Dec 30 '14 at 14:44