On a CentOS 7 web server that needs to remain totally closed to the public, I need to block all IP addresses and then only allow specified IP addresses to access specified services. How can I configure firewalld to accomplish this?
I read this other posting, but it does not seem to address my use case because it speaks mainly of giving blanket access to specific IP addresses rather than giving different types of access to different IP addresses. The other posting does not address the question of email. Also, the other posting seems to assume using lockdown mode. My question asks whether or not to use lockdown mode for this use case.
Four services need to be enabled on the server:
1. SSH access only to one administrator at either of 2 IP addresses
2. HTTPS access only to 30 IP addresses of users, including the administrator
3. Encrypted emails:
   - sent to the 30 users who have HTTPS access
   - sent to and received from another list of known email addresses
4. Encrypted FTP upload from another list of known IP addresses
All other inbound and outbound access needs to be blocked.
Do I have to set Lockdown=yes to accomplish this?
Also, do I then add in each user as follows:
rule family="ipv4" source address="192.168.0.0" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept
rule family="ipv4" source address="192.235.89.45" service name="https" accept
rule family="ipv4" source address="192.235.89.45" service name="ssh" accept
rule family="ipv4" source address="192.987.376.97" service name="https" accept
Currently, firewall-cmd --list-all returns the following:
public (default, active)
interfaces: enp3s0
sources:
services: dhcpv6-client https ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
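As an added example (not part of the question or any answer), a POSIX shell dry run that turns a per-source allow-list into the firewall-cmd commands for this setup: the drop zone becomes the default and the interface enp3s0 from the question is bound to it, so everything is dropped except the rich-rule accepts; the addresses and the allow-list format are constructed placeholders, and `plan` only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Constructed allow-list (placeholder addresses): one "<source CIDR> <firewalld service>" per line.
# Each line becomes one rich rule; a source that needs two services simply appears twice.
ALLOWLIST='
203.0.113.10/32 ssh
203.0.113.11/32 ssh
203.0.113.10/32 https
198.51.100.0/27 https
192.0.2.25/32 smtp
192.0.2.40/32 ftp
'

# Build the rich rule that accepts one service from one source (the same shape as in the question).
rich_rule() {
  printf 'rule family="ipv4" source address="%s" service name="%s" accept' "$1" "$2"
}

# Emit the full set of firewall-cmd invocations as text. Nothing is applied here;
# pipe the output through "sh" as root once it has been reviewed.
plan() {
  # Default zone "drop": every packet not matched by an explicit rule is silently dropped.
  echo 'firewall-cmd --set-default-zone=drop'
  # Move the NIC from "public" (which currently allows https/ssh from anywhere) into the drop zone.
  echo 'firewall-cmd --permanent --zone=drop --change-interface=enp3s0'
  echo "$ALLOWLIST" | while read -r src svc; do
    [ -n "$src" ] || continue          # skip the blank lines of the here-string
    printf "firewall-cmd --permanent --zone=drop --add-rich-rule='%s'\n" "$(rich_rule "$src" "$svc")"
  done
  echo 'firewall-cmd --reload'
  # Verification step: the rich rules should now be listed under the drop zone.
  echo 'firewall-cmd --zone=drop --list-rich-rules'
}

plan
```

Zone rich rules filter inbound connections only; firewalld on CentOS 7 does not restrict outbound traffic through them, so "all other outbound access" needs separate handling. Lockdown mode is not needed for this: it only limits which local programs may change the firewall configuration over D-Bus and has no effect on which remote addresses are accepted.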