There are articles on this, but finding one that covers exactly this point was a hassle, so I will focus on just this topic.
Enable firewall service
systemctl enable firewalld.service
Start the firewall service
systemctl start firewalld.service
View allowed services
firewall-cmd --list-services --zone=public
ssh is allowed by default, but this time access will be restricted, so remove it from the zone's services
firewall-cmd --remove-service=ssh --zone=public --permanent
Allow only a specific IP address (192.168.11.29 here) with a rich rule (single quotes around the rule so the inner double quotes reach firewalld intact)
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.11.29" port protocol="tcp" port="22" accept'
Reload
firewall-cmd --reload
Check settings
[root@localhost ~]# firewall-cmd --list-all --zone=public
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: cockpit dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.11.29" port port="22" protocol="tcp" accept
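As an added example (not from the original post), the same steps wrapped in a small bash script: the rich rule is built only from a validated IPv4 address, and the `--list-all` output is checked for both conditions the post relies on (ssh gone from the zone's services and the rule present). The helper names are assumptions of mine; the sample listing is copied from the output above.

```bash
#!/bin/bash
# Added example, not from the original post; helper names are mine.

# Print the rich rule allowing TCP port $2 (default 22) from IPv4 address $1.
# Return 1 without printing if the address is not a valid dotted quad or the
# port is not numeric, so a typo cannot become an unintended rule.
build_ssh_rich_rule() {
  local src="$1" port="${2:-22}" octet n=0
  case "$src" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  local IFS=.
  for octet in $src; do
    [ "$octet" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ] || return 1
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept\n' "$src" "$port"
}

# Read `firewall-cmd --list-all --zone=public` output on stdin; succeed only if
# the ssh service is gone from the zone AND the expected rich rule is listed.
check_ssh_restricted() {
  local expected="$1" listing services svc
  listing=$(sed 's/^[[:space:]]*//')   # strip indentation
  services=$(printf '%s\n' "$listing" | sed -n 's/^services:[[:space:]]*//p')
  for svc in $services; do
    [ "$svc" = ssh ] && return 1
  done
  printf '%s\n' "$listing" | grep -F -x -- "$expected" >/dev/null
}

# The post's steps with a validated rule, verified afterwards. Run it on the
# console or from the allowed address: after --reload, ssh from anywhere else is dropped.
apply_ssh_restriction() {
  local rule
  rule=$(build_ssh_rich_rule "$1") || { echo "invalid source address: $1" >&2; return 1; }
  firewall-cmd --zone=public --permanent --remove-service=ssh &&
    firewall-cmd --zone=public --permanent --add-rich-rule="$rule" &&
    firewall-cmd --reload &&
    firewall-cmd --list-all --zone=public | check_ssh_restricted "$rule"
}

# Offline demo against a constructed listing copied from the post's output.
SAMPLE_LISTING='public (active)
  services: cockpit dhcpv6-client
  rich rules:
    rule family="ipv4" source address="192.168.11.29" port port="22" protocol="tcp" accept'
RULE=$(build_ssh_rich_rule 192.168.11.29)
printf '%s\n' "$SAMPLE_LISTING" | check_ssh_restricted "$RULE" && echo "ssh restricted to 192.168.11.29: OK"
```

Both the service removal and the rich rule are `--permanent`, so the running firewall does not change until `--reload`; keep the session you run this from open until the check passes.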
Scan the ports with nmap from a terminal that is allowed to connect and from one that is not, and confirm that port 22 is visible only from the allowed terminal.
[kimisyo@localhost ~]$ nmap -p 1-500 192.168.11.24
Starting Nmap 7.70 ( https://nmap.org ) at 2020-10-04 12:06 JST
Nmap scan report for 192.168.11.24
Host is up (0.62s latency).
Not shown: 498 filtered ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 38.56 seconds