References:

- CentOS 7 firewalld frequently used commands (Qiita) ← great!
- Three ways to limit IP addresses on AWS
Many of the articles that appear at the top of a Google search for "amazon linux firewalld" say: "Amazon Linux 2 has security groups and network ACLs with equivalent functions (and they block traffic before it reaches the server), so don't use firewalld."
However, there is a problem when you want to refuse connections from specific IP addresses:

- Security group: whitelist method. Only "allow" can be set; "deny" cannot be specified.
- Network ACL: "deny" can be set (and "allow" too), but there is an upper limit (20) on the number of rules.
- ALB: blacklist method, but HTTP/HTTPS only.

So if you want to restrict more than 20 IP addresses, firewalld comes into play.
Prerequisites:

- As of October 20, 2020, EC2 in the Tokyo region
- OS is Amazon Linux, with `yum update` completed
- The security group assigned to the EC2 instance allows inbound access to the ports in question; in this article, ssh (22), http (80) and https (443)
Installation:

```shell
yum install firewalld
```

Persistence (start automatically when the server is restarted):

```shell
systemctl enable firewalld.service
```

Start:

```shell
systemctl start firewalld.service
```

Status check (OK if "Active"):

```shell
systemctl status firewalld.service
```
Add the services to the public zone. This is a whitelist method. Don't forget to reload at the end (`firewall-cmd --reload`; there is no need for `systemctl reload firewalld`).

```shell
firewall-cmd --add-service=http --zone=public --permanent
firewall-cmd --add-service=https --zone=public --permanent
firewall-cmd --add-service=ssh --zone=public --permanent
firewall-cmd --reload
```
`--permanent`: the rule stays valid even after the server is restarted.

Specify the addresses to block in the drop zone. This is a blacklist method.

```shell
firewall-cmd --zone=drop --permanent --add-source=<IP address range/CIDR>
firewall-cmd --reload
```
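When the point of using firewalld is to block more addresses than a network ACL allows, you will usually have a file with dozens of entries rather than a single range. As an added example (not from the original article), here is a POSIX shell script that applies a whole blocklist file to the drop zone in one pass, validating each IPv4/CIDR entry before calling `firewall-cmd`, and reloading only once at the end. The blocklist format, the `FIREWALL_CMD` override variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article. Adds every entry of a
# blocklist file to the firewalld "drop" zone, validating syntax first.
# FIREWALL_CMD (assumed name) can be overridden for a dry run,
# e.g. FIREWALL_CMD="echo firewall-cmd".
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Return 0 if $1 is a syntactically valid IPv4 address or IPv4/CIDR.
valid_ipv4_cidr() {
    addr="${1%/*}"
    case "$1" in
        */*) prefix="${1#*/}" ;;
        *)   prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # Exactly four dot-separated octets, each an integer 0-255.
    old_ifs="$IFS"; IFS=.
    set -f; set -- $addr; set +f
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read a blocklist (one entry per line, '#' comments and blank lines
# allowed), add each valid entry permanently to the drop zone, report
# invalid lines on stderr, reload once, and print the number added.
apply_blocklist() {
    added=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"
        entry="$(printf '%s' "$entry" | tr -d '[:space:]')"
        [ -n "$entry" ] || continue
        if valid_ipv4_cidr "$entry"; then
            $FIREWALL_CMD --zone=drop --permanent --add-source="$entry" >/dev/null
            added=$((added + 1))
        else
            echo "skipping invalid entry: $entry" >&2
        fi
    done < "$1"
    $FIREWALL_CMD --reload >/dev/null
    echo "$added"
}
```

Run it as `apply_blocklist /path/to/blocklist.txt` as root; afterwards `firewall-cmd --zone=drop --list-sources` should show every entry that was accepted.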
--get-active-zone

In my environment, running `firewall-cmd --get-active-zone` did not return any results, and neither did `--reload`. This was worrying, but firewalld was in fact working in this state. (The zones are displayed after the server is rebooted with `# reboot`.)

| Expected result | Actual result |
|---|---|
| `# firewall-cmd --get-active-zone`<br>`drop`<br>`  sources:`<br>`public`<br>`  interfaces: eth0` | `# firewall-cmd --get-active-zone`<br>(nothing displayed) |
--list-all

Again, `interfaces` was empty and I was worried, but it was working. (This is also displayed after the server is restarted.)

The (uneasy) output before restarting the server:

```
# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client https http
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```
--list-services

This was displayed without restarting the server:

```
# firewall-cmd --list-services
ssh dhcpv6-client https http
```

`dhcpv6-client` is a service that is enabled from the beginning.

Check that the intended behavior occurs while adding entries to, and removing them from, the public zone and the drop zone. If you remove ssh from public you will lock everyone out (won't you?), so be careful not to remove it.