[SOLVED] firewalld block ip ranging but allow single ip

packetsmacker · 01-27-2016, 10:24 AM

So I need the following.

allow 192.168.1.5 http
deny 192.168.1.0\24 http

So here are my firwalld command.

Code:

firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.5" service name="http" accept'
firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.0/24" service name="http" drop'

if i apply the first rule everyone gets in.If I apply both rules no one gets in. Basically I only want one IP getting to the web site.

lazydog · 01-27-2016, 12:11 PM

Have you tried only to add the first rule without the second? I believe others are blocked by default, but don't quote me on this as I haven't worked with firewalld.

packetsmacker · 01-27-2016, 12:45 PM

That did it. I swear I had tried that before. Thanks

packetsmacker · 01-27-2016, 01:32 PM

ok maybe this isnt solved.

I added a log rule now everyone can access it. Here is my output

Code:

firewall-cmd --list-all
public (default, active)
  interfaces: enp0s3
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" service name="http" log prefix="httpd" level="debug" limit value="1/m" accept
	rule family="ipv4" source address="192.168.1.5" service name="http" accept

packetsmacker · 01-27-2016, 02:01 PM

I removed all those rules and added this one.

rule family="ipv4" source address="192.168.1.5" service name="http" log prefix="httpd" level="info" limit value="1/m" accept

Now only 1.5 can get to the site and it gets a log in /var/log/message. I don't see any log for ips other then 1.5. I need to log all request to the web site.

lazydog · 01-28-2016, 08:11 AM

Have you tried adding the logging rule after the access rule?

packetsmacker · 01-28-2016, 09:48 AM

I would love to but I have tried adding and removing them in different orders but they always end up like this.

rule family="ipv4" service name="http" log prefix="httpd" level="info" limit value="1/m" accept
rule family="ipv4" source address="192.168.1.5" service name="http" accept

This way everyone gets in and it gets logged. I tried adding the log with a drop instead of accept but it blocks everyone again. I am going to remove the log rule and come back to this when I have time.

Thanks lazydog for your help.

packetsmacker · 01-28-2016, 02:14 PM

I couldn't resist I had to try again.

This works.

firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" service name="http" log prefix="httpd" level="info" limit value="1/m"' --permanent

Removing accept seems to have fixed it.