cancel
Showing results for 
Search instead for 
Did you mean: 
t3kg33k
Flight Engineer Flight Engineer
Flight Engineer
  • 2,878 Views

RH254: Firewalld rich rules with port forward issue

Jump to solution

Hopefully I am posting this is the right area as this is my first time posting...

I've run into a weird issue where my rich rule doesn't seem to be working. I'm even following along, sort of, in the RH254 student workbook entering in, pretty much, the exact command and it doesn't seem be working in my home lab running CentOS 7.6.

The point of the exercise, I believe, is to only allow one client to connect via ssh on a non-standard port. The command is this:

firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.15.10/24 forward-port port=42434 protocol=tcp to-port=22'

I've, of course, enter the reload and have confirmed the rule is listed in the public zone.

public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.15.10/24" forward-port port="42434" protocol="tcp" to-port="22"

I have confirmed that the IP address can still connect on the standard port 22 and on port 42434, however other clients can still ssh to the server.

What am I doing wrong? Am I not understanding the point of the exercise? I thought the point was that only the client at 192.168.15.10 could connect and only on port 42434 while other clients were denied?

0 Kudos
1 Solution

Accepted Solutions
littlebigfab
Starfighter Starfighter
Starfighter
  • 2,858 Views

Hi @t3kg33k and welcome to the RHLC ! :)

 

Your rule does exactly what it reads, nothing more :

rule family=ipv4 source address=192.168.15.10/24 forward-port port=42434 protocol=tcp to-port=22

 

In other words : for any ipv4 incoming connection from 192.168.15.10/24 to local port tcp 42434, then redirect that connection to local port tcp 22.

If you want to prevent tcp 22 to be directly reached from the outside word, you're going to need a second rule for that purpose.

 

Also note that 192.168.15.10/24 is not the single host 192.168.15.10 but actually the whole subnet 192.168.15.0/24. The single host would rather be 192.168.15.10/32 or just 192.168.15.10.

 

View solution in original post

2 Replies
littlebigfab
Starfighter Starfighter
Starfighter
  • 2,859 Views

Hi @t3kg33k and welcome to the RHLC ! :)

 

Your rule does exactly what it reads, nothing more :

rule family=ipv4 source address=192.168.15.10/24 forward-port port=42434 protocol=tcp to-port=22

 

In other words : for any ipv4 incoming connection from 192.168.15.10/24 to local port tcp 42434, then redirect that connection to local port tcp 22.

If you want to prevent tcp 22 to be directly reached from the outside word, you're going to need a second rule for that purpose.

 

Also note that 192.168.15.10/24 is not the single host 192.168.15.10 but actually the whole subnet 192.168.15.0/24. The single host would rather be 192.168.15.10/32 or just 192.168.15.10.

 

t3kg33k
Flight Engineer Flight Engineer
Flight Engineer
  • 2,854 Views

Thanks.

Yeah, in my troubleshooting steps I tried with just the single host and with /32 but it still didn't work.

The exercise doesn't call for creating a second rule to prevent port 22. But, I did remove ssh service from firewalld (didn't create another rich rule) and I was successful in the connection on port 42434 only from that designated IP. Now I know.

Thanks for the assist.

0 Kudos
Join the discussion
You must log in to join this conversation.