Q.) How can you see the total TCP connection count on your Linux system?
Q.) How can you make your Linux server reboot automatically when the kernel enters panic mode?
Q.) How will you deny IPv4 traffic over TCP from host 172.168.2.0 to port 22 in your Linux VM?
Bonus Q.) How can you do the same using an Ansible playbook?
Level - L2 and above.
I'll be posting a series of Linux-related questions covering various skill levels. Feel free to share your insights and expertise. Your contributions will benefit learners at all stages, from those in current roles to those preparing for Linux interviews.
In response to Question 1, the following command will show all listening and non-listening TCP connections on the current host:
ss -at
To get the count you could pipe the output through wc and subtract one (1) for the newline.
@Ad_astra thanks for the answer!
So, you want the Linux system to auto reboot after a kernel panic?
Okay, here's one way:
1) Add the following line to the /etc/sysctl.conf file:
kernel.panic = 8
# When a kernel panic occurs, the above line - "kernel.panic = 8" - configures
# the system to reboot, after an 8 second delay
2) Execute the command sysctl -p to re-read the sysctl.conf file
Two steps, and you're done!!!
There are other approaches, but I'll provide only this one, and let someone else
get in on this juicy query!
The host with IP address 172.168.2.0 ain't welcome to communicate with the
VM, at least not over port 22, so we want to close that door. Okay, sounds
like we need to recruit the services of the firewall service (firewalld).
Let's start by executing the following command:
# firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4"
source address="172.168.2.0" port port="22" protocol="tcp" reject'
Notes:
- The command above is shown on two lines, but it is only one (1) command.
- Please pay close attention to the single and double quotation marks.
Now, let me offer a little explanation to some of the pieces in the firewall-cmd
command above:
--zone=public - Applies the rule to the "public" zone, which is typically used for
external network access
--permanent - Makes the rule persistent across system reboots
--add-rich-rule - Allows for a more detailed rule definition
--rule family="ipv4" - Specifies that the rule applies to IPv4 traffic
--protocol="tcp" - Filters only TCP traffic
--port="22" - Targets port 22 (SSH)
--source-address="172.168.2.0" - Defines the specific IP address to block/deny
--reject - Instructs the firewall to send a "reject" packet back to the source when
a connection attempt is made
After executing the lengthy command, you'll then have to activate that rule in the
firewall service, by executing the following command:
# firewall-cmd --reload
If you like, you can verify that the rule did in fact get added to the list of firewall
rules, using the following command:
# firewall-cmd --list-rich-rules
- This command will display all firewall rules, including the one previously added
Okay, that should achieve what we're wanting to do - block/deny SSH connections
to the VM, from host 172.168.2.0.
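The bonus question above asks for the same thing as an Ansible playbook. The playbook below is an added example, not from the original thread: it counts TCP sockets, sets kernel.panic = 8, applies the firewalld reject rule, and then verifies that the rule is active. It assumes the ansible.posix collection is installed and that the managed hosts run firewalld; "linux_vms" is a placeholder inventory group name.

```yaml
# Added example (not from the thread): the three answers above as one playbook.
# Assumes the ansible.posix collection is installed and the managed hosts run
# firewalld; "linux_vms" is a placeholder inventory group.
- name: Apply the thread's three answers to Linux VMs
  hosts: linux_vms
  become: true

  tasks:
    # Q1: count TCP sockets. -H drops the header line, so nothing to subtract.
    - name: Count all TCP sockets (listening and non-listening)
      ansible.builtin.shell: ss -Htan | wc -l
      register: tcp_count
      changed_when: false

    - name: Report the TCP socket count
      ansible.builtin.debug:
        msg: "TCP sockets on {{ inventory_hostname }}: {{ tcp_count.stdout | trim }}"

    # Q2: kernel.panic = 8 in /etc/sysctl.conf, applied now (sysctl_set) and
    # re-read with sysctl -p (reload), as in the manual two-step answer.
    - name: Reboot automatically 8 seconds after a kernel panic
      ansible.posix.sysctl:
        name: kernel.panic
        value: "8"
        state: present
        sysctl_file: /etc/sysctl.conf
        sysctl_set: true
        reload: true

    # Q3: the rich rule from the firewall-cmd answer. permanent + immediate
    # saves it and activates it, so no separate --reload is needed.
    - name: Reject SSH (TCP/22) from 172.168.2.0 in the public zone
      ansible.posix.firewalld:
        zone: public
        rich_rule: rule family="ipv4" source address="172.168.2.0" port port="22" protocol="tcp" reject
        permanent: true
        immediate: true
        state: enabled

    # Verify, like firewall-cmd --list-rich-rules: fail the play if the rule is absent.
    - name: List the public zone's rich rules
      ansible.builtin.command: firewall-cmd --zone=public --list-rich-rules
      register: rich_rules
      changed_when: false

    - name: Fail if the reject rule for 172.168.2.0 is not active
      ansible.builtin.assert:
        that: "'source address=\"172.168.2.0\"' in rich_rules.stdout and 'port=\"22\"' in rich_rules.stdout"
        fail_msg: "TCP/22 reject rule for 172.168.2.0 is missing from the public zone"
```

Run it with ansible-playbook against an inventory that defines the linux_vms group; the final assert task makes the play fail loudly if the rule was saved but never activated.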
Red Hat Learning Community