Fedora 20 – How to use firewalld to only allow ssh from a range

fedorafedora-20firewalld

I have been seeing a lot of brute force attempts on a fedora box. How do I use firewalld to block all ssh traffic outside of a given range? I'm looking for something like the iptables:

iptables -A INPUT -p tcp --destination-port 22 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT

Best Answer

Also just as an alternative to Iptables. You can control the ssh access as followed

Edit your /etc/ssh/sshd_config

AllowUsers admin@192.169.1.100 admin@192.168.1.200 testadmin

--OR--

AllowUsers *@192.168.1.100 *@192.168.1.200

Restart sshd services.

Related Solutions

Firewalld: trouble forwarding port 25 while other ports forward just fine, “rich rule” logging shows NO entries

This problem has nothing to do with firewalld, though it DID illuminate a bug with firewalld logging.

The issue was that for the duration of the upgrade, I'd switched the default route of the internal system providing mail services to a different gateway / firewall, uninvolved in the upgrade. I had thought that this was a good idea because the new system was having problems, I thought.

When I returned the internal SMTP serving system to use the new gateway machine as its default route, it all started working! It turns out there's a requirement nobody tells you about - never yet found it documented, but now that I've found it, some old timers confirm - that either the default route has to be set to the same as where the packets are forwarded from OR you have to have special routes set up to return the packets in the same path from whence they came. THAT is the requirement: the return route must equal source route.

Good luck out there!

Firewalld service taking too long to reload (Fedora 20)

About troubleshooting, this explains how to enable debugging info in firewalld:

https://lists.fedorahosted.org/pipermail/firewalld-users/2013-February/000049.html

Maybe you could also try a:

# firewall-cmd --complete-reload

from firewall-cmd manpage:

Reload firewall completely, even netfilter kernel modules. This will most likely terminate active connections, because state information is lost. This option should only be used in case of severe firewall problems. For example if there are state information problems that no connection can be established with correct firewall rules.

If the --complete-reload turns out to be faster, could be in favor of your theory of the hanging connection.

Best Answer

Related Solutions

Firewalld: trouble forwarding port 25 while other ports forward just fine, “rich rule” logging shows NO entries

Firewalld service taking too long to reload (Fedora 20)

Related Topic