(Solution found, see below…)
The server (CentOS 7) has multiple public IPs, these are set up via the usual ifcfg-eth0:0
config files and are working fine. I'm trying to adapt to firewalld (coming from iptables). I like to be able to specify open ports per IP alias – with iptables this was done simply by setting the destination IP to match whatever alias needed the port.
I thought with firewalld I could apply a different zone to each interface to achieve the same effect, however it seems I cannot do so.
We start with:
# firewall-cmd --get-active-zones
public
interfaces: eth0 eth0:0
trusted
interfaces: eth1
I created a new zone public_web
that I wanted to use for eth0:0
# firewall-cmd --permanent --new-zone=public_web
success
# firewall-cmd --permanent --zone=public_web --add-service=http
success
# firewall-cmd --permanent --zone=public_web --add-interface=eth0:0
success
# firewall-cmd --reload
success
But…
# firewall-cmd --get-active-zones
public
interfaces: eth0 eth0:0
trusted
interfaces: eth1
I tried --remove-interface
, --change-interface
and various other commands in various orders, but eth0:0
won't budge. I can't seem to find any documentation anywhere about using aliases, so I'm not sure if this is even the correct way of achieving what I'd like?
Thanks all.
Solution:
The solution is to use the destination
tag in a service file, it can only be used once per service.
So let's say you want port 443 on 87.98.256.512, make a copy of the https.xml
file (recommend you don't touch originals) to /etc/firewalld/services
, here I'll use https-admin.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>HTTPS for 87.98.256.512</short>
<description>...</description>
<port protocol="tcp" port="443"/>
<destination ipv4="87.98.256.512" />
</service>
Then
# firewall-cmd --permanent --zone=public --add-service=https-admin
success
# firewall-cmd --reload
success
# firewall-cmd --zone=public --list-services
http https-admin
And finally confirm this with iptables
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 87.98.256.512 tcp dpt:443 ctstate NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW
Remember: only one destination
tag per service, so just make multiple services if that's your requirement.
Best Answer
The entire interface aliasing functionality is left over from the past. It doesn't actually create a separate interface. You haven't needed to use aliases to assign multiple IPs to a single interface for a long time. Because it isn't a 'real' interface, your firewall software cannot treat it like a real interface. If you use the
ip addr
command you will see that the addresses are all assigned to the main interface, and theeth0:0
is simply considered to be a label for that address.With all that in mind, I am not entirely sure what you need to do to adjust your firewall. I suspect you may need to specify ports by IP, and not by the IP address and not the alias.