Firewalld with an IP alias (eth0:0)

centos7firewalld

(Solution found, see below…)

The server (CentOS 7) has multiple public IPs, these are set up via the usual ifcfg-eth0:0 config files and are working fine. I'm trying to adapt to firewalld (coming from iptables). I like to be able to specify open ports per IP alias – with iptables this was done simply by setting the destination IP to match whatever alias needed the port.

I thought with firewalld I could apply a different zone to each interface to achieve the same effect, however it seems I cannot do so.

We start with:

# firewall-cmd --get-active-zones
public
  interfaces: eth0 eth0:0
trusted
  interfaces: eth1

I created a new zone public_web that I wanted to use for eth0:0

# firewall-cmd --permanent --new-zone=public_web
success
# firewall-cmd --permanent --zone=public_web --add-service=http
success
# firewall-cmd --permanent --zone=public_web --add-interface=eth0:0
success
# firewall-cmd --reload
success

But… 

# firewall-cmd --get-active-zones
public
  interfaces: eth0 eth0:0
trusted
  interfaces: eth1

I tried --remove-interface, --change-interface and various other commands in various orders, but eth0:0 won't budge. I can't seem to find any documentation anywhere about using aliases, so I'm not sure if this is even the correct way of achieving what I'd like?

Thanks all.

Solution:

The solution is to use the destination tag in a service file, it can only be used once per service.

So let's say you want port 443 on 87.98.256.512, make a copy of the https.xml file (recommend you don't touch originals) to /etc/firewalld/services, here I'll use https-admin.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>HTTPS for 87.98.256.512</short>
  <description>...</description>
  <port protocol="tcp" port="443"/>
  <destination ipv4="87.98.256.512" />
</service>

Then

# firewall-cmd --permanent --zone=public --add-service=https-admin
success
# firewall-cmd --reload
success
# firewall-cmd --zone=public --list-services
http https-admin

And finally confirm this with iptables

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            87.98.256.512        tcp dpt:443 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW

Remember: only one destination tag per service, so just make multiple services if that's your requirement.

Best Answer

The entire interface aliasing functionality is left over from the past. It doesn't actually create a separate interface. You haven't needed to use aliases to assign multiple IPs to a single interface for a long time. Because it isn't a 'real' interface, your firewall software cannot treat it like a real interface. If you use the ip addr command you will see that the addresses are all assigned to the main interface, and the eth0:0 is simply considered to be a label for that address.

With all that in mind, I am not entirely sure what you need to do to adjust your firewall. I suspect you may need to specify ports by IP, and not by the IP address and not the alias.

Related Topic