
Firewalld replaces iptables in Red Hat/CentOS version 7.

I needed to allow ssh from all US-based Amazon Web Services IPs, and block all of the nonsense hacking attempts.

Below is a quick script that generates the needed firewall rules.

It requires jq and wget:

yum -y install jq wget

But first: having ssh in the public zone (the default) allows anyone to reach it.

So, add the ssh service and your own trusted IPs to the internal zone, and remove ssh from the public zone. These are --permanent changes, so they only take effect after a firewall-cmd --reload.

firewall-cmd --permanent --zone=internal --add-service=ssh
firewall-cmd --permanent --zone=internal --add-source=192.168.0.0/24
firewall-cmd --permanent --zone=public --remove-service=ssh

Now here's the script that populates the dmz zone (which, in firewalld's default configuration, allows only ssh) with the AWS ranges.

Note it doesn't use --permanent, so its sources are runtime-only and are lost on firewall-cmd --reload and at reboot: run it again after any --reload and at each boot.

#!/bin/bash
#
# Allow all Amazon Web Service IPs
# see http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
#
set -e
cd /tmp/
\rm -f ip-ranges.json
# Download the currently published ranges; set -e stops the script if this fails
/bin/wget -q https://ip-ranges.amazonaws.com/ip-ranges.json
# Select the IPv4 prefixes in the chosen US regions; the file lists a prefix
# once per service, so de-duplicate before adding them to the zone
for i in $(/bin/jq -r '.prefixes[]
    | select(.region=="us-east-1" or .region=="us-west-1"
          or .region=="us-west-2" or .region=="us-gov-west-1")
    | .ip_prefix' < ip-ranges.json | sort -u); do
        /bin/firewall-cmd --zone=dmz --add-source="$i"
done
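As an added example (not code from the original post), here is the same selection done in Python instead of jq, with one extra step the post's script does not do: reconciling the dmz zone against the published list, so prefixes that AWS has since withdrawn are removed as well as new ones added. The JSON is a constructed sample using RFC 5737 test addresses, and current_sources() assumes the firewall-cmd --zone/--list-sources output format (one space-separated line of sources).

```python
import ipaddress
import json
import subprocess

# Constructed sample in the shape of ip-ranges.json (RFC 5737 test addresses, not real AWS ranges):
# one prefix listed twice under different services, plus a non-US region to be filtered out.
SAMPLE_JSON = """{"prefixes": [
  {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1", "service": "AMAZON"},
  {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1", "service": "EC2"},
  {"ip_prefix": "198.51.100.0/25", "region": "us-west-2", "service": "AMAZON"},
  {"ip_prefix": "192.0.2.0/24",    "region": "eu-west-1", "service": "AMAZON"}
]}"""

US_REGIONS = frozenset({"us-east-1", "us-west-1", "us-west-2", "us-gov-west-1"})

def load_ranges(text):
    """Parse the ip-ranges.json document (given as a string)."""
    return json.loads(text)

def wanted_prefixes(doc, regions=US_REGIONS):
    """IPv4 prefixes for the chosen regions, de-duplicated and in network order."""
    nets = {ipaddress.ip_network(p["ip_prefix"], strict=False)
            for p in doc["prefixes"] if p["region"] in regions}
    return [str(n) for n in sorted(nets)]

def plan_changes(wanted, current):
    """Sources to add and to remove so the zone ends up equal to `wanted`
    (removing stale prefixes matters: the published ranges change over time)."""
    wanted, current = set(wanted), set(current)
    return sorted(wanted - current), sorted(current - wanted)

def firewall_cmds(to_add, to_remove, zone="dmz"):
    """Runtime (not --permanent) firewall-cmd invocations, as argv lists."""
    cmds = [["firewall-cmd", f"--zone={zone}", f"--add-source={s}"] for s in to_add]
    cmds += [["firewall-cmd", f"--zone={zone}", f"--remove-source={s}"] for s in to_remove]
    return cmds

def current_sources(zone="dmz"):
    """Ask the running firewalld for the zone's sources (assumed: one space-separated line)."""
    out = subprocess.run(["firewall-cmd", f"--zone={zone}", "--list-sources"],
                         capture_output=True, text=True, check=True).stdout
    return out.split()

if __name__ == "__main__":
    # Offline demo: pretend the zone currently holds only a stale non-US prefix.
    # On a live host, read the downloaded file and pass current_sources() instead.
    to_add, to_remove = plan_changes(wanted_prefixes(load_ranges(SAMPLE_JSON)), ["192.0.2.0/24"])
    for cmd in firewall_cmds(to_add, to_remove):
        print(" ".join(cmd))
```

On a live host the returned argv lists can be handed straight to subprocess.run; because the changes are runtime-only, the same sync still has to run after every --reload and at boot, exactly as with the bash version.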

To make this run at startup, after everything else, you'll need a systemd service file. Save the script above as /usr/local/sbin/lastservice (the path the unit's ExecStart points at) and make it executable.

Then create /etc/systemd/system/lastservice.service with these contents:

[Unit]
Description=Last service
After=default.target

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/lastservice

[Install]
WantedBy=default.target


Then, run these commands to enable the new service on boot.

systemctl daemon-reload
systemctl enable lastservice


That's it. You can verify that it runs last with "systemd-analyze plot > image.svg" and looking at the resulting chart.
