
Firewalld replaces iptables in Red Hat/CentOS version 7.

I needed to allow ssh from all US-based Amazon Web Service IPs, and block all of the nonsense hacking attempts.

Below is a quick script that generates the needed firewall rules.

It requires jq and wget.

"yum -y install jq wget"

But first: having ssh in the public zone (the default) allows anyone to access it.

So, add the ssh service and access for your own trusted IPs to the internal zone, and remove it from the public zone.

firewall-cmd --permanent --zone=internal --add-service=ssh
firewall-cmd --permanent --zone=internal --add-source=
firewall-cmd --permanent --zone=public --remove-service=ssh

Now here’s the script to create the dmz zone.

Note it doesn’t use --permanent, so it should be run after --reload and at each reboot.

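# Allow all Amazon Web Service IPs
# see 
cd /tmp/
\rm -f ip-ranges.json
# Fetch the current list (AWS's published ip-ranges.json)
wget -q https://ip-ranges.amazonaws.com/ip-ranges.json
# Select the IPv4 prefixes of the US regions; no backslashes inside the
# single-quoted jq filter, since jq would receive them literally
for i in `/bin/jq -r '.prefixes[] |
    select(.region=="us-east-1"),
    select(.region=="us-west-1"),
    select(.region=="us-west-2"),
    select(.region=="us-gov-west-1") |
    .ip_prefix' < ip-ranges.json |
    sort -u`; do
        # Runtime-only rule: each prefix becomes a source of the dmz zone
        /bin/firewall-cmd --zone=dmz --add-source="$i"
done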
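
An added example, not part of the original post: the same region filter in Python, going a step beyond the shell script by validating every prefix before it reaches firewall-cmd, collapsing duplicate and overlapping ranges, and refusing an empty result (for instance after a failed download). The JSON sample is constructed from documentation address blocks, and the function names are illustrative.

```python
import ipaddress
import json

# Regions taken from the post's jq filter.
US_REGIONS = {"us-east-1", "us-west-1", "us-west-2", "us-gov-west-1"}

# Constructed sample in the shape of ip-ranges.json (not real AWS ranges).
SAMPLE = json.dumps({
    "syncToken": "0",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-west-2", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.64/26", "region": "us-west-2", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "AMAZON"},
    ],
})


def us_sources(raw, regions=US_REGIONS):
    """Return validated, collapsed IPv4 networks for the wanted regions."""
    doc = json.loads(raw)
    nets = set()
    for entry in doc.get("prefixes", []):
        if entry.get("region") in regions:
            # strict=True rejects prefixes with host bits set; anything that
            # is not a CIDR raises ValueError instead of reaching the firewall.
            nets.add(ipaddress.IPv4Network(entry["ip_prefix"], strict=True))
    if not nets:
        # An empty or truncated download must not silently yield no rules.
        raise ValueError("no prefixes matched; refusing to build an empty rule set")
    # Merge duplicates, adjacent blocks and subnets already covered by a parent.
    return list(ipaddress.collapse_addresses(nets))


def firewall_commands(raw, zone="dmz"):
    """Build argv lists (no shell involved) for the runtime --add-source calls."""
    return [["firewall-cmd", "--zone=" + zone, "--add-source=" + str(net)]
            for net in us_sources(raw)]


if __name__ == "__main__":
    for argv in firewall_commands(SAMPLE):
        print(" ".join(argv))
```
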

To make this run at startup, after everything else, you’ll need a systemd service file.

Create: /etc/systemd/system/lastservice.service with these contents:

Description=Last service




Then, run these commands to enable the new service on boot.

systemctl daemon-reload
systemctl enable lastservice


That’s it. You can verify that it is running last by running “systemd-analyze plot >image.svg”