Centos 7.1 Firewalld source address restriction

t1nkerer asked:

I have CentOS 7.1 with firewalld installed.

There are 4 distinct services on that server: mysqld, mongod, jabberd, httpd.

I need to configure that server to allow connections to jabberd and httpd from anywhere, and to mysqld and mongod from 2 addresses only.

At the moment the public zone is active and default, bond interface is assigned here. httpd and jabberd are there and everything is working.

I have tried creating my own zone with specific sources and mongod/mysqld. I have also tried adding that to the existing "trusted"/"internal" zones. But the services are not reachable in this way. The only way to reach those services is to add them to "public".

I even tried to add rich rules to that public zone to allow those services from specific addresses. Still fails.

My answer:

Zones are defined by interface, source address, or both. A packet is matched to a zone by its source address first, and only falls back to the zone of the interface it arrived on if no source matches. This is the most confusing part of firewalld, but once you get it everything else is pretty easy.

What you want to do is define a completely new zone, bind the two source addresses to that zone, then open the destination ports (or services) on that zone that those source addresses should reach. Traffic from those two addresses is then evaluated against the new zone's rules, not public's, which is why the services have to be opened in the new zone rather than in public.

For ports that should be open to anywhere, it's fine to add them to the existing public zone. Just make sure mysqld and mongod are not left in public, because anything opened there is reachable from any address.
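The zone setup described above as a shell script (an added example, not code from the original answer). The zone name `dbclients`, the two client addresses and the mongod port number are assumed placeholders; firewalld service names are used where CentOS 7.1 ships them.

```shell
#!/bin/sh
# Added example, not from the original answer: a source-restricted firewalld
# zone for mysqld/mongod on CentOS 7, while httpd/jabberd stay in "public".
# Zone name and the two client addresses are placeholders; replace them.
set -eu

ZONE="dbclients"                        # assumed zone name
SOURCES="192.0.2.10/32 192.0.2.11/32"   # constructed sample client addresses

# run: execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Sources decide which packets land in the zone; services/ports decide which
# destination ports those sources may reach. No interface is bound to the
# zone, so the bond interface (and every other source) stays in "public".
configure_db_zone() {
    run firewall-cmd --permanent --new-zone="$ZONE"
    for src in $SOURCES; do
        run firewall-cmd --permanent --zone="$ZONE" --add-source="$src"
    done
    run firewall-cmd --permanent --zone="$ZONE" --add-service=mysql
    # mongod default port; firewalld on 7.1 may not ship a mongodb service.
    run firewall-cmd --permanent --zone="$ZONE" --add-port=27017/tcp
    # Anything left in "public" is reachable from anywhere, so take the
    # database services back out of it (ignore "not enabled" warnings).
    run firewall-cmd --permanent --zone=public --remove-service=mysql || true
    run firewall-cmd --permanent --zone=public --remove-port=27017/tcp || true
    run firewall-cmd --reload
}

# Check: the new zone must show up as active with its sources and services,
# and public must list only the world-open services.
show_zones() {
    run firewall-cmd --get-active-zones
    run firewall-cmd --zone="$ZONE" --list-all
    run firewall-cmd --zone=public --list-all
}

if [ "${1:-}" = apply ]; then
    configure_db_zone
    show_zones
fi
```

Run it as `sh script.sh apply` on the server, or with `DRY_RUN=1` first to see the firewall-cmd invocations it would make.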

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.