How to Enable IP Whitelist Using FirewallD


Firewalld is a firewall management solution available for many Linux distributions that acts as a front-end to the iptables packet filtering system provided by the Linux kernel.
In this tutorial, we introduce how to set up a firewall for the server and use the firewall-cmd management tool to manage the firewall and add IP whitelists.

Basic concepts in Firewalld

zone

A zone is basically a set of rules that determine what traffic is allowed, depending on how much you trust the network your computer is connected to. A network interface is assigned a zone to indicate the behavior that the firewall should allow.
Firewalld generally has 9 built-in zones by default. In most cases, these are enough. In order from the least trusted to the most trusted, they are:

drop: the lowest trust level. All incoming connections are dropped without reply, and only outgoing connections can be made.
block: Similar to the above, but instead of silently dropping the connection, incoming requests are rejected with icmp-host-prohibited and icmp6-adm-prohibited messages.
public: Represents a public network that is not trusted. You do not trust the other computers, but may allow selected incoming connections as appropriate. By default, this zone is active.
external: The external network when the firewall is used as a gateway. It is configured for NAT masquerading so that your internal network remains private but still reachable.
internal: The counterpart of the external zone, used for the inside of the gateway. These computers are trustworthy and have access to some additional services.
dmz: Used for computers in a DMZ (demilitarized zone): isolated computers that have no access to the rest of the network, where only certain incoming connections are allowed.
work: Used for work machines. Most computers on the network are trusted, and some additional services may be allowed.
home: Home environment. Typically this means you trust most other computers and will accept some additional services.
trusted: Trusts all computers on the network. The most open of the available options and should be used with caution.

Install and enable firewall

Firewalld is installed by default on some Linux distributions, but sometimes it needs to be installed manually. The installation command under CentOS is as follows:

$ sudo yum install firewalld

Enable Firewalld service and allow auto-start

$ sudo systemctl start firewalld
$ sudo systemctl enable firewalld

Confirm that the Firewalld service is running

$ sudo firewall-cmd --state

If it returns running, the service is running; not running means it is not.

Become familiar with current firewall rules

Enter the following command to see which zone is currently selected as the default zone:

$ sudo firewall-cmd --get-default-zone

Under normal circumstances, public will be returned.
Enter the following to confirm which zones are active:

$ sudo firewall-cmd --get-active-zones

Under normal circumstances, when there is only one network interface, it will return:

public
  interfaces: eth0

To get a list of available zones, enter the following command:

$ sudo firewall-cmd --get-zones

return:

block dmz drop external home internal public trusted work

By combining the --list-all argument with --zone, we can see the specific configuration associated with a zone:

$ sudo firewall-cmd --zone=home --list-all

return value:

home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

To get the details of every available zone at once, enter the following command:

$ sudo firewall-cmd --list-all-zones

Configure IP whitelist using Firewalld

As mentioned before, Firewalld has built-in zones, and you can use the different features of these zones to configure IP whitelists quickly and easily.
The specific method is to first collect the whitelist of IP ranges you want to allow, for example all of Cloudflare's IP ranges:

103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
104.16.0.0/13
104.24.0.0/14
108.162.192.0/18
131.0.72.0/22
141.101.64.0/18
162.158.0.0/15
172.64.0.0/13
173.245.48.0/20
188.114.96.0/20
190.93.240.0/20
197.234.240.0/22
198.41.128.0/17

At the same time, you must also add your own IP address; otherwise, once the whitelist takes effect, you may be locked out of the server.

Add these IP ranges to the trusted zone one by one with the following command:

$ sudo firewall-cmd --permanent --zone=trusted --add-source=173.245.48.0/20
……
$ sudo firewall-cmd --permanent --zone=trusted --add-source=131.0.72.0/22

To make the trusted zone settings take effect, use the following command:

$ sudo firewall-cmd --reload

To confirm whether the trusted zone is set correctly, use the following command:

$ sudo firewall-cmd --zone=trusted --list-all

return:

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 173.245.48.0/20 …… 131.0.72.0/22
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Now that the trusted zone is set up, the default zone must also be switched from public to drop so that all incoming connections not matching a trusted source are ignored. Use the following command:

$ sudo firewall-cmd --set-default-zone=drop

Then assign the default network interface eth0 to the drop zone with the following command:

$ sudo firewall-cmd --permanent --zone=drop --change-interface=eth0

To make the whitelist finally take effect, use the following command (Notice: confirm once more that all your own IPs have been added to the trusted zone):

$ sudo firewall-cmd --reload

At this point, the whitelist setting officially takes effect.
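The whole procedure above, as an added example that is not part of the original post: a POSIX sh script that reads a CIDR list, validates each entry, refuses to continue unless the operator's own address is in the list (the lock-out caveat from the text), and then runs the same firewall-cmd steps in the same order. The function names and the DRY_RUN switch are hypothetical; with DRY_RUN set the commands are only printed.

```shell
#!/bin/sh
# Added example, not code from the original post. Names (is_cidr, run_step,
# build_whitelist, DRY_RUN) are hypothetical. With DRY_RUN set, the
# firewall-cmd lines are printed instead of executed.

# Accept an IPv4 address or IPv4 CIDR with octets 0-255 and prefix 0-32.
is_cidr() {
    addr=${1%/*}; pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32          # no "/": treat as a single host
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    [ "$pfx" -ge 0 ] 2>/dev/null && [ "$pfx" -le 32 ] || return 1
    for o in $(echo "$addr" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Print the command in dry-run mode, otherwise execute it.
run_step() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Usage: build_whitelist <your-own-ip> <interface> < cidr-list
# Blank lines and "#" comments in the list are ignored. The function refuses
# to run unless your own address is present, so switching the default zone
# to drop cannot lock you out.
build_whitelist() {
    own=$1; iface=$2; have_own=0; sources=""
    while IFS= read -r line; do
        line=${line%%#*}; line=$(echo "$line" | tr -d ' \t')
        [ -z "$line" ] && continue
        is_cidr "$line" || { echo "bad entry: $line" >&2; return 2; }
        [ "${line%/32}" = "${own%/32}" ] && have_own=1
        sources="$sources $line"
    done
    [ "$have_own" -eq 1 ] || { echo "own IP $own missing from list" >&2; return 3; }
    # Same steps as the tutorial: add sources, reload, drop by default,
    # move the interface into drop, reload again.
    for s in $sources; do
        run_step sudo firewall-cmd --permanent --zone=trusted --add-source="$s"
    done
    run_step sudo firewall-cmd --reload
    run_step sudo firewall-cmd --set-default-zone=drop
    run_step sudo firewall-cmd --permanent --zone=drop --change-interface="$iface"
    run_step sudo firewall-cmd --reload
}
```

Run it first with DRY_RUN=1 to review the generated commands, then without it on the server (the list file must end with a newline, since the last unterminated line is skipped by read).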

Postscript

The reason we needed to set up an IP whitelist is that we recently encountered a SYN_RECV flood. A large number of IPs connected to the server's ports 80 and 443, which instantly brought the whole machine to a halt.
Because the website uses Cloudflare's CDN service, the server is configured to allow access only from all of Cloudflare's IP ranges and from our own commonly used fixed IP.
All other IPs are not allowed to connect, which mitigates DDoS attacks while keeping the website operating normally.

Reference link

https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7
