How to Open Port for a Specific IP Address in Firewalld?

In today's interconnected world, network security is of utmost importance. One essential aspect of securing your network is managing the access to specific ports on your system. Firewalld, a dynamic firewall management tool, provides a flexible and user-friendly approach to firewall configuration in CentOS and other Linux distributions.

This guide will focus on a common scenario: opening a port for a specific IP address in Firewalld. By allowing access only to specific IP addresses, you can enhance the security of your system and restrict unauthorized access through rich rules that provide granular control over traffic.

Understanding Firewalld Zones and Services

When it comes to managing network security using Firewalld, it's essential to grasp the concepts of zones and services. These components play a vital role in defining the behavior of your firewall and ensuring the appropriate level of protection.

  • Firewalld Zones: Firewalld categorizes network interfaces and connections into different zones, each serving a specific purpose. These predefined zones, including public, internal, and trusted, determine the level of trust associated with a particular network segment. By assigning interfaces to the appropriate zones, you can control access and set different rules for each zone.

  • Firewalld Services: Services in Firewalld represent specific applications or protocols associated with a port or a range of ports. They define the allowed network traffic and can be assigned to specific zones. By utilizing services, you can easily manage and apply consistent rules for common services across your firewall configuration.

Identifying the Specific IP Address

Before opening a port for a specific IP address in Firewalld, you need to identify the IP address you want to grant access to. Here are several methods to obtain the IP address:

Check Network Configuration

$ ip addr show

Look for the network interface associated with the desired IP address. Note down the IP address and interface name.

Review Network Traffic

$ sudo tcpdump -i <interface> host <desired_ip>

Replace <interface> with the network interface name from the previous step, and <desired_ip> with the desired IP address. Analyze the captured packets to confirm that traffic from that address is actually reaching the interface.

Inspect System Logs

$ sudo journalctl | grep <desired_ip>

Search the system logs for entries related to the desired IP address. This method helps identify IPs that have previously accessed your system.
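The journalctl search above returns raw log lines. As an added example that is not part of the original guide, the script below summarizes sshd log lines by source address and outcome, so the address you allow is one with a history of successful logins rather than one seen only in failed attempts. The sample log lines are constructed, and the function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: summarize sshd log lines by
# source address so the IP to allow is chosen from evidence. Reads log text
# (journalctl or /var/log/secure format) on stdin and prints
# "<accepted|failed> <ipv4> <count>", accepted first, most frequent first.
summarize_ssh_sources() {
    awk '
        /sshd\[[0-9]+\]: (Accepted|Failed) / {
            status = ($0 ~ /: Accepted /) ? "accepted" : "failed"
            # the source address is the word after "from" on these lines
            for (i = 1; i < NF; i++)
                if ($i == "from" && $(i+1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    count[status " " $(i+1)]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k1,1 -k3,3rn -k2,2
}

# Constructed sample lines in the format sshd writes to the journal.
SAMPLE_LOG=$(cat <<'EOF'
Mar 17 08:55:01 host sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:constructed-fingerprint
Mar 17 08:55:40 host sshd[1210]: Failed password for invalid user admin from 198.51.100.7 port 40211 ssh2
Mar 17 08:56:02 host sshd[1215]: Accepted publickey for alice from 192.0.2.10 port 51300 ssh2: ED25519 SHA256:constructed-fingerprint
Mar 17 08:56:30 host sshd[1220]: Failed password for root from 198.51.100.7 port 40300 ssh2
Mar 17 08:57:00 host sshd[1230]: Failed password for root from 198.51.100.7 port 40310 ssh2
Mar 17 08:57:15 host sshd[1235]: Connection closed by 203.0.113.5 port 33000 [preauth]
EOF
)

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_ssh_sources
```

On a live host, feed it the journal directly, for example `journalctl -u sshd --since "-7d" | summarize_ssh_sources`; addresses that appear only under "failed" are candidates for blocking, not for a per-IP allow rule.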

Opening a Port for a Specific IP Address

Now that you have identified the specific IP address, you can proceed with opening a port for that IP address in Firewalld using rich rules. Follow these steps:

Step 1: Verify Firewalld Status

$ sudo systemctl status firewalld

Ensure that the service is active and running.

Step 2: Identify the Target Zone

$ sudo firewall-cmd --get-active-zones
$ sudo firewall-cmd --get-default-zone

Identify the appropriate zone for your network interface. The public zone is commonly used for external-facing interfaces.

Step 3: Create a Rich Rule

Use a rich rule to allow access from the specific IP address to a designated port:

$ sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100/32" port protocol="tcp" port="22" accept' --permanent

This command allows IP address 192.168.1.100 to access port 22 (SSH) over TCP. Replace the values as needed:

  • --zone=public: Specifies the target zone

  • source address="192.168.1.100/32": The specific IP address (CIDR /32 for a single IP)

  • port="22": The port number to open

  • protocol="tcp": The protocol (tcp or udp)

  • --permanent: Writes the rule to the permanent configuration so it persists across reboots; it takes effect in the running firewall only after the reload in Step 4

Step 4: Reload Firewalld

$ sudo firewall-cmd --reload

Step 5: Verify the Configuration

$ sudo firewall-cmd --zone=public --list-rich-rules

Verify that the rich rule appears in the output; this confirms that the rule is loaded in the running configuration and that the port is now accessible from the specified IP address.
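As a follow-up to Steps 3 to 5, the script below is an added example (not part of the original guide; its function names are this example's own) that validates the address, port and protocol before they are spliced into the rule string, builds the rule in the normalized form that --list-rich-rules prints, and checks whether the zone already opens the same port to every source through --list-ports or --list-services, in which case the per-IP rule restricts nothing. The zone listings used in the offline demonstration at the end are constructed stand-ins for a default public zone.

```shell
#!/bin/sh
# Added example, not from the original guide. Validates the operator-supplied
# values before they are spliced into a firewalld rich rule, builds the rule
# in the normalized form firewall-cmd prints, and warns when the zone already
# opens the same port to all sources. Function names are this example's own;
# the firewall-cmd options are the ones the guide uses.

# 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    addr=${1%%/*}
    prefix=${1#"$addr"}; prefix=${prefix#/}      # "" or the prefix length
    case "$1" in */) return 1 ;; esac
    case "$addr" in *[!0-9.]*|.*|*.|*..*|"") return 1 ;; esac
    n=0; old_ifs=$IFS; IFS=.
    for octet in $addr; do
        n=$((n + 1))
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ] || return 1
    case "$prefix" in "") return 0 ;; *[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ]
}

# 0 if $1 is a port (1-65535) or an ascending range "low-high".
valid_port() {
    case "$1" in ""|*[!0-9-]*|-*|*-|*-*-*) return 1 ;; esac
    low=${1%%-*}; high=${1#*-}
    [ "$low" -ge 1 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ]
}

# Print the rich rule for source $1, port $2, protocol $3, or fail loudly.
# Attribute order matches what --list-rich-rules prints, so the output can be
# matched verbatim when verifying or removing the rule.
build_rich_rule() {
    valid_ipv4_cidr "$1" || { echo "rejected address: $1" >&2; return 1; }
    valid_port "$2"      || { echo "rejected port: $2" >&2; return 1; }
    case "$3" in tcp|udp) ;; *) echo "rejected protocol: $3" >&2; return 1 ;; esac
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept\n' \
        "$1" "$2" "$3"
}

# 0 if port $1/$2 is already open to every source, judging from the zone's
# "--list-ports" output ($3) and "--list-services" output ($4). The
# service-to-port map covers only the services this guide mentions.
zone_already_open() {
    case " $3 " in *" $1/$2 "*) return 0 ;; esac
    for svc in $4; do
        case "$svc:$1/$2" in ssh:22/tcp|http:80/tcp|https:443/tcp) return 0 ;; esac
    done
    return 1
}

# The guide's Steps 3 to 5 with validation in front; run on a firewalld host.
allow_port_from_ip() {
    zone=$1; addr=$2; port=$3; proto=$4
    rule=$(build_rich_rule "$addr" "$port" "$proto") || return 1
    if zone_already_open "$port" "$proto" \
            "$(sudo firewall-cmd --zone="$zone" --list-ports)" \
            "$(sudo firewall-cmd --zone="$zone" --list-services)"; then
        echo "warning: zone $zone already allows $port/$proto from any source" >&2
    fi
    sudo firewall-cmd --zone="$zone" --add-rich-rule="$rule" --permanent &&
    sudo firewall-cmd --reload &&
    sudo firewall-cmd --zone="$zone" --list-rich-rules | grep -Fx -- "$rule"
}

# Offline demonstration with constructed zone listings that mirror a default
# public zone (no extra ports; dhcpv6-client and ssh services enabled).
rule=$(build_rich_rule 192.168.1.100/32 22 tcp) && echo "$rule"
if zone_already_open 22 tcp "" "dhcpv6-client ssh"; then
    echo "note: ssh service is enabled in the zone, so 22/tcp is open to all sources"
fi
```

On a firewalld host, `allow_port_from_ip public 192.168.1.100/32 22 tcp` performs the guide's add, reload and verify sequence. The warning matters because a rich rule ending in accept only adds an allow; it does not narrow what the zone already grants. If the public zone still lists the ssh service, port 22 stays open to everyone, and you would remove that service (`sudo firewall-cmd --zone=public --remove-service=ssh --permanent`, then reload) for the rich rule to become the only path in.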

Removing Rules and Closing Access

If you need to revoke access for the specific IP address, you can remove the rich rule using the following steps:

List Current Rich Rules

$ sudo firewall-cmd --zone=public --list-rich-rules

Remove the Specific Rule

$ sudo firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.1.100/32" port protocol="tcp" port="22" accept' --permanent

Reload Configuration

$ sudo firewall-cmd --reload

Advanced Examples

Multiple Ports for the Same IP

$ sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100/32" port protocol="tcp" port="80" accept' --permanent
$ sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100/32" port protocol="tcp" port="443" accept' --permanent

Port Range Access

$ sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100/32" port protocol="tcp" port="8000-8010" accept' --permanent

Conclusion

Firewalld's rich rules provide precise control over network access by allowing you to open ports for specific IP addresses. This approach significantly enhances system security by restricting access to authorized sources only. By following the outlined steps, you can implement granular firewall policies that balance accessibility with security requirements.

Updated on: 2026-03-17T09:01:39+05:30
