@kun432
Last active January 16, 2022 17:40
Adding a user-defined service with firewall-cmd

For example, to open SSH on port 10022, copy the stock ssh service definition and change the port:

$ cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/ssh-10022.xml
$ vi /etc/firewalld/services/ssh-10022.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH(10022)</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="10022"/>
</service>

firewalld only reads /etc/firewalld/services/ on (re)load, so the new definition file is not visible until you run firewall-cmd --reload first (the option form; there is no "reload" subcommand):

$ firewall-cmd --reload
success

The zone to add the service to can be checked as follows (without --zone, --list-all shows the default zone):

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

In the output above the public zone is bound to eth0 and eth1, so the service is added to that zone:

# firewall-cmd --permanent --zone=public --add-service=ssh-10022
# firewall-cmd --reload
success
# firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: dhcpv6-client ssh ssh-10022
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
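The procedure above (write the XML, reload, bind it to the zone, reload again) as an added script that is not part of the original gist. It generates the service file for any name/port instead of hand-editing a copy of ssh.xml, rejects names and ports firewalld would choke on, and confirms the runtime state with --query-service. The function names, the --apply flag and the FIREWALLD_SERVICES_DIR override are this example's own assumptions; the firewall-cmd options are the ones used on this page.

```sh
#!/bin/sh
# Added example (not from the original gist): generate a firewalld service
# definition for an alternate SSH port and install it into a zone.
# Assumption: FIREWALLD_SERVICES_DIR defaults to /etc/firewalld/services and
# can be overridden (e.g. to a temp dir) for a dry run.

FIREWALLD_SERVICES_DIR="${FIREWALLD_SERVICES_DIR:-/etc/firewalld/services}"

# Print the service XML for NAME on PORT/PROTO to stdout.
# Returns 1 on invalid input so nothing half-formed is ever written.
make_service_xml() {
    name="$1"; port="$2"; proto="${3:-tcp}"
    case "$name" in
        *[!A-Za-z0-9_-]*|"") echo "invalid service name: $name" >&2; return 1 ;;
    esac
    case "$port" in
        *[!0-9]*|"") echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    case "$proto" in
        tcp|udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH($port)</short>
  <description>OpenSSH listening on ${proto}/${port} instead of the default port 22.</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# Write the XML to $FIREWALLD_SERVICES_DIR/NAME.xml with the same 0644 mode
# the shipped definitions under /usr/lib/firewalld/services carry.
write_service_file() {
    name="$1"; port="$2"; proto="${3:-tcp}"
    xml=$(make_service_xml "$name" "$port" "$proto") || return 1
    mkdir -p "$FIREWALLD_SERVICES_DIR"
    printf '%s\n' "$xml" > "$FIREWALLD_SERVICES_DIR/$name.xml"
    chmod 0644 "$FIREWALLD_SERVICES_DIR/$name.xml"
}

# Make firewalld see the new file, bind it to ZONE permanently, reload, and
# confirm the runtime zone really has it. Needs root and a running firewalld.
install_service_in_zone() {
    zone="$1"; name="$2"
    firewall-cmd --reload >/dev/null || return 1               # pick up the new XML
    firewall-cmd --permanent --zone="$zone" --add-service="$name" >/dev/null || return 1
    firewall-cmd --reload >/dev/null || return 1               # apply the permanent change
    firewall-cmd --zone="$zone" --query-service="$name"        # exit 0 only if the service is active
}

# Usage (hypothetical flag): ./add-ssh-service.sh --apply ssh-10022 10022 public
if [ "${1:-}" = "--apply" ]; then
    write_service_file "$2" "$3" && install_service_in_zone "${4:-public}" "$2"
fi
```

Run it with FIREWALLD_SERVICES_DIR pointing at a scratch directory to inspect the XML before touching the live configuration; the install step is the only part that needs root.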
kun432 commented Jan 16, 2022

To allow only a specific IP address:

# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.56.22" port protocol="tcp" port="10022" accept'
# firewall-cmd --remove-service=ssh-10022 --zone=public --permanent
# firewall-cmd --reload
success
# firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="192.168.56.22" port port="10022" protocol="tcp" accept

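An added example (not from the gist or its author) for the comment above: it builds the rich rule with shell quoting that delivers the inner double quotes to firewalld intact, and then audits a --list-all listing for what is still reachable. The point worth checking is visible in the output above: after swapping ssh-10022 for the source-restricted rule, the stock ssh service (tcp/22) is still in the services line, so port 22 remains open to every source. The sample listing is constructed from the page's output; function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original gist): quote a rich rule safely and
# audit a zone listing for services still open to all sources.
# Nothing here talks to firewalld; the listing is a constructed sample.

# Print a rich rule accepting PORT/PROTO only from ADDR. The caller wraps the
# result in single quotes (or passes it as one argument), so firewalld sees:
#   rule family="ipv4" source address="ADDR" port protocol="PROTO" port="PORT" accept
rich_rule_allow_from() {
    addr="$1"; port="$2"; proto="${3:-tcp}"
    [ -n "$addr" ] || { echo "missing source address" >&2; return 1; }
    case "$port" in
        *[!0-9]*|"") echo "invalid port: $port" >&2; return 1 ;;
    esac
    printf 'rule family="ipv4" source address="%s" port protocol="%s" port="%s" accept\n' \
        "$addr" "$proto" "$port"
}

# Apply RULE to ZONE permanently and reload (root + running firewalld).
# Passing "$rule" as a single argument avoids the nested-quote problem.
apply_rich_rule() {
    zone="$1"; rule="$2"
    firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule" >/dev/null || return 1
    firewall-cmd --reload >/dev/null
}

# Given `firewall-cmd --list-all --zone=ZONE` output on stdin, print the
# services enabled for every source (the "services:" line).
zone_services() {
    sed -n 's/^[[:space:]]*services:[[:space:]]*//p'
}

# Exit 0 if the listing on stdin still exposes SERVICE to any source.
zone_exposes_service() {
    svc="$1"
    for s in $(zone_services); do
        [ "$s" = "$svc" ] && return 0
    done
    return 1
}

# Constructed sample: the zone state shown on this page after replacing the
# ssh-10022 service with the rich rule. "ssh" (tcp/22) is still listed.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.56.22" port port="10022" protocol="tcp" accept'

# Audit: is the stock ssh service still open world-wide while 10022 is
# restricted to one address? Returns 1 (with a warning) if so.
audit_sample() {
    if printf '%s\n' "$SAMPLE_LIST_ALL" | zone_exposes_service ssh; then
        echo "WARNING: service ssh (tcp/22) is still open to all sources; remove it as well"
        return 1
    fi
    echo "ok: no unrestricted ssh service in zone"
}
```

To make the restriction meaningful, run the same --remove-service step for ssh (and reload) once sshd listens on 10022, or the rich rule only adds a second door next to an open one.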
kun432 commented Jan 16, 2022

With --permanent, a reload is always required.
Run it without --permanent and it takes effect immediately, but a --reload will remove it.
