How to Whitelist Specific IPs and Block All Others Using firewalld on CentOS 7+


When securing a CentOS server, firewalld provides a dynamic firewall manager with support for network/firewall zones. The key concept involves creating rules that explicitly allow traffic from trusted IPs while blocking everything else by default.

Here's the fundamental approach to implement IP-based filtering:


# Set default zone to drop all incoming traffic
# (--set-default-zone changes the runtime and permanent configuration in one step)
sudo firewall-cmd --set-default-zone=drop

# Create a new zone for whitelisted IPs
sudo firewall-cmd --permanent --new-zone=trustedips

# Add your allowed IP (repeat for multiple IPs)
sudo firewall-cmd --permanent --zone=trustedips --add-source=1.2.3.4

# Open specific port for the whitelisted zone
sudo firewall-cmd --permanent --zone=trustedips --add-port=4567/tcp

# Reload to apply changes
sudo firewall-cmd --reload

Let's say you need to allow SSH (port 22) access only from your office IP (203.0.113.5) and a backup server (198.51.100.10):


# Set default policy (runtime and permanent in one step)
sudo firewall-cmd --set-default-zone=drop

# Create whitelist zone
sudo firewall-cmd --permanent --new-zone=officeaccess

# Add trusted IPs
sudo firewall-cmd --permanent --zone=officeaccess --add-source=203.0.113.5
sudo firewall-cmd --permanent --zone=officeaccess --add-source=198.51.100.10

# Allow SSH
sudo firewall-cmd --permanent --zone=officeaccess --add-service=ssh

# Verify before applying
sudo firewall-cmd --permanent --zone=officeaccess --list-all

# Apply changes
sudo firewall-cmd --reload

For more complex scenarios, consider these enhancements:


# Allow IP range (CIDR notation)
sudo firewall-cmd --permanent --zone=trustedips --add-source=192.168.1.0/24

# Combine with rich rules for specific protocols
sudo firewall-cmd --permanent --zone=trustedips \
--add-rich-rule='rule family="ipv4" source address="1.2.3.4" port port="3306" protocol="tcp" accept'

# Set timeout rules (temporary access)
sudo firewall-cmd --zone=trustedips --add-source=1.2.3.4 --timeout=300

Always verify your configuration:


# Check active zones
sudo firewall-cmd --get-active-zones

# List rules for specific zone
sudo firewall-cmd --zone=trustedips --list-all

# Test connectivity from allowed/blocked IPs

Remember to:

  • Keep an alternative access method in case of misconfiguration
  • Document all firewall changes
  • Test rules in non-permanent mode first
  • Consider using fail2ban for additional protection

For production systems, implement these changes during maintenance windows and have rollback procedures ready.
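As an added example that is not part of either answer, a small POSIX sh helper that checks each source as an IPv4 address or CIDR block and only then prints the command sequence from the answer above for a dedicated whitelist zone, so a mistyped source is caught before the drop-by-default rules go live. The FWCMD variable, the function names and the zone name officeaccess are assumptions.

```shell
#!/bin/sh
# Added example (not from the answer above): validate every whitelist source,
# then print the firewall-cmd sequence for review before it is piped to sh.
# FWCMD and the function/zone names are assumptions, not firewalld's own.
set -eu

FWCMD="${FWCMD:-sudo firewall-cmd}"

# valid_ipv4_cidr ADDR[/PREFIX] -> exit 0 if four octets 0-255 and prefix 0-32
valid_ipv4_cidr() {
  addr=${1%%/*}
  prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32            # no "/": a single host address
  case "$addr" in *[!0-9.]* | .* | *. | *..*) return 1 ;; esac
  case "$prefix" in '' | *[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  n=0
  for octet in $(printf '%s' "$addr" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ]
}

# whitelist_cmds ZONE PORT/PROTO SOURCE... -> prints the commands that drop
# everything by default and open PORT/PROTO only for SOURCE...; returns 1
# before printing anything if any source fails validation.
whitelist_cmds() {
  zone=$1; port=$2; shift 2
  for src in "$@"; do
    valid_ipv4_cidr "$src" || { echo "invalid source: $src" >&2; return 1; }
  done
  echo "$FWCMD --set-default-zone=drop"        # runtime and permanent in one step
  echo "$FWCMD --permanent --new-zone=$zone"
  for src in "$@"; do
    echo "$FWCMD --permanent --zone=$zone --add-source=$src"
  done
  echo "$FWCMD --permanent --zone=$zone --add-port=$port"
  echo "$FWCMD --reload"
}

# Example: SSH only from the office host and the backup subnet (constructed values)
whitelist_cmds officeaccess 22/tcp 203.0.113.5 198.51.100.0/24
```

Review the printed commands, then run them with `whitelist_cmds ... | sh` only from a session that keeps an alternative access path open.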


Firewalld operates using zones and services, where each zone can have different firewall rules. For IP-based filtering, we'll primarily work with the --add-rich-rule parameter and source address filtering.

First, check your active zones:

firewall-cmd --get-active-zones

Let's assume we're working with the 'public' zone. Here's how to block all traffic except from specific IPs:


# Block all incoming traffic by default
# (--set-target only changes the permanent configuration, so reload afterwards)
firewall-cmd --permanent --zone=public --set-target=DROP
firewall-cmd --reload

# Allow specific IPs (1.2.3.4 and 5.6.7.8 in this example)
# Traffic from these sources is bound to the public zone and matched against
# the services and ports that zone still allows (ssh by default)
firewall-cmd --zone=public --add-source=1.2.3.4
firewall-cmd --zone=public --add-source=5.6.7.8

# Make the runtime source additions permanent
firewall-cmd --runtime-to-permanent

For more granular control, you can whitelist IPs for specific ports only:


# Allow port 4567 only for IP 1.2.3.4
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="1.2.3.4" port port="4567" protocol="tcp" accept'

# Alternatively, using direct rules for complex scenarios
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 4567 -s 1.2.3.4 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -p tcp --dport 4567 -j DROP

Verify your rules with:


firewall-cmd --zone=public --list-all
firewall-cmd --direct --get-all-rules

For services that need to be accessible from whitelisted IPs only:


# Example for SSH
firewall-cmd --remove-service=ssh --zone=public
firewall-cmd --add-rich-rule='rule family="ipv4" source address="1.2.3.4" service name="ssh" accept'

1. Always test rules before making them permanent
2. Maintain local console access in case of misconfiguration
3. Consider using fail2ban for dynamic blocking of malicious IPs
4. For production systems, implement these changes during maintenance windows