
5.8. Using Zones to Manage Incoming Traffic Depending on Source


You can use zones to manage incoming traffic based on its source. That enables you to sort incoming traffic and route it through different zones to allow or disallow services that can be reached by that traffic.
If you add a source to a zone, the zone becomes active and any incoming traffic from that source will be directed through it. You can specify different settings for each zone, which is applied to the traffic from the given sources accordingly. You can use more zones even if you only have one network interface.

5.8.1. Adding a Source

To route incoming traffic into a specific zone, add the source to that zone. The source can be an IP address or an IP mask in Classless Inter-Domain Routing (CIDR) notation.
  1. To set the source in the default zone (no --zone option given):
    ~]# firewall-cmd --add-source=<source>
  2. To set the source IP address for a specific zone:
    ~]# firewall-cmd --zone=zone-name --add-source=<source>
The following procedure allows all incoming traffic from 192.168.2.15 in the trusted zone:
  1. List all available zones:
    ~]# firewall-cmd --get-zones
  2. Add the source IP to the trusted zone (this changes the runtime configuration):
    ~]# firewall-cmd --zone=trusted --add-source=192.168.2.15
  3. Make the new settings persistent:
    ~]# firewall-cmd --runtime-to-permanent

5.8.2. Removing a Source

Removing a source from the zone cuts off the traffic coming from it.
  1. List allowed sources for the required zone:
    ~]# firewall-cmd --zone=zone-name --list-sources
  2. Remove the source from the zone (this changes the runtime configuration):
    ~]# firewall-cmd --zone=zone-name --remove-source=<source>
  3. Make the new settings persistent:
    ~]# firewall-cmd --runtime-to-permanent

5.8.3. Adding a Source Port

To enable sorting the traffic based on a port of origin, specify a source port using the --add-source-port option. You can also combine this with the --add-source option to limit the traffic to a certain IP address or IP range.
To add a source port:
~]# firewall-cmd --zone=zone-name --add-source-port=<port-name>/<tcp|udp|sctp|dccp>

5.8.4. Removing a Source Port

By removing a source port you disable sorting the traffic based on a port of origin.
To remove a source port:
~]# firewall-cmd --zone=zone-name --remove-source-port=<port-name>/<tcp|udp|sctp|dccp>

To allow traffic from a specific network to use a service on a machine, use zones and sources. The following procedure allows only HTTP traffic from the 192.0.2.0/24 network while any other traffic is blocked.

Warning

When you configure this scenario, use a zone that has the default target. Using a zone that has the target set to ACCEPT is a security risk, because for traffic from 192.0.2.0/24, all network connections would be accepted.
  1. List all available zones:
    ~]# firewall-cmd --get-zones
    block dmz drop external home internal public trusted work
  2. Add the IP range to the internal zone to route the traffic originating from the source through the zone:
    ~]# firewall-cmd --zone=internal --add-source=192.0.2.0/24
  3. Add the http service to the internal zone:
    ~]# firewall-cmd --zone=internal --add-service=http
  4. Make the new settings persistent:
    ~]# firewall-cmd --runtime-to-permanent
  5. Check that the internal zone is active and that the service is allowed in it:
    ~]# firewall-cmd --zone=internal --list-all
    internal (active)
      target: default
      icmp-block-inversion: no
      interfaces:
      sources: 192.0.2.0/24
      services: dhcpv6-client mdns samba-client ssh http
      ...
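The following POSIX shell script is an added example and is not part of the Red Hat guide or of firewalld itself. It serves two of the procedures above: for 5.8.1 it validates a source specification (IPv4 address or CIDR range) before the value is handed to --add-source, and for the HTTP scenario it checks a `--list-all` listing for the conditions that step 5 and the warning require: the zone is active, its target is default rather than ACCEPT, the expected source is bound, and the expected service is allowed. The listing is a constructed sample modelled on the output shown above, so the script runs offline; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): preflight checks around
# "firewall-cmd --add-source" and "firewall-cmd --zone=... --list-all".

# Constructed sample of "firewall-cmd --zone=internal --list-all" output.
SAMPLE_LISTING='internal (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 192.0.2.0/24
  services: dhcpv6-client mdns samba-client ssh http
  ports:
  protocols:'

# Return 0 when $1 is an IPv4 address or an IPv4 network in CIDR notation
# (a.b.c.d or a.b.c.d/prefix, prefix 0..32), the forms --add-source accepts
# for IPv4 in this guide.
valid_ipv4_source() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32      # no slash: a single host
    case $prefix in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                            # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the value of the "key: value" line named $2 from the listing in $1.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# Return 0 when word $2 appears in the space-separated list $1.
has_word() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_zone LISTING SOURCE SERVICE
# Prints "ok" and returns 0 only when the zone is active, its target is
# "default" (so the ACCEPT-target risk from the warning does not apply),
# SOURCE is bound to it and SERVICE is allowed in it. Otherwise prints the
# first failing condition and returns 1.
check_zone() {
    listing=$1; want_source=$2; want_service=$3

    case $(printf '%s\n' "$listing" | head -n 1) in
        *"(active)"*) ;;
        *) echo "zone is not active (no source or interface bound)"; return 1 ;;
    esac

    target=$(zone_field "$listing" target)
    if [ "$target" != "default" ]; then
        echo "zone target is '$target', expected 'default'"; return 1
    fi

    has_word "$(zone_field "$listing" sources)" "$want_source" \
        || { echo "source $want_source not bound to zone"; return 1; }

    has_word "$(zone_field "$listing" services)" "$want_service" \
        || { echo "service $want_service not allowed in zone"; return 1; }

    echo "ok"
}

# On a live host, after the procedure above:
#   valid_ipv4_source 192.0.2.0/24 || exit 1
#   check_zone "$(firewall-cmd --zone=internal --list-all)" 192.0.2.0/24 http
```

Run the checks before `--runtime-to-permanent`: a listing that reports `target: ACCEPT`, or one whose first line lacks `(active)` because no source was bound, fails the check and nothing persistent has been written yet.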
You can allow incoming traffic to be accepted by a zone based on the protocol. All traffic using the specified protocol is accepted by a zone, in which you can apply further rules and filtering.

Adding a Protocol to a Zone

By adding a protocol to a certain zone, you allow all traffic with this protocol to be accepted by this zone.
To add a protocol to a zone, where <protocol> is a protocol name such as tcp, udp, sctp, dccp, or igmp:
~]# firewall-cmd --zone=zone-name --add-protocol=<protocol>

Note

To receive multicast traffic, use the igmp value with the --add-protocol option.

Removing a Protocol from a Zone

By removing a protocol from a certain zone, you stop accepting all traffic based on this protocol by the zone.
To remove a protocol from a zone, where <protocol> is a protocol name such as tcp, udp, sctp, dccp, or igmp:
~]# firewall-cmd --zone=zone-name --remove-protocol=<protocol>