5.12. Setting and Controlling IP sets using firewalld
To see the list of IP set types supported by firewalld, enter the following command as root:
~]# firewall-cmd --get-ipset-types
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
5.12.1. Configuring IP Set Options with the Command-Line Client
IP sets can be used in firewalld zones as sources and also as sources in rich rules. In Red Hat Enterprise Linux 7, the preferred method is to use the IP sets created with firewalld in a direct rule.
To list the IP sets known to firewalld in the permanent environment, use the following command as root:
~]# firewall-cmd --permanent --get-ipsets
To add a new IP set, use the following command using the permanent environment as root:
~]# firewall-cmd --permanent --new-ipset=test --type=hash:net
success
The previous command creates a new IP set with the name test and the hash:net type for IPv4. To create an IP set for use with IPv6, add the --option=family=inet6 option. To make the new setting effective in the runtime environment, reload firewalld. List the new IP set with the following command as root:
~]# firewall-cmd --permanent --get-ipsets
test
To get more information about the IP set, use the following command as root:
~]# firewall-cmd --permanent --info-ipset=test
test
type: hash:net
options:
entries:
Note that the IP set does not have any entries at the moment. To add an entry to the test IP set, use the following command as root:
~]# firewall-cmd --permanent --ipset=test --add-entry=192.168.0.1
success
The previous command adds the IP address 192.168.0.1 to the IP set. To get the list of current entries in the IP set, use the following command as root:
~]# firewall-cmd --permanent --ipset=test --get-entries
192.168.0.1
Generate a file containing a list of IP addresses, for example:
~]# cat > iplist.txt <<EOL
192.168.0.2
192.168.0.3
192.168.1.0/24
192.168.2.254
EOL
The file with the list of IP addresses for an IP set should contain an entry per line. Lines starting with a hash, a semi-colon, or empty lines are ignored.
To add the addresses from the iplist.txt file, use the following command as root:
~]# firewall-cmd --permanent --ipset=test --add-entries-from-file=iplist.txt
success
To see the extended entries list of the IP set, use the following command as root:
~]# firewall-cmd --permanent --ipset=test --get-entries
192.168.0.1
192.168.0.2
192.168.0.3
192.168.1.0/24
192.168.2.254
To remove the addresses from the IP set and to check the updated entries list, use the following commands as root:
~]# firewall-cmd --permanent --ipset=test --remove-entries-from-file=iplist.txt
success
~]# firewall-cmd --permanent --ipset=test --get-entries
192.168.0.1
You can add the IP set as a source to a zone to handle all traffic coming in from any of the addresses listed in the IP set with that zone. For example, to add the test IP set as a source to the drop zone so that all packets coming from all entries listed in the test IP set are dropped, use the following command as root:
~]# firewall-cmd --permanent --zone=drop --add-source=ipset:test
success
The ipset: prefix in the source shows firewalld that the source is an IP set and not an IP address or an address range.
Only the creation and removal of IP sets is limited to the permanent environment; all other IP set options can also be used in the runtime environment without the --permanent option.
5.12.2. Configuring a Custom Service for an IP Set
To configure a custom service to create and load the IP set structure before firewalld starts:
- Using an editor running as root, create a file as follows:
~]# vi /etc/systemd/system/ipset_name.service
[Unit]
Description=ipset_name
Before=firewalld.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/ipset_name.sh start
ExecStop=/usr/local/bin/ipset_name.sh stop

[Install]
WantedBy=basic.target
- Use the IP set permanently in firewalld:
~]# vi /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-m set --match-set ipset_name src -j DROP</rule>
</direct>
- A firewalld reload is required to activate the changes:
~]# firewall-cmd --reload
This reloads the firewall without losing state information (TCP sessions will not be terminated), but service disruption is possible during the reload.
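The unit above runs /usr/local/bin/ipset_name.sh, which the guide does not show. The following script is an added example, not part of the Red Hat documentation; it assumes the set is named ipset_name, is of type hash:net for IPv4, and is loaded from an assumed list file /etc/ipset_name.list written in the same format as iplist.txt. It builds the set under a temporary name and swaps it in, so the DROP rule never briefly matches an empty set while the list is reloaded.

```bash
#!/bin/bash
# Hypothetical /usr/local/bin/ipset_name.sh for the systemd unit above (added
# example, not from the Red Hat guide). Run by "ExecStart=... start" before
# firewalld starts, it creates the kernel set "ipset_name" (hash:net, IPv4) from
# the assumed list file /etc/ipset_name.list, which uses the iplist.txt format:
# one entry per line; empty lines and lines starting with '#' or ';' are ignored.
set -eu

SET_NAME="${SET_NAME:-ipset_name}"              # name used by --match-set in direct.xml
LIST_FILE="${LIST_FILE:-/etc/ipset_name.list}"  # assumed location of the entry list

# Print "ipset restore" input for a list file. The entries go into a temporary set
# that is then swapped with the live one, so the DROP rule never matches an empty
# set halfway through a reload (a flush-then-add sequence would fail open).
build_restore() {
    local list="$1" name="$2" tmp="${2}_tmp"
    [ -r "$list" ] || { printf 'ipset_name.sh: cannot read %s\n' "$list" >&2; return 1; }
    printf 'create %s hash:net family inet -exist\n' "$name"
    printf 'create %s hash:net family inet -exist\n' "$tmp"
    printf 'flush %s\n' "$tmp"
    # Drop comments and blank lines, strip blanks, then accept only an IPv4
    # address or CIDR so a malformed line cannot smuggle in another ipset command.
    grep -Ev '^[[:space:]]*([#;]|$)' "$list" | tr -d '[:blank:]' |
    while IFS= read -r entry; do
        if printf '%s\n' "$entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
            printf 'add %s %s\n' "$tmp" "$entry"
        else
            printf 'ipset_name.sh: skipping invalid entry: %s\n' "$entry" >&2
        fi
    done
    printf 'swap %s %s\n' "$tmp" "$name"
    printf 'destroy %s\n' "$tmp"
}

# Dispatch only when an action was given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    case "$1" in
        start) build_restore "$LIST_FILE" "$SET_NAME" | ipset restore ;;
        # systemd stops this unit after firewalld (Before= is reversed on stop),
        # so the direct rule no longer references the set when it is destroyed.
        stop)  ipset destroy "$SET_NAME" ;;
        *)     echo "usage: $0 {start|stop}" >&2; exit 2 ;;
    esac
fi
```

Lines that are not an IPv4 address or CIDR are reported on stderr and skipped rather than passed to ipset.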
Warning
Red Hat does not recommend using IP sets that are not managed through firewalld. To use such IP sets, a permanent direct rule is required to reference the set, and a custom service must be added to create these IP sets. This service needs to be started before firewalld starts, otherwise firewalld is not able to add the direct rules using these sets. You can add permanent direct rules with the /etc/firewalld/direct.xml file.