Background:
To fix vulnerabilities found in security scans, we need to restrict access to certain services, so that only a specified internal IP address can reach them.
Solution: Use Firewalld Firewall Rules
There are two ways to set these rules:
1. Modify the XML configuration file
First, open the zone's XML file under /etc/firewalld/zones/ (firewalld keeps one file per zone, named after the zone) with the vim editor and add the following example rule inside the <zone> element:
<!-- Allow the specified internal IP (e.g. 192.168.20.86/32) to access the MySQL service on this server (default port 3306) -->
<rule family="ipv4">
  <source address="192.168.20.86/32"/>
  <port protocol="tcp" port="3306"/>
  <accept/>
</rule>
Explanation:
- <rule>: defines a rule; its family attribute is set to ipv4.
- <source>: defines the allowed IP address. In this example, 192.168.20.86/32 means that only this single IP is allowed.
- <port>: specifies the target port and protocol. Here it is the MySQL default port 3306 under the TCP protocol.
- <accept/>: when the rule matches, the traffic is allowed through.
2. Or use the command line to add the rule directly
# Add the rule (the port clause limits it to MySQL; without it, every port would be opened to that source)
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.20.86/32" port port="3306" protocol="tcp" accept'
# Remove the rule (the rule string must match the added one exactly)
firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.20.86/32" port port="3306" protocol="tcp" accept'
Note: --permanent writes the rule to the zone file but does not apply it to the running firewall, so after each rule change run firewall-cmd --reload to reload the firewall configuration.
Verification method
On another server, use the telnet command to verify:
telnet 192.168.20.86 3306
Run the check once from the host named in the rule (the connection should open) and once from a host that is not (it should be refused or time out); only the pair of results confirms that the restriction works.
In-depth understanding of firewall logic
When the firewall processes a packet, the rules are checked in turn: first the source IP is matched, then the destination port. If both match, the accept action is performed and the traffic is allowed through. Otherwise the next rule is checked, until a matching entry is found or the zone's default policy handles the packet. One caveat: a rich rule only adds an allow entry. If port 3306 is also opened zone-wide (for example with --add-port=3306/tcp or --add-service=mysql), every source can still connect, so make sure the port is opened only through the per-IP rule.
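The following is an added example, not code from the original article: it composes the rich rule used above and audits the output of firewall-cmd --list-rich-rules, --list-ports and --list-services for a zone to confirm the restriction is effective, i.e. the rule exists and port 3306 is not also opened for every source. It assumes the article's zone "public", source 192.168.20.86/32 and port 3306; the function names are mine, and the sample firewall-cmd output is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original article). Builds the firewalld rich rule
# that limits MySQL (tcp/3306) to one internal address and audits firewall-cmd
# --list-* output to confirm the restriction is effective: the rule must exist
# and the port must not also be opened zone-wide, which would admit every source.
# Assumed: zone "public", the article's address 192.168.20.86/32 and port 3306.

# Compose the rich rule string for one source address, tcp port and action.
rich_rule() {  # $1 = source CIDR, $2 = port, $3 = accept|reject|drop
  printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" %s' "$1" "$2" "$3"
}

# Succeed if the exact rule is one of the lines in $1 (--list-rich-rules output).
rule_present() {  # $1 = rich-rule list, $2 = rule string
  printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# Succeed if the port is opened for all sources via --list-ports ($1) or the
# predefined "mysql" service in --list-services ($2); $3 = port number.
port_open_globally() {
  for p in $1; do [ "$p" = "$3/tcp" ] && return 0; done
  for s in $2; do [ "$s" = mysql ] && [ "$3" = 3306 ] && return 0; done
  return 1
}

# Audit one zone's state; prints ok, missing or port-open-to-all.
audit() {  # $1 = rich rules, $2 = ports, $3 = services, $4 = source CIDR, $5 = port
  if ! rule_present "$1" "$(rich_rule "$4" "$5" accept)"; then
    echo missing; return 1
  elif port_open_globally "$2" "$3" "$5"; then
    echo port-open-to-all; return 1
  fi
  echo ok
}

# Read-only audit of the running firewall (needs firewalld on this host).
audit_live() {  # $1 = zone, $2 = source CIDR, $3 = port
  audit "$(firewall-cmd --zone="$1" --list-rich-rules)" \
        "$(firewall-cmd --zone="$1" --list-ports)" \
        "$(firewall-cmd --zone="$1" --list-services)" "$2" "$3"
}

# Constructed sample of what firewall-cmd prints for zone public on a host where
# an admin also ran --add-port=3306/tcp, silently defeating the per-IP rule.
SAMPLE_RICH='rule family="ipv4" source address="192.168.20.86/32" port port="3306" protocol="tcp" accept'
SAMPLE_PORTS='22/tcp 3306/tcp'
SAMPLE_SERVICES='ssh dhcpv6-client'

audit "$SAMPLE_RICH" "$SAMPLE_PORTS" "$SAMPLE_SERVICES" 192.168.20.86/32 3306 || true  # port-open-to-all
```

On a real host, `audit_live public 192.168.20.86/32 3306` performs the same check against the running configuration without changing it.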
Application scenarios and extensions
This method is well suited to tightening security controls on databases, for example allowing only a specific IP to connect to port 3306 of the MySQL server. It is also very useful for network separation, ensuring that only trusted devices or services can communicate with each other.
Finally, when you need to deny access from a specific IP, use the <reject/> or <drop/> action instead:
<rule family="ipv4">
  <source address="192.168.20.86/32"/>
  <port protocol="tcp" port="3306"/>
  <reject/>
</rule>
<reject/> sends a rejection notice back to the source, while <drop/> silently discards the traffic, which suits scenarios where no information about the system should be disclosed.