How to Restrict Port Access using Firewalld

Firewalld is a dynamically managed firewall that lets you change rules without dropping existing connections. To restrict a specific port to a single IP address, use a “Rich Rule,” which gives more granular control than the standard service and port commands.

Prerequisites:

  • SSH Access with sudo or root privileges.
  • The Port Number (e.g., 3306 for MySQL).
  • The Trusted IP Address you want to permit.

Steps to Restrict Access:

  1. Check Firewalld Status: Ensure the firewall is running: sudo systemctl status firewalld
  2. Add the Rich Rule: To allow a specific IP (e.g., 1.2.3.4) to access a specific port (e.g., 3306), run the following command. The --permanent flag ensures the rule stays active after a reboot: sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="1.2.3.4" port protocol="tcp" port="3306" accept'
  3. Reload Firewalld: Changes do not take effect until the firewall configuration is reloaded: sudo firewall-cmd --reload
  4. Verify the Configuration: List all active rich rules to confirm the IP is added: sudo firewall-cmd --list-rich-rules

How to Remove a Rule:

If you need to revoke access, simply run the same command as in Step 2, but replace --add-rich-rule with --remove-rich-rule, then reload.

Verification:

Test the connection from the allowed IP. If you configured it correctly, the connection will go through, while all other IPs will be blocked by the default “Deny” policy of the firewall.
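As an added example (not part of this article), the POSIX shell helper below builds the rich rule from validated inputs and checks firewall-cmd output for the two things worth confirming after step 4: that the rule is listed, and that the same port is not also opened zone-wide through --add-port (or a service such as mysql), since such an entry admits every source regardless of the rich rule. Function names are my own; the firewall-cmd options are those used in the steps above plus --list-ports.

```shell
# Added example, not from the article: build the rich rule from validated
# inputs and check firewall-cmd output for what a practitioner wants to know
# after step 4: the rule is listed, and the port is not also opened zone-wide.

# Print the rich rule for IP/PORT/PROTO (default tcp); fail on malformed input.
build_rich_rule() {
    ip=$1 port=$2 proto=${3:-tcp}
    case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')      # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf 'rule family="ipv4" source address="%s" port protocol="%s" port="%s" accept\n' \
        "$ip" "$proto" "$port"
}

# True if the exact rule appears in the output of `firewall-cmd --list-rich-rules`.
rule_present() {
    printf '%s\n' "$2" | grep -Fxq -- "$1"
}

# True if PORT/PROTO appears in the output of `firewall-cmd --list-ports`. Such an
# entry admits every source, so the rich rule alone would not restrict the port.
# (Services from `--list-services` open ports too; `--info-service=mysql` shows 3306/tcp.)
port_open_zone_wide() {
    for p in $3; do [ "$p" = "$1/$2" ] && return 0; done
    return 1
}

# Apply and verify on a live host; only runs when invoked as:
#   RESTRICT_APPLY=1 sh restrict.sh 1.2.3.4 3306
apply_restriction() {
    rule=$(build_rich_rule "$1" "$2") || { echo "bad ip or port" >&2; return 2; }
    if port_open_zone_wide "$2" tcp "$(firewall-cmd --list-ports)"; then
        echo "warning: $2/tcp is already open to all sources; remove it first" >&2
    fi
    firewall-cmd --permanent --add-rich-rule="$rule" || return 1
    firewall-cmd --reload || return 1
    rule_present "$rule" "$(firewall-cmd --list-rich-rules)"
}

if [ "${RESTRICT_APPLY:-0}" = 1 ] && command -v firewall-cmd >/dev/null 2>&1; then
    apply_restriction "$1" "$2"
fi
```

The pure functions can be exercised offline; apply_restriction is the only part that touches firewalld and is skipped unless RESTRICT_APPLY=1 is set.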

Updated on February 5, 2026