View All Products
Compute
Storage
Networking
Databases
Services
Developer Tools
Industries
Pricing
Community
Engage With Us
Community Questions [SOLVED] Create 2 firewalld zones on 1 linode, 1 external, 1 internal. Centos 7
Log in to Ask a Question

[SOLVED] Create 2 firewalld zones on 1 linode, 1 external, 1 internal. Centos 7

networking

Hello,

I have 2 linode servers with CentOS 7 installed with Network manager and Firewalld.

I have the external ip and internal ip. The external ip i would like to use for the webservers. The internal ip i would like to use for a Xtradb percona cluster.

I would like to have the external ip connected to the firewalld zone "DMZ" with device eth0 and the internal ip connected to the firewalld zone "INTERNAL" with a eth0:0 device.

Without the firewalld / network manager It seems possible. Is it also possible with the firewalld and network manager?

My problem so far is that i cannot setup an extra virtual device eth0:0 which i connect to the zone 'internal'

Because when i setup a second connection the field "DEVICE" is empty.

Perhaps you have a link to a website with explanation which i can follow-up?

Thank you very much

:)

1 Reply

I have found the solution for my case.

The problem was that I thought i needed a second interface (like eth0:0) to be able to create 2 zones in Firewalld.

But this is not the case.

The solution is that in Firewalld you just have to add an IP address to a zone with the "–add-source" parameter and then

the zone will be activated and can be configurated for this ip adress(es).

Example: sudo firewall-cmd --zone=internal --add-source=192.168.xxx.xxx/32 --permanent

sudo firewall-cmd --get-active-zones

sudo firewall-cmd --zone=internal --list-all

So create a local network zone internal by adding the source and use the eth0 interface for the external internet zone, like dmz.

Explaination what helped my solve my question:
> A zone can be bound to a network interface (see above) and/or to a network addressing (called here a source).

Any network packet entering in the network stack is associated with a zone.

The association is done according to the following pattern:

– is the packet coming from a source already bound to a zone? (if yes, it is associated with this zone),

– if not, is the packet coming from a network interface already bound to a zone? (if yes, it is associated with this zone),

– if not, the packet is associated with the default zone.
source: https://www.certdepot.net/rhel7-get-started-firewalld/

Have a good one 8)

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Log in to Reply
Community Code of Conduct