2024-09-21 04:17:26 +02:00
#+title: Firewalld
#+setupfile: ../org-templates/page.org
** Allow connections only from tailnet
Create a new zone for the ~tailscale0~ interface.
#+BEGIN_SRC shell
# A new zone starts with the "default" target: anything not explicitly
# allowed in it is rejected.
sudo firewall-cmd --permanent --new-zone=tailnet
sudo firewall-cmd --permanent --zone=tailnet --add-interface=tailscale0
# A zone created with --permanent only exists in the runtime config after a reload.
sudo firewall-cmd --reload
#+END_SRC
Add services and ports to the ~tailnet~ zone.
#+BEGIN_SRC shell
# The shell expands the braces into three separate --add-service flags,
# which firewall-cmd accepts in a single invocation.
sudo firewall-cmd --permanent --zone=tailnet --add-service={http,https,ssh}
# A bare port for anything without a predefined firewalld service
# (9100/tcp is the Prometheus node_exporter default).
sudo firewall-cmd --permanent --zone=tailnet --add-port=9100/tcp
sudo firewall-cmd --reload
#+END_SRC
Move the uplink interface (here ~eth0~) out of ~public~ and into the built-in ~drop~ zone, and make ~drop~ the default zone. Simply removing ~eth0~ from ~public~ is not enough: an interface with no zone binding falls back to the default zone, which is ~public~ on most distributions, so the services ~public~ allows (~ssh~ among them) would stay reachable from the uplink. Do this from a console or from an SSH session that already arrives over ~tailscale0~; once ~eth0~ is in ~drop~, SSH to the public address stops working.
#+BEGIN_SRC shell
# --change-interface binds eth0 to drop whether or not it is currently bound
# to public. If NetworkManager controls eth0, firewall-cmd hands the zone
# over to the connection profile; check it with: nmcli connection show <name> | grep connection.zone
sudo firewall-cmd --permanent --zone=drop --change-interface=eth0
# drop as default zone covers any interface that appears later without a binding.
sudo firewall-cmd --set-default-zone=drop
sudo firewall-cmd --reload
#+END_SRC
Unsolicited inbound traffic is now accepted only on ~tailscale0~, and there only for the listed services and ports; on ~eth0~ it is silently dropped, while outbound connections and their replies still pass. Tailscale itself keeps working because ~tailscaled~ opens its connections outbound; peers that cannot reach this host directly fall back to a DERP relay. Verify the result with ~firewall-cmd --get-default-zone~, ~firewall-cmd --get-active-zones~ and ~firewall-cmd --zone=tailnet --list-all~.
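The steps above collected into one re-runnable script, as an added example that is not part of the original page. The zone name ~tailnet~, the tun device ~tailscale0~, the uplink ~eth0~, the services and port 9100/tcp are taken from the page; the lockout guard, the ~drop~ default zone and the helper names (~in_tailnet_range~, ~refuse_if_locking_self_out~, ~apply_tailnet_only~, ~verify_tailnet_only~) are this example's own. It assumes firewalld is running and that ~sudo~ works non-interactively. With no argument it only defines functions, so it can be sourced; ~apply~ and ~verify~ do the work.

```shell
#!/bin/sh
# Added example (not from the original page): lock a firewalld host down so
# unsolicited inbound traffic is accepted only from the tailnet.
set -eu

ZONE=tailnet        # zone name used on the page
TUN=tailscale0      # Tailscale tun device
WAN=eth0            # assumption: the uplink; check with `ip -br link`

# Return 0 if $1 is a Tailscale address: IPv4 in 100.64.0.0/10 (the CGNAT
# range Tailscale assigns from) or IPv6 in fd7a:115c:a1e0::/48. Pure shell,
# no network access; expects lowercase text as `tailscale ip` prints it.
in_tailnet_range() {
  tn_ip=$1
  case $tn_ip in
    fd7a:115c:a1e0:*) return 0 ;;   # Tailscale IPv6 ULA prefix
    *:*)              return 1 ;;   # any other IPv6 address
    *.*.*.*)          ;;            # dotted quad, checked below
    *)                return 1 ;;
  esac
  tn_a=${tn_ip%%.*}
  tn_rest=${tn_ip#*.}
  tn_b=${tn_rest%%.*}
  case $tn_a in ''|*[!0-9]*) return 1 ;; esac
  case $tn_b in ''|*[!0-9]*) return 1 ;; esac
  # 100.64.0.0/10 == first octet 100, second octet 64..127
  [ "$tn_a" -eq 100 ] && [ "$tn_b" -ge 64 ] && [ "$tn_b" -le 127 ]
}

# Refuse to continue from an SSH session that did not arrive over the tailnet:
# after the change, that session's path (the uplink) is dropped.
refuse_if_locking_self_out() {
  [ -n "${SSH_CONNECTION:-}" ] || return 0      # console or local shell: fine
  client=${SSH_CONNECTION%% *}                  # "client_ip client_port server_ip server_port"
  if ! in_tailnet_range "$client"; then
    echo "refusing: this SSH session comes from $client, not from the tailnet" >&2
    return 1
  fi
}

apply_tailnet_only() {
  refuse_if_locking_self_out
  # 1. The zone, created only if missing so the script can be re-run.
  if ! sudo firewall-cmd --permanent --get-zones | tr ' ' '\n' | grep -qx "$ZONE"; then
    sudo firewall-cmd --permanent --new-zone="$ZONE"
  fi
  # --change-interface binds the device whether or not it is bound elsewhere.
  sudo firewall-cmd --permanent --zone="$ZONE" --change-interface="$TUN"
  # 2. What the tailnet may reach. Re-adding an existing entry only warns.
  for svc in ssh http https; do
    sudo firewall-cmd --permanent --zone="$ZONE" --add-service="$svc"
  done
  sudo firewall-cmd --permanent --zone="$ZONE" --add-port=9100/tcp
  # 3. Everything else: uplink into drop, and drop as the default zone so an
  #    interface without an explicit binding no longer lands in public.
  sudo firewall-cmd --permanent --zone=drop --change-interface="$WAN"
  sudo firewall-cmd --set-default-zone=drop
  # Optional: let peers reach tailscaled directly instead of via a DERP relay.
  # 41641/udp is tailscaled's default listen port; skip if you changed --port.
  # sudo firewall-cmd --permanent --zone=drop --add-port=41641/udp
  sudo firewall-cmd --reload
}

verify_tailnet_only() {
  echo "default zone: $(sudo firewall-cmd --get-default-zone)"  # expect: drop
  sudo firewall-cmd --get-active-zones   # expect tailscale0 under tailnet, eth0 under drop
  sudo firewall-cmd --zone="$ZONE" --list-all
}

case ${1:-} in
  apply)  apply_tailnet_only ;;
  verify) verify_tailnet_only ;;
  check)  in_tailnet_range "${2:?usage: $0 check <ip>}" && echo tailnet || { echo "not tailnet"; exit 1; } ;;
  *)      : ;;   # no argument: only define the functions
esac
```

~./tailnet-only.sh check 100.101.102.103~ exercises the range test on its own; ~apply~ refuses to run from an SSH session whose client address is outside the tailnet, which is the one mistake this procedure makes easy to regret.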