SIMULATION -
Configure iptables. There are two domains in the network: the address of the local domain is 172.24.0.0/16, and the other domain is 172.25.0.0/16. Now refuse the domain
172.25.0.0/16 access to the server.
To refuse access to the server from the domain 172.25.0.0/16, you need to configure iptables properly. The first step is to clear any existing rules using 'iptables -F'. Then, add a rule to reject packets from the specified domain using 'iptables -A INPUT -s 172.25.0.0/16 -j REJECT'. Finally, save the changes and restart the iptables service to apply the new rules. The correct sequence of commands is as follows: iptables -F; iptables -A INPUT -s 172.25.0.0/16 -j REJECT; service iptables save; service iptables restart.
In RHEL8 # firewall-cmd --zone=block --add-source=172.25.0.0/16 --permanent # firewall-cmd --reload
This answer seems to be incorrect, by the documentation standards I printed above. Unless I am interpreting wrong, your entry would do the following if the block zone was enabled: block ALL incoming traffic except for that which exists within subnet 172.25.0.0/16. All outgoing established connections are permitted. For this solution to work, you would need to permit the .24 subnet and all of the necessary ports utilized in this exam. The rich rules are a better/quicker solution.
--zone=block --add-source=172.25.0.0/16 means that the rules of the block zone would apply to packets from 172.25.0.0/16, while other packets would still have the rules of the public zone applied. Because the target of the block zone is reject, any connection from 172.25.0.0/16 will be rejected.
This must be configured on the server side. Try to ping from the client; if it is configured successfully, it will show "packet filtered".
To do this in RHEL8, you must use the command firewall-cmd.
# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='172.25.0.0/16' reject" --> Add the permanent rule to reject the whole network
# firewall-cmd --reload --> Reload firewall rules
# firewall-cmd --list-all --> List all loaded rules
This seems to be the most correct answer.
There is no iptables in RHEL8; this needs updating.
The correct answer is: # firewall-cmd --zone=block --add-source=172.25.0.0/16 --permanent # firewall-cmd --reload. Every packet that comes into a system is analyzed for its source address, and based on that source address, firewalld decides whether or not the packet belongs to a specific zone. If not, the zone for the incoming network interface is used. If no specific zone is available, the packet is handled by the settings in the default zone.
I think it only needs to refuse access from 172.25.0.0/16, so: firewall-cmd --zone=drop --permanent --add-source=172.25.0.0/16
After some research in the firewalld documentation: Block Zone: Any incoming network connections are rejected [...]. Only network connections initiated within this system are possible.
Here is the thing that confuses me about the 2 solutions that have been provided in this discussion. adolfoale: Is this zone always active, or do you have to change the default/active zone to zone=block for this to work? As I understand it, this would only work if the block zone was active. Roldo: Your solution seems correct; I've just never used this solution before. What are your thoughts on adolfoale's solution? Any other comments are really helpful. Thanks much.
If you add a source/interface to a zone, then that zone will be active.
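The thread turns on how firewalld chooses a zone for an incoming packet (source binding first, then the interface's zone, then the default zone) and whether the block-zone approach and the rich-rule approach both end up rejecting 172.25.0.0/16 while leaving 172.24.0.0/16 alone. The following Python model is an added example written for this page; it is not code from the thread, from the exam, or from firewalld itself. The zone names and targets (block = REJECT, drop = DROP) follow firewalld's documented defaults; the interface name eth0, the assumption that the public zone accepts the service being tested, and all sample addresses are constructed for the example.

```python
import ipaddress

# Constructed model of firewalld zone selection and zone targets.
# Assumption: "public" is simplified to ACCEPT, i.e. the service the
# client is reaching (ssh, http, ...) is already allowed in that zone.
ZONE_TARGETS = {"block": "REJECT", "drop": "DROP", "public": "ACCEPT"}

# State after:  firewall-cmd --zone=block --add-source=172.25.0.0/16 --permanent
SOURCE_BINDINGS = {"block": ["172.25.0.0/16"]}

# Assumption: the server's only NIC is bound to the public zone.
IFACE_BINDINGS = {"eth0": "public"}
DEFAULT_ZONE = "public"

# State after the rich-rule variant, which lives inside the public zone:
#   rule family='ipv4' source address='172.25.0.0/16' reject
RICH_RULES = {"public": [("172.25.0.0/16", "REJECT")]}


def select_zone(src_ip, iface, source_bindings=SOURCE_BINDINGS,
                iface_bindings=IFACE_BINDINGS, default_zone=DEFAULT_ZONE):
    """Pick the zone the way the thread describes firewalld doing it:
    a matching source binding wins, otherwise the interface's zone,
    otherwise the default zone."""
    ip = ipaddress.ip_address(src_ip)
    for zone, nets in source_bindings.items():
        if any(ip in ipaddress.ip_network(net) for net in nets):
            return zone
    return iface_bindings.get(iface, default_zone)


def verdict(src_ip, iface, rich_rules=RICH_RULES, **zone_kwargs):
    """Return (zone, action) for a packet. Rich rules of the selected zone
    are consulted before falling back to the zone's target."""
    zone = select_zone(src_ip, iface, **zone_kwargs)
    ip = ipaddress.ip_address(src_ip)
    for net, action in rich_rules.get(zone, []):
        if ip in ipaddress.ip_network(net):
            return zone, action
    return zone, ZONE_TARGETS[zone]


def compare_approaches(src_ip, iface="eth0"):
    """Show what each configuration alone does to a packet from src_ip."""
    return {
        "zone_binding_only": verdict(src_ip, iface, rich_rules={}),
        "rich_rule_only": verdict(src_ip, iface, source_bindings={}),
        "drop_zone_only": verdict(src_ip, iface, rich_rules={},
                                  source_bindings={"drop": ["172.25.0.0/16"]}),
        "nothing_configured": verdict(src_ip, iface, rich_rules={},
                                      source_bindings={}),
    }


if __name__ == "__main__":
    for client in ("172.25.10.5", "172.24.0.9"):
        print(client, compare_approaches(client))
```

Running it shows the point both camps in the thread make: binding 172.25.0.0/16 to the block zone makes that zone active for those packets only, so the 172.24.0.0/16 client still lands in public and is accepted, and the rich rule reaches the same verdict without touching zone bindings.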