How to disable SSH access from everywhere except for certain IPs in CentOS 7


Here’s how to do it:

firewall-cmd --zone=internal --add-service=ssh --permanent
firewall-cmd --zone=internal --add-source=1.2.3.4/32 --permanent
firewall-cmd --zone=internal --add-source=5.6.7.8/32 --permanent
firewall-cmd --zone=public --remove-service=ssh --permanent

firewall-cmd --reload

This binds two source IPs to the internal zone (add as many or as few as you like), allows the SSH service in that zone, and subsequently removes the SSH service from the public zone altogether. As a result, any other IP gets a message such as “Connection refused” when trying to connect via SSH.

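The “--permanent” switch saves the changes to the permanent configuration. Remove it for testing or if you don’t want this change to be permanent; in that case skip the reload, because reloading discards any changes that were not saved with “--permanent”.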

The last line reloads the current firewall rules (thanks, CertDepot).
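
A check for the result described above, as an added example that is not part of the original post: it reads text in the format printed by firewall-cmd --list-all-zones and reports each active zone that still offers ssh, marking it open when an interface is bound to the zone and restricted when the zone is reached only through source addresses. The sample zone listings and the eth0 interface are constructed, and the check looks only at the services line, so ssh opened through a ports entry or a rich rule is not examined.

```shell
#!/bin/sh
# Added example: report which active firewalld zones still offer ssh.
# Input is text in the format printed by `firewall-cmd --list-all-zones`.
#   "<zone> open"        an interface is bound: ssh allowed from any source
#   "<zone> restricted"  zone is reached only via its listed source addresses
ssh_exposure() {
    awk '
        function report() {
            if (zone != "" && active && has_ssh)
                print zone, (has_if ? "open" : "restricted")
        }
        # Zone headers start in column 1; attribute lines are indented.
        /^[^ \t]/ {
            report(); zone = $1
            active = ($0 ~ /\([^)]*active[^)]*\)/)
            has_ssh = 0; has_if = 0; next
        }
        $1 == "interfaces:" { has_if = (NF > 1) }
        $1 == "services:"   { for (i = 2; i <= NF; i++) if ($i == "ssh") has_ssh = 1 }
        END { report() }
    '
}

# Constructed sample (abbreviated): zone state before the commands above.
BEFORE='internal
  interfaces:
  sources:
  services: ssh mdns samba-client dhcpv6-client

public (active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh'

# Constructed sample (abbreviated): zone state after the commands and reload.
AFTER='internal (active)
  interfaces:
  sources: 1.2.3.4/32 5.6.7.8/32
  services: ssh mdns samba-client dhcpv6-client

public (active)
  interfaces: eth0
  sources:
  services: dhcpv6-client'

printf '%s\n' "$BEFORE" | ssh_exposure   # public open
printf '%s\n' "$AFTER"  | ssh_exposure   # internal restricted
```

On a live host, pipe the real listing into the function: firewall-cmd --list-all-zones | ssh_exposure. Note that the allowed source IPs also reach every other service listed for the internal zone, not just ssh.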


