How to allow specific IP addresses or networks to access the systemd managed services

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 8 and 9
    • systemd

Issue

  • Do the systemd unit settings IPAddressDeny and IPAddressAllow work?

  • systemd unit files have settings described on the systemd.resource-control manpage like this:

    IPAddressDeny=any
    IPAddressAllow=localhost
    
  • How to restrict access to systemd managed services to certain IP addresses or networks?

  • How to allow specific IP addresses or networks to access the systemd managed services?

  • IP Accounting and Access Lists with systemd

Resolution

Prerequisites

  • You need to enable cgroup v2 on the RHEL8 system. Refer to the following article for the procedure:

    Enable cgroup V2 on RHEL8

  • cgroup v2 is enabled by default on the RHEL9 system. Therefore, there is no need to enable it explicitly.

Usage

The following three options are thin wrappers around kernel functionality introduced with Linux 4.11: the control group eBPF hooks. The actual work is done by the kernel, systemd just provides a number of new settings to configure this.

  • IPAccounting= is a boolean setting. If enabled for a unit, all IP traffic sent and received by processes associated with it is counted both in terms of bytes and of packets.

  • IPAddressDeny= takes an IP address prefix (that means: an IP address with a network mask). All traffic from and to this address will be prohibited for processes of the service.

  • IPAddressAllow= is the matching positive counterpart to IPAddressDeny=. All traffic matching this IP address/network mask combination will be allowed, even if otherwise listed in IPAddressDeny=.

systemd unit files can be modified as shown below, with the list of IP addresses or prefixes to allow or deny. IPAddressDeny=any first blocks all IP traffic for the service's processes, and each IPAddressAllow= line then punches a hole for one address or network.

[Service]
IPAddressDeny=any
IPAddressAllow=x.x.x.x
IPAddressAllow=x.x.x.x

Example

In the following transient unit example, only the IP address 127.0.0.1 is allowed to communicate with TCP port 5000 opened by the nc (netcat) tool; connections from any other address are dropped by the unit's eBPF filter.

# systemd-run -p IPAddressDeny=any -p IPAddressAllow=127.0.0.1 -t nc -l 5000
Running as unit: run-u22.service
Press ^] three times within 1s to disconnect TTY.


# telnet 192.168.x.x 5000
Trying 192.168.x.x...
--> Not working


# telnet localhost 5000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
--> Worked
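The Usage and Example sections above apply the allow/deny settings either by editing a unit file or with a one-off transient unit. The script below is an added example, not part of the Red Hat article: it renders the same [Service] settings as a drop-in override for a persistent unit, rejects malformed prefixes before they reach systemd, and notes the check a practitioner should run afterwards. The function names render_ip_acl_dropin, install_ip_acl and is_valid_prefix, and the IPACL_ROOT variable, are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not the article's own code): generate a systemd drop-in that
# denies all IP traffic for a unit except the listed prefixes.
set -eu

# Accept systemd's special names, an IPv4 address with optional /0-32 mask,
# or a rough IPv6 form (hex digits with at least one colon, optional /0-128).
is_valid_prefix() {
    case "$1" in
        any|localhost|link-local|multicast) return 0 ;;
    esac
    octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    if printf '%s' "$1" | grep -Eq "^($octet\.){3}$octet(/([0-9]|[12][0-9]|3[0-2]))?$"; then
        return 0
    fi
    if printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*(/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8]))?$'; then
        return 0
    fi
    return 1
}

# Print the drop-in body: deny everything, then one IPAddressAllow= per argument.
render_ip_acl_dropin() {
    local p
    printf '[Service]\nIPAddressDeny=any\n'
    for p in "$@"; do
        is_valid_prefix "$p" || { echo "invalid IP prefix: $p" >&2; return 1; }
        printf 'IPAddressAllow=%s\n' "$p"
    done
}

# Write the drop-in as UNIT.d/10-ipacl.conf under IPACL_ROOT
# (hypothetical variable; defaults to /etc/systemd/system) and print its path.
# Usage: install_ip_acl UNIT PREFIX...
install_ip_acl() {
    local unit="$1"; shift
    local dir="${IPACL_ROOT:-/etc/systemd/system}/$unit.d"
    mkdir -p "$dir"
    render_ip_acl_dropin "$@" > "$dir/10-ipacl.conf"
    echo "$dir/10-ipacl.conf"
}

# After installing: systemctl daemon-reload && systemctl restart UNIT, then
# confirm the filter is really in effect (it needs cgroup v2, see Prerequisites):
#   systemctl show -p IPAddressDeny -p IPAddressAllow UNIT
```

If `systemctl show` prints empty values for the two properties, the kernel-side filter was not installed and the service is still reachable from every address.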

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.