VMware Cloud Community
esxi1979
Expert

Enable SSH firewall rule so that SSH is allowed from certain IPs only - Get-Esxcli

Hi.

Any help is appreciated here

Goal :

Enable the SSH firewall rule so that SSH is allowed from certain IPs only.

$VMHost = Get-VMHost -Name xxx
$esxcli = Get-Esxcli -VMHost $VMHost -V2

$rule = @{
    enabled    = $true
    allowedall = $false
    rulesetid  = 'sshServer'
}
$esxcli.network.firewall.ruleset.set.Invoke($rule)

# Everything up to here works

# Add the allowed IP list: the call below gives an error
$rule = @{
    enabled   = $true
    allowedip = 'xxx'
    rulesetid = 'sshServer'
}
$esxcli.network.firewall.ruleset.set.Invoke($rule)

LucD, the above is part of your code from another thread, but I could not apply it with more tuning.

thanks

19 Replies
LucD
Leadership

Can you share the error?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

esxi1979
Expert

Only the last line gives an error:

$esxcli.network.firewall.ruleset.set.Invoke($rule)

Index (zero based) must be greater than or equal to zero and less than the size of the argument list.
At line:1 char:1
+ $esxcli.network.firewall.ruleset.set.Invoke($rule)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], FormatException
    + FullyQualifiedErrorId : System.FormatException

LucD
Leadership

Accepted solution

I'm not sure where you got that code from, but that is not the command to add an IP address.

It should be something like this:

$rule = @{
    enabled    = $true
    allowedall = $false
    rulesetid  = 'sshServer'
}
$esxcli.network.firewall.ruleset.set.Invoke($rule)

$ip = @{
    rulesetid = 'sshServer'
    ipaddress = '192.168.1.1'
}
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($ip)



esxi1979
Expert

LucD, thanks, it works for a single IP.

I get the error below when I tried to use a comma-separated list of IPs; any suggestions please?

Message: EsxCLI.CLIFault.summary;
InnerText: Invalid IP Address StringEsxCLI.CLIFault.summary
At line:1 char:1
+ $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ip)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], MethodFault
    + FullyQualifiedErrorId : VMware.VimAutomation.Sdk.Types.V1.ErrorHandling.VimException.MethodFault

LucD
Leadership

How did you assign the multiple IP addresses to the variable $ip?
The command only allows a single IP address or a range of IP addresses.

For multiple single IP addresses, you have to call the method for each IP address.


This is for a range:

$ip = @{
    rulesetid = 'sshServer'
    ipaddress = '192.168.1.1/24'
}
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($ip)


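The procedure LucD describes above (set allowedall to false, then one allowedip.add call per address or range) wrapped into a single idempotent function, as an added example that is not code from this thread. It assumes an active Connect-VIServer session; the host name and the address list in the usage line are placeholders. Besides the ruleset.set, allowedip.add and allowedip.list calls shown in the replies, it uses allowedip.remove and firewall.refresh, which are the same esxcli subcommands exposed through Get-EsxCli -V2. Re-reading the list before adding matters: adding an address that is already present raises a CLIFault rather than being ignored, and a second run of a naive script fails on the first host.

```powershell
# Added example (not from the thread). Requires an existing Connect-VIServer session.
function Set-SshServerAllowedIP {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$VMHostName,
        # Each entry is one address ('192.168.1.1') or one CIDR range ('192.168.1.0/24').
        # esxcli takes exactly one of these per add call, never a comma-separated list.
        [Parameter(Mandatory)][string[]]$AllowedIP,
        # Also remove addresses that are on the host but not in $AllowedIP (exact-state mode).
        [switch]$Exact
    )

    $vmhost = Get-VMHost -Name $VMHostName -ErrorAction Stop
    $esxcli = Get-EsxCli -VMHost $vmhost -V2

    # 1. Keep the ruleset enabled but stop allowing every source address.
    #    'allowedip' is not a parameter of ruleset.set (that is what produced the
    #    FormatException earlier in the thread); addresses go through allowedip.add.
    if ($PSCmdlet.ShouldProcess($vmhost.Name, 'sshServer: allowedall=false')) {
        $null = $esxcli.network.firewall.ruleset.set.Invoke(@{
            rulesetid  = 'sshServer'
            enabled    = $true
            allowedall = $false
        })
    }

    # 2. Read the current list so repeated runs are harmless; the list shows the
    #    literal string 'All' while allowedall is still true, so filter it out.
    $listArgs = @{ rulesetid = 'sshServer' }
    $current  = @($esxcli.network.firewall.ruleset.allowedip.list.Invoke($listArgs).AllowedIPAddresses |
                  Where-Object { $_ -and $_ -ne 'All' })

    # 3. One add call per entry, skipping entries already present.
    foreach ($entry in $AllowedIP) {
        if ($current -contains $entry) { continue }
        if ($PSCmdlet.ShouldProcess($vmhost.Name, "sshServer: allow $entry")) {
            $null = $esxcli.network.firewall.ruleset.allowedip.add.Invoke(@{
                rulesetid = 'sshServer'
                ipaddress = $entry
            })
        }
    }

    # 4. Optionally drop anything that is not in the desired list.
    if ($Exact) {
        foreach ($stale in @($current | Where-Object { $AllowedIP -notcontains $_ })) {
            if ($PSCmdlet.ShouldProcess($vmhost.Name, "sshServer: remove $stale")) {
                $null = $esxcli.network.firewall.ruleset.allowedip.remove.Invoke(@{
                    rulesetid = 'sshServer'
                    ipaddress = $stale
                })
            }
        }
    }

    $null = $esxcli.network.firewall.refresh.Invoke()

    # 5. Return the effective state so the caller can verify, not just trust, the change.
    $after = @($esxcli.network.firewall.ruleset.allowedip.list.Invoke($listArgs).AllowedIPAddresses)
    [pscustomobject]@{
        VMHost     = $vmhost.Name
        AllowedAll = ($after -contains 'All')
        AllowedIPs = ($after -join ', ')
    }
}

# Usage (placeholder host and addresses): lock SSH on one host to a jump host and a
# management subnet. -WhatIf only reads and reports; drop it to apply the change.
Set-SshServerAllowedIP -VMHostName 'esx01.example.local' `
    -AllowedIP '192.168.1.1', '192.168.1.0/24' -Exact -WhatIf
```

Make sure the address you administer from is in the list before running this without -WhatIf: once allowedall is false, SSH from anywhere else is dropped by the host firewall, and the only remaining paths to the host are the vSphere API and the console.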

esxi1979
Expert

LucD, that helped, thanks.

Uday1990
Contributor

Hi,

For me it works for only one IP.

How can I add multiple IPs?

Thanks

LucD
Leadership

By repeating the call for each IP address.
That is done exactly the same as with the esxcli command itself; see Manage the ESXi Firewall (vmware.com).



Uday1990
Contributor

Hi,

Many thanks for your help.

How can I apply it to the entire cluster/vCenter in one go?

Thanks

Uday

LucD
Leadership

Just use a ForEach-Object loop:

$rule = @{
    enabled    = $true
    allowedall = $false
    rulesetid  = 'sshServer'
}
$ip = @{
    rulesetid = 'sshServer'
    ipaddress = '192.168.1.1'
}

Get-Cluster | Get-VMHost |
ForEach-Object -Process {
    # -V2 is required: the Invoke(hashtable) calls below only exist on the V2 object
    $esxcli = Get-EsxCli -VMHost $_ -V2
    $esxcli.network.firewall.ruleset.set.Invoke($rule)
    $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ip)
}

Leave out the Get-Cluster if you want to do this for all ESXi nodes.



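Before and after a cluster-wide change like the loop above, a practitioner wants to see which hosts actually expose SSH and to whom. The read-only report below is an added example, not code from this thread or from VMware; it assumes an active Connect-VIServer session, and the cluster name and expected addresses in the usage line are placeholders. It uses the same allowedip.list call as the thread plus Get-VMHostService, and flags a host only when SSH is running and the ruleset is either open to all or contains an address nobody asked for.

```powershell
# Added example (not from the thread). Requires an existing Connect-VIServer session.
function Get-SshServerFirewallReport {
    [CmdletBinding()]
    param(
        # Limit to one cluster; omit to report on every host in the connected vCenter.
        [string]$Cluster,
        # Addresses/ranges that are supposed to be on the allow list.
        [string[]]$ExpectedIP = @()
    )

    $hosts = if ($Cluster) { Get-Cluster -Name $Cluster | Get-VMHost } else { Get-VMHost }

    foreach ($vmhost in ($hosts | Sort-Object -Property Name)) {
        $esxcli = Get-EsxCli -VMHost $vmhost -V2
        $ssh    = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }

        # allowedip.list reports the literal string 'All' while allowedall is true,
        # otherwise the individual addresses and ranges.
        $allowed    = @($esxcli.network.firewall.ruleset.allowedip.list.Invoke(@{ rulesetid = 'sshServer' }).AllowedIPAddresses)
        $allowedAll = $allowed -contains 'All'
        $ips        = @($allowed | Where-Object { $_ -and $_ -ne 'All' })

        # Entries on the host that are not in the expected set are the interesting
        # finding: leftovers from old jump hosts, or something added by hand.
        $unexpected = @($ips | Where-Object { $ExpectedIP -notcontains $_ })
        $missing    = @($ExpectedIP | Where-Object { $ips -notcontains $_ })

        [pscustomobject]@{
            VMHost     = $vmhost.Name
            SshRunning = [bool]$ssh.Running
            SshPolicy  = $ssh.Policy
            AllowedAll = $allowedAll
            AllowedIPs = ($ips -join ', ')
            Unexpected = ($unexpected -join ', ')
            Missing    = ($missing -join ', ')
            # Only a reachable SSH daemon is a finding: running and open to all,
            # or running with entries outside the expected set.
            Finding    = ([bool]$ssh.Running -and ($allowedAll -or $unexpected.Count -gt 0))
        }
    }
}

# Usage (placeholder cluster and addresses): show only hosts that need attention.
Get-SshServerFirewallReport -Cluster 'Prod-Cluster' -ExpectedIP '192.168.1.1', '192.168.1.0/24' |
    Where-Object Finding | Format-Table -AutoSize
```

Run it without Where-Object Finding to get the full inventory, or pipe the objects to Export-Csv to keep a record of the state before you change it.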
Uday1990
Contributor

Hi,

With the command below, how can I allow multiple IP addresses in one go?

$cluster = "<clusterName>"
$ip = "192.168.1.1"

foreach ($vmHost in (Get-Cluster $cluster | Get-VMHost | Sort-Object Name)) {
    Write-Host "Configuring SSH on host: $($vmHost.Name)" -ForegroundColor Yellow

    # Start the SSH service with the host
    if ((Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq "TSM-SSH" }).Policy -ne "on") {
        Write-Host "Setting SSH service policy to automatic on $($vmHost.Name)"
        Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq "TSM-SSH" } |
            Set-VMHostService -Policy "On" -Confirm:$false -ErrorAction Stop | Out-Null
    }

    if ((Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq "TSM-SSH" }).Running -ne $true) {
        Write-Host "Starting SSH service on $($vmHost.Name)"
        Start-VMHostService -HostService ($vmHost | Get-VMHostService | Where-Object { $_.Key -eq "TSM-SSH" }) | Out-Null
    }

    # The -V2 object is driven with Invoke() and a hashtable, not positional arguments
    $esxcli = Get-EsxCli -V2 -VMHost $vmHost
    if ($esxcli -ne $null) {
        $allowed = $esxcli.network.firewall.ruleset.allowedip.list.Invoke(@{ rulesetid = "sshServer" }).AllowedIPAddresses
        if ($allowed -eq "All") {
            Write-Host "Changing the sshServer firewall configuration"
            $esxcli.network.firewall.ruleset.set.Invoke(@{ enabled = $true; allowedall = $false; rulesetid = "sshServer" })
            $esxcli.network.firewall.ruleset.allowedip.add.Invoke(@{ ipaddress = $ip; rulesetid = "sshServer" })
            $esxcli.network.firewall.refresh.Invoke()
        }
    }

    # Hide the "SSH is enabled" warning on the host summary page
    if (($vmHost | Get-AdvancedSetting | Where-Object { $_.Name -eq "UserVars.SuppressShellWarning" }).Value -ne "1") {
        Write-Host "Suppress the SSH warning message"
        $vmHost | Get-AdvancedSetting | Where-Object { $_.Name -eq "UserVars.SuppressShellWarning" } |
            Set-AdvancedSetting -Value "1" -Confirm:$false | Out-Null
    }
}

Thanks
LucD
Leadership

Like I said earlier, by calling the add multiple times, once for each IP address.



Uday1990
Contributor

Hi,

I tried but no luck.

When I am adding multiple IPs, the command is not working.

Thanks

LucD
Leadership

Any errors?
How did you call the add multiple times?



Uday1990
Contributor

Hi,

I am using it like below.

$rule = @{
enabled = $true
allowedall = $false
rulesetid = 'sshServer'
}
$ip = @{
rulesetid = 'sshServer'
ipaddress = '192.168.1.1'
}

}
$ip = @{
rulesetid = 'sshServer'
ipaddress = '192.168.1.2'
}


ForEach-Object -Process {
$esxcli = Get-Esxcli -VMHost $_
$esxcli.network.firewall.ruleset.set.Invoke($rule)
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($ip)
}

Thanks

LucD
Leadership

That will never work.
Try perhaps like this:

$rule = @{
    enabled    = $true
    allowedall = $false
    rulesetid  = 'sshServer'
}
$ip1 = @{
    rulesetid = 'sshServer'
    ipaddress = '192.168.1.1'
}
$ip2 = @{
    rulesetid = 'sshServer'
    ipaddress = '192.168.1.2'
}
    
    
Get-VMHost |
ForEach-Object -Process {
    $esxcli = Get-EsxCli -VMHost $_ -V2
    $esxcli.network.firewall.ruleset.set.Invoke($rule)
    $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ip1)
    $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ip2)
}



Uday1990
Contributor

Hi,

Thanks for your comment.

Could you please add your comment on the command below also?

$vi_server = "vcsa.everythingshouldbevirtual.local" # Set to your vCenter hostname|IP
$vcuser = "vcenteruser"       # Set to your vCenter username to connect
$vcpass = "vcenterpassword"   # Set to your vCenter password (plaintext in a script; Get-Credential or the VI credential store is safer)
$ip = "10.0.101.122"          # Set to the IP of your management station if you are locking down the firewall

Connect-VIServer -Server $vi_server -User $vcuser -Password $vcpass

# Setup variable to use in script for all hosts in vCenter
$vmhosts = @(Get-VMHost)

foreach ($vmhost in $vmhosts) {
    Write-Host "Configuring SSH on host: $($vmHost.Name)" -ForegroundColor Yellow
    if ((Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq "TSM-SSH" }).Policy -ne "on") {
        Write-Host "Setting SSH service policy to automatic on $($vmHost.Name)"
        Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq "TSM-SSH" } |
            Set-VMHostService -Policy "On" -Confirm:$false -ErrorAction Stop | Out-Null
    }
    if ((Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq "TSM-SSH" }).Running -ne $true) {
        Write-Host "Starting SSH service on $($vmHost.Name)"
        Start-VMHostService -HostService ($vmHost | Get-VMHostService | Where-Object { $_.Key -eq "TSM-SSH" }) | Out-Null
    }
    # V1 esxcli object: methods take positional arguments in alphabetical parameter order
    # (ruleset.set = allowedall, enabled, rulesetid; allowedip.add = ipaddress, rulesetid)
    $esxcli = Get-EsxCli -VMHost $vmhost
    if ($esxcli -ne $null) {
        # Uncomment below to set firewall to allow only from a certain IP
        if (($esxcli.network.firewall.ruleset.allowedip.list("sshServer") | Select-Object AllowedIPAddresses).AllowedIPAddresses -eq "All") {
            #Write-Host "Changing the sshServer firewall configuration"
            #$esxcli.network.firewall.ruleset.set($false, $true, "sshServer")
            #$esxcli.network.firewall.ruleset.allowedip.add("$ip", "sshServer")
            #$esxcli.network.firewall.refresh()
        #}
        # End Uncomment
        # Comment out below if using the above to set firewall to a specific IP
        #if (($esxcli.network.firewall.ruleset.allowedip.list("sshServer") | Select-Object AllowedIPAddresses).AllowedIPAddresses -ne "All") {
            Write-Host "Changing the sshServer firewall configuration"
            # As written this opens the ruleset to all sources (allowedall = $true)
            $esxcli.network.firewall.ruleset.set($true, $true, "sshServer")
            $esxcli.network.firewall.refresh()
        }
        # End Comment
    }
    if (($vmHost | Get-AdvancedSetting | Where-Object { $_.Name -eq "UserVars.SuppressShellWarning" }).Value -ne "1") {
        Write-Host "Suppress the SSH warning message"
        $vmHost | Get-AdvancedSetting | Where-Object { $_.Name -eq "UserVars.SuppressShellWarning" } |
            Set-AdvancedSetting -Value "1" -Confirm:$false | Out-Null
    }
}
# Disconnect from vCenter
Disconnect-VIServer * -Confirm:$false

Uday1990
Contributor

Hi,

Thanks for your support.

How can I apply it to a specific cluster?

Thanks

Uday1990
Contributor

Hi,

How can I apply this SSH allowed-IP script on a cluster?

Thanks