sky_cheng


1. Block access from 68.183.34.127

firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=68.183.34.127 reject'


2. First, remove the ssh service that the system allows by default

[root@localhost ~]# firewall-cmd --list-service
ssh dhcpv6-client
[root@localhost ~]# firewall-cmd --remove-service=ssh --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-service
dhcpv6-client

3. Add the following rich rule

[root@localhost ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.28.146.109" port protocol="tcp" port="25601" accept'
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources: 
  services: ssh dhcpv6-client
  ports: 25601/tcp 8079/tcp 7890/tcp 10050/tcp 8801/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="172.28.146.109" port port="25601" protocol="tcp" accept

source address specifies the source IP that is allowed to connect; it can also be an address range such as 172.28.146.1/24. To allow multiple IPs, repeat the command above once for each of them.

If you make a mistake here, remove the rule and add it again:

[root@localhost ~]# firewall-cmd --remove-rich-rule='rule family="ipv4" source address="172.28.146.109" port port="25601" protocol="tcp" accept' --permanent
success
[root@localhost ~]# firewall-cmd --reload  
success

Adding a rule whose source is an ipset:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source ipset="china_ip" port protocol="tcp" port="9870" accept'


4. Remove the previously opened port 25601

[root@localhost ~]# firewall-cmd --remove-port=25601/tcp --permanent
success
[root@localhost ~]# firewall-cmd --reload
success

This way, only the host at 172.28.146.109 can reach port 25601 over SSH.
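The four firewall-cmd steps above as one guarded script. This is an added example, not the post's own commands; it assumes the public zone, IPv4 sources, and a FIREWALL_CMD variable that can be pointed at a stub for a dry run. It adds the allow rules first and confirms each one is in the permanent configuration before the broad ssh service and open port are removed, so a mistyped address cannot lock you out.

```shell
#!/bin/sh
# Restrict an SSH port to a list of source addresses with firewalld rich rules.
# Assumptions (not from the original post): zone "public", IPv4 sources,
# firewalld running; FIREWALL_CMD may be overridden with a stub for dry runs.
set -eu

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Accept a dotted IPv4 address with an optional /prefix (0-32).
valid_ipv4_cidr() {
    local ip="${1%%/*}" prefix=32 o
    case "$1" in */*) prefix="${1#*/}";; esac
    case "$prefix" in ''|*[!0-9]*|???*) return 1;; esac
    [ "$prefix" -le 32 ] || return 1
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s' "$ip" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
}

# Build the rich rule in the exact form firewalld prints in --list-all,
# so one string serves to add, remove and verify the rule.
build_rich_rule() {   # $1=source address or CIDR, $2=tcp port
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' "$1" "$2"
}

# Succeed if the --list-all output on stdin contains the rule for source/port.
rule_present() {      # $1=source, $2=port
    grep -qF -- "$(build_rich_rule "$1" "$2")"
}

# Add the allow rules, confirm each one landed in the permanent config, then
# close the broad rules. Refuses an empty source list (would lock everyone out).
restrict_ssh() {      # $1=tcp port, remaining args = allowed sources
    local port="$1" src; shift
    [ $# -gt 0 ] || { echo "refusing: no allowed sources given" >&2; return 1; }
    for src in "$@"; do
        valid_ipv4_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
        "$FIREWALL_CMD" --permanent --add-rich-rule="$(build_rich_rule "$src" "$port")"
    done
    for src in "$@"; do
        "$FIREWALL_CMD" --permanent --list-all | rule_present "$src" "$port" ||
            { echo "rule for $src not in permanent config; ssh left open" >&2; return 1; }
    done
    "$FIREWALL_CMD" --permanent --remove-service=ssh
    "$FIREWALL_CMD" --permanent --remove-port="$port/tcp"
    "$FIREWALL_CMD" --reload
}
# Usage: restrict_ssh 25601 172.28.146.109 172.28.146.1/24
```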

Alternatively, the same configuration can be made by editing /etc/firewalld/zones/public.xml by hand:

[root@localhost ~]# vim /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="8079"/>
  <port protocol="tcp" port="7890"/>
  <port protocol="tcp" port="10050"/>
  <port protocol="tcp" port="8801"/>
  <rule family="ipv4">
    <source address="172.28.146.109"/>
    <port protocol="tcp" port="25601"/>
    <accept/>
  </rule>
</zone>

After editing the file, you still need to run firewall-cmd --reload for the change to take effect.

posted on 2021-12-08 17:50 by sky_cheng