firewalld: only allow ssh from one predefined IP host or AS-number network


I am using a minimal install of CentOS Linux release 7.9.2009 with firewalld.

[root@centosmin firewalld]# uname -a
Linux centosmin 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

There is a similar question here, but none of the responses there work. I want to do this without using rich rules.

The goal is to allow ssh only from one specific IP address on the internet. To simulate this behaviour I set up a lab with 3 machines in different VLANs, with routing between them configured in my internal network.

The server in this example is

10.192.210.10/24 

and the two ssh clients:

10.192.52.50/24
10.192.57.6/24

Now I have created my own internet-facing zone and made it the default with the following commands

# create new zone called internet
firewall-cmd --permanent --new-zone=internet

# add the only ip address that should be able to connect to ssh
firewall-cmd --zone=internet --add-source=10.192.57.6/32

firewall-cmd --zone=internet --add-service=ssh

# here i make sure that i manually add the interface if it is not already added and then remove it
firewall-cmd --zone=internet --add-interface=ens3
firewall-cmd --zone=internet --remove-interface=ens3


firewall-cmd --zone=internet --set-target=DROP
firewall-cmd --set-default-zone=internet

# save the current runtime to permanent rules
firewall-cmd --runtime-to-permanent

firewall-cmd --reload

After that my only network interface looks like

[root@centosmin firewalld]# firewall-cmd --list-all 
internet (active) 
 target: DROP 
 icmp-block-inversion: no 
 interfaces:  
 sources: 10.192.57.6/32 
 services: ssh 
 ports:  
 protocols:  
 masquerade: no 
 forward-ports:  
 source-ports:  
 icmp-blocks:  
 rich rules: 

But I can still connect via ssh from the 10.192.52.50/32 host. What am I missing here?

The `iptables -nvL -t filter` command tells me that there are several chains that still ACCEPT. Shouldn't these be set to DROP? If so, how do I set it to deny all traffic except from host 10.192.57.6/32?

[root@centosmin firewalld]# iptables -nvL -t filter 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes) 
pkts bytes target     prot opt in     out     source               destination          
 459 34244 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED 
   0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            
   0     0 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0            
   0     0 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            
   0     0 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            
   0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID 
   0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

The direct Red Hat link tells us that to do this we need to set the target. But I already did that in the previous step, and I am still able to connect from 10.192.52.50/32, which is not the expected behaviour.

Requested output of the additional command

[root@centosmin firewalld]# firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


internet (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 10.192.57.6/32
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


public (active)
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 10.192.57.6
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
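
The following Python model is added here as an illustration and is not part of the original question or of firewalld itself. It replays firewalld's zone lookup for a NEW inbound packet (source binding first, then interface binding, then the default zone) against the zone listing shown above, and then applies the zone's service list and target. The listing embedded in the code is a constructed excerpt of the `--list-all-zones` output from the question (only the `drop`, `internet` and `public` zones are kept); the interface name `ens3` is taken from the question. Rich rules, ports, ICMP blocks, direct rules and the RELATED,ESTABLISHED accept at the top of INPUT are deliberately left out of the model.

```python
"""Model of how firewalld picks a zone for a NEW inbound packet.

Illustration code written for this page, not firewalld's implementation.
Only source bindings, interface bindings, the default zone, zone services
and the zone target are modelled.
"""
import ipaddress

# Constructed excerpt in the layout of `firewall-cmd --list-all-zones`,
# copied from the zones shown in the question (other zones omitted).
LISTING = """\
drop
  target: DROP
  interfaces:
  sources:
  services:

internet (active)
  target: DROP
  interfaces:
  sources: 10.192.57.6/32
  services: ssh

public (active)
  target: default
  interfaces:
  sources: 10.192.57.6
  services: ssh
"""


def parse_zones(text):
    """Parse --list-all-zones output into {name: {target, interfaces, sources, services}}."""
    zones, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            name = line.split()[0]  # drop the "(active)" marker
            current = zones[name] = {"target": "default", "interfaces": [],
                                     "sources": [], "services": []}
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition(":")
        if key == "target":
            current["target"] = value.strip()
        elif key in ("interfaces", "sources", "services"):
            current[key] = value.split()
    return zones


def select_zone(zones, default_zone, src_ip, ingress_iface):
    """Lookup order used by firewalld: source binding (INPUT_ZONES_SOURCE),
    then interface binding (INPUT_ZONES), then the default zone for an
    interface that is bound nowhere (the trailing goto IN_<default> rule).
    firewalld itself refuses to bind one source to two zones; here the
    first zone in listing order wins."""
    ip = ipaddress.ip_address(src_ip)
    for name, zone in zones.items():
        for src in zone["sources"]:
            if ip in ipaddress.ip_network(src, strict=False):
                return name
    for name, zone in zones.items():
        if ingress_iface in zone["interfaces"]:
            return name
    return default_zone


def verdict(zones, default_zone, src_ip, ingress_iface, service):
    """Return (zone, verdict) for a NEW connection to `service`."""
    name = select_zone(zones, default_zone, src_ip, ingress_iface)
    zone = zones[name]
    if service in zone["services"]:
        return name, "ACCEPT"  # services apply to every packet in the zone
    target = zone["target"]
    if target == "default":
        return name, "REJECT"  # falls through to INPUT's final reject rule
    return name, target.strip("%")  # ACCEPT, DROP or %%REJECT%%


if __name__ == "__main__":
    zones = parse_zones(LISTING)
    for default in ("internet", "drop"):
        for client in ("10.192.57.6", "10.192.52.50"):
            print(default, client, verdict(zones, default, client, "ens3", "ssh"))
```

With `internet` as the default zone the model reproduces what the question observes: 10.192.52.50 arrives on ens3, which is bound to no zone, so it falls into the default zone `internet`, and because `ssh` is in that zone's service list the connection is accepted. A zone's `sources` list only decides which zone a packet belongs to; it does not restrict whom the zone's services apply to. With `drop` as the default zone the same listing lets only 10.192.57.6 (matched by the source binding into `internet`) reach ssh. On the real host, `firewall-cmd --get-zone-of-interface=ens3`, `firewall-cmd --get-active-zones` and `firewall-cmd --get-default-zone` show where an interface actually lands. One more check worth doing: a zone created with `--permanent --new-zone` does not exist in the runtime configuration until `firewall-cmd --reload`, so runtime `--zone=internet` commands issued before a reload fail with INVALID_ZONE.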
