For security reasons I want to close port 22 (ssh) on a VM on GCP. Currently, if I run the command telnet xx.xx.xxx.xxx 22,
the server responds to me:
Trying xx.xx.xxx.xxx...
Connected to xx.xx.xxx.xxx.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
I tried to configure the firewall rules that apply to the VM correctly: I removed "apply to all" from the targets of the "default-allow-ssh" rule, and I created a rule named "close-ssh" that denies all connections to the VM on port 22 from 0.0.0.0/4.
I verified the configuration with the command sudo iptables -L, checking whether any rule exposes port 22:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (3 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
When I run the command nmap -p 22 xx.xx.xxx.xxx, I get the following output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-10 09:56 -03
Nmap scan report for xx.xx.xxx.xxx.bc.googleusercontent.com (xx.xx.xxx.xxx)
Host is up (0.32s latency).
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds
Answer 1
Firewall rules are processed from top to bottom in the list. In your GCP VM, the first rule allows SSH. When a packet matches a rule (or ACL) during filtering, the packet is processed and does not traverse the remaining rules in the list. The "close-ssh" rule must be placed above "default-allow-ssh".
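As an added example (not code from the question or the answer), the following Python script models how GCP VPC picks the ingress firewall rule that decides a packet. "Above" in the answer corresponds in GCP to a lower priority number (0 to 65535, lower wins, independent of the order rules were created in); a deny wins over an allow at equal priority; and the implied deny-all ingress rule applies when no user rule matches. It also applies the source range literally, so the difference between a source of 0.0.0.0/4 (which covers only 0.0.0.0 to 15.255.255.255) and 0.0.0.0/0 is visible for a client outside that block. The rule names mirror the post; priority 1000 for "close-ssh", the tag-based rule, and the client addresses 203.0.113.10 and 10.0.0.1 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Added example: a model of how GCP VPC selects the ingress firewall rule for
# one TCP packet. Rule names mirror the post; the client addresses and the
# priority of "close-ssh" are constructed assumptions. Semantics modelled:
# lower priority number wins, deny beats allow at equal priority, and the
# implied deny-all ingress rule applies when no user rule matches.


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    action: str                            # "allow" or "deny"
    protocol: str                          # "tcp", "udp" or "all"
    ports: tuple                           # () means every port of the protocol
    source_ranges: tuple                   # CIDR strings
    target_tags: frozenset = frozenset()   # empty = applies to all instances


def rule_matches(rule, src_ip, proto, port, instance_tags):
    """True when every selector of the rule matches the packet and instance."""
    if rule.target_tags and not (rule.target_tags & instance_tags):
        return False
    if rule.protocol != "all" and rule.protocol != proto:
        return False
    if rule.ports and port not in rule.ports:
        return False
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in rule.source_ranges)


def evaluate(rules, src_ip, proto, port, instance_tags=frozenset()):
    """Return (action, rule_name) of the rule that decides this packet.

    Definition order is irrelevant: the lowest priority number wins, and at
    equal priority the deny rule wins. With no match, the implied ingress
    deny applies.
    """
    matching = [r for r in rules if rule_matches(r, src_ip, proto, port, instance_tags)]
    if not matching:
        return ("deny", "implied-deny-ingress")
    winner = min(matching, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return (winner.action, winner.name)


# The default network's pre-created SSH rule: priority 65534, tcp:22 from anywhere.
DEFAULT_ALLOW_SSH = Rule("default-allow-ssh", 65534, "allow", "tcp", (22,), ("0.0.0.0/0",))

# The deny rule as described in the question, with source 0.0.0.0/4.
# Priority 1000 is an assumption (the gcloud default when none is given).
CLOSE_SSH_AS_POSTED = Rule("close-ssh", 1000, "deny", "tcp", (22,), ("0.0.0.0/4",))

# The same rule with a source range covering every IPv4 address.
CLOSE_SSH_ANY_SOURCE = Rule("close-ssh", 1000, "deny", "tcp", (22,), ("0.0.0.0/0",))

# An allow and a deny at the same priority, to show the tie-break.
ALLOW_SSH_1000 = Rule("allow-ssh-1000", 1000, "allow", "tcp", (22,), ("0.0.0.0/0",))
DENY_SSH_1000 = Rule("deny-ssh-1000", 1000, "deny", "tcp", (22,), ("0.0.0.0/0",))

# A rule restricted by target tag (constructed), to show target matching.
TAGGED_ALLOW_SSH = Rule("allow-ssh-bastion", 900, "allow", "tcp", (22,),
                        ("0.0.0.0/0",), frozenset({"bastion"}))

POSTED_RULES = (DEFAULT_ALLOW_SSH, CLOSE_SSH_AS_POSTED)
ANY_SOURCE_RULES = (DEFAULT_ALLOW_SSH, CLOSE_SSH_ANY_SOURCE)
TIE_RULES = (ALLOW_SSH_1000, DENY_SSH_1000)
TAGGED_RULES = (CLOSE_SSH_ANY_SOURCE, TAGGED_ALLOW_SSH)


if __name__ == "__main__":
    cases = (("as posted (/4)", POSTED_RULES),
             ("source 0.0.0.0/0", ANY_SOURCE_RULES),
             ("equal priority", TIE_RULES))
    for label, rules in cases:
        for src in ("203.0.113.10", "10.0.0.1"):
            print(f"{label:18} {src:14} tcp/22 -> {evaluate(rules, src, 'tcp', 22)}")
    print(f"tagged, untagged VM  203.0.113.10 tcp/22 -> {evaluate(TAGGED_RULES, '203.0.113.10', 'tcp', 22)}")
    print(f"tagged, bastion VM   203.0.113.10 tcp/22 -> "
          f"{evaluate(TAGGED_RULES, '203.0.113.10', 'tcp', 22, frozenset({'bastion'}))}")
```

Running it shows that with the rules as posted a client at 203.0.113.10 is still allowed by default-allow-ssh, because 0.0.0.0/4 does not contain it, while a client at 10.0.0.1 is denied; with a 0.0.0.0/0 source the deny at priority 1000 wins over the allow at 65534 regardless of the order in which the rules were created, and at equal priority the deny wins.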