我正在使用以下内容:
# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
# rpm -q firewalld
firewalld-0.3.9-11.el7.noarch
#
我正在尝试阻止特定 IP 地址 (10.52.208.220) 从我的系统访问它,但无法做到:
前:
# firewall-cmd --reload
success
# firewall-cmd --list-all
public (default, active)
interfaces: eno1
sources:
services: dhcpv6-client high-availability http https ssh
ports: 5666/tcp 3306/tcp 5900/tcp 9001/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
# ping -c1 wcmisdlin01
PING wcmisdlin01.uftmasterad.org (10.52.208.220) 56(84) bytes of data.
64 bytes from wcmisdlin01.uftmasterad.org (10.52.208.220): icmp_seq=1 ttl=64 time=0.379 ms
--- wcmisdlin01.uftmasterad.org ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.379/0.379/0.379/0.000 ms
#
后:
# firewall-cmd --add-rich-rule='rule family="ipv4" destination address="10.52.208.220" protocol value="icmp" reject'
success
# firewall-cmd --list-all
public (default, active)
interfaces: eno1
sources:
services: dhcpv6-client high-availability http https ssh
ports: 5666/tcp 3306/tcp 5900/tcp 9001/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" destination address="10.52.208.220" protocol value="icmp" reject
# ping -c1 wcmisdlin01
PING wcmisdlin01.uftmasterad.org (10.52.208.220) 56(84) bytes of data.
64 bytes from wcmisdlin01.uftmasterad.org (10.52.208.220): icmp_seq=1 ttl=64 time=0.266 ms
--- wcmisdlin01.uftmasterad.org ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.266/0.266/0.266/0.000 ms
#
IPTABLES(8) - iptables/ip6tables — administration tool for IPv4/IPv6 packet filtering and NAT
# iptables --list IN_public_deny
Chain IN_public_deny (1 references)
target prot opt source destination
REJECT icmp -- anywhere wcmisdlin01.uftmasterad.org ctstate NEW reject-with icmp-port-unreachable
#
我究竟做错了什么?
答案1
检查完整iptables -n --list
输出后,IN_public_deny
(最终)会从INPUT
链中调用,这与从系统发送到未被拒绝的主机的数据包无关;这些数据包而是通过链进行路由OUTPUT
(或者,FORWARD
如果防火墙是源和目标之间的路由器或网桥,则可能是这样)。firewalld.richlanguage(5)
似乎没有提供任何方法来指定规则必须进入OUTPUT
(或FORWARD
)链,因此直接规则的“最后手段”选项似乎是一种解决方案。
firewall-cmd --direct --add-rule ipv4 filter OUTPUT_direct 0 -p icmp -d 10.52.208.220 -j REJECT --reject-with icmp-host-prohibited
(虽然我通常更喜欢 DROP(并且可能使用速率限制进行 LOG)而不是发送 ICMP 拒绝,因为如果要被阻止的主机发疯了,将 ICMP 响应数据包扔回到负担沉重的网络上会使事情变得越来越糟...)