Firewalld: how to whitelist two IP addresses that are not in the same subnet


I am running firewalld on a VPS / web server.

The public zone is the active default (I don't want to change that). How do I allow only these two external IP addresses to access the VPS (i.e. all the services I have defined in the public zone):

   IP1:  11.22.33.44/24
   IP2:  55.66.77.88/24

These are fake IP addresses, and note that they are deliberately not in the same subnet.

I think I understand why the following does not work (it locks out one IP or the other).

user$ sudo firewall-cmd --zone=public --permanent --add-source=11.22.33.44/24
user$ sudo firewall-cmd --zone=public --permanent --add-source=55.66.77.88/24

user$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="11.22.33.44/24" invert="True" drop'
user$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="55.66.77.88/24" invert="True" drop'
user$ sudo firewall-cmd --reload

What do I need to change to make this work (so that it does not lock out one IP, or the other, or both)?

Thanks! =:)

Edit: As the first commenter below suggested, I also tried a /32 bitmask for all four commands above. Unfortunately, it did not help. Still looking for a solution.

I think the logic would sound something like this: if IP1 or IP2, allow it and stop processing the chain; else continue processing the chain, where the very next rule would be to DROP. Something like that.

Edit 2: Posting the output of sudo firewall-cmd --list-all-zones below. Note that I removed all the rules mentioned above because they did not work, so the output below is back to square one.

user$ sudo firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


public (active)
  target: default
  icmp-block-inversion: no
  interfaces: venet0:0 venet0
  sources: 
  services: ssh-vps http https
  ports: 8080/tcp 8080/udp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: echo-reply echo-request timestamp-reply timestamp-request
  rich rules: 

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Answer 1

There is a good answer on another site.

So I tried doing this on a test VM with the following commands:

firewall-cmd --zone=public --change-interface=eth0 --permanent
firewall-cmd --zone=public --add-source=192.168.1.2/32 --permanent
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.2/32" invert="True" drop' --permanent

And this works: the test VM cannot be reached from any IP other than that one.

The output of firewall-cmd --zone=public --list-all is:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 192.168.1.2/32
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source NOT address="192.168.1.2/32" drop

Answer 2

I don't think Tolkachev's answer solves the OP's problem. The OP needs to whitelist two different addresses.

We can use an ipset to group several addresses together.

firewall-cmd --permanent --new-ipset=myipset --type=hash:ip
firewall-cmd --permanent --ipset=myipset --add-entry=192.168.31.54
firewall-cmd --permanent --ipset=myipset --add-entry=192.168.31.56
firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source ipset="myipset" invert="true" protocol=tcp reject'
firewall-cmd --reload
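The script below is an added example; it is not the question's commands or either answer's code. It generalizes the ipset approach from Answer 2 to any number of single IPv4 addresses and attaches the inverted drop rule to the zone the question actually uses (public, where the services are defined). The set name `allowlist`, the `FIREWALL_CMD`/`ZONE`/`IPSET` variables and the split into a lockout-safe `trial` step (a runtime rule that expires via `--timeout`) and a `commit` step are this example's own choices, not firewalld conventions. It assumes a firewalld with ipset support and that `firewall-cmd` is run as root; setting `FIREWALL_CMD=echo` turns it into a dry run that prints the commands it would execute.

```shell
#!/bin/sh
# Added example: allow-list several unrelated source addresses in firewalld's
# public zone with ONE ipset and ONE inverted drop rich rule.
# Dry run:   FIREWALL_CMD=echo sh allowlist.sh commit 11.22.33.44 55.66.77.88
# Real run:  sh allowlist.sh trial 11.22.33.44 55.66.77.88   (then "commit")
FIREWALL_CMD="${FIREWALL_CMD:-sudo firewall-cmd}"   # assumption: sudo is available
ZONE="${ZONE:-public}"                              # the zone holding the services
IPSET="${IPSET:-allowlist}"                         # set name chosen for this example

# hash:ip sets hold single addresses, so refuse anything that is not a plain
# dotted quad. A "/24" would admit 255 neighbours; use --type=hash:net for ranges.
valid_ipv4() {
    addr=$1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The rich rule: drop every IPv4 source that is NOT in the set.
deny_rule() {
    printf 'rule family="ipv4" source ipset="%s" invert="True" drop' "$IPSET"
}

# Step 1: put all allowed addresses into one permanent ipset and reload so the
# set exists at runtime. Nothing is blocked yet; this step is safe to repeat.
ensure_ipset() {
    [ $# -ge 1 ] || { echo "usage: ensure_ipset IP [IP...]" >&2; return 2; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "not a single IPv4 address: $ip" >&2; return 2; }
    done
    # --get-ipsets prints the permanent set names space-separated on one line.
    if ! $FIREWALL_CMD --permanent --get-ipsets | tr ' ' '\n' | grep -qx "$IPSET"; then
        $FIREWALL_CMD --permanent --new-ipset="$IPSET" --type=hash:ip || return 1
    fi
    for ip in "$@"; do
        $FIREWALL_CMD --permanent --ipset="$IPSET" --add-entry="$ip" || return 1
    done
    $FIREWALL_CMD --reload
}

# Step 2: a single deny rule. Within a zone firewalld evaluates drop/reject rich
# rules before the service and port allows, so this one rule overrides
# "services: ssh-vps http https" for every source outside the set. Two separate
# inverted rules (one per address) each drop the OTHER address, which is why the
# question's attempt locked both out.
#   trial  : runtime only, auto-expires after N seconds (default 120)
#   commit : permanent rule + reload
add_deny_rule() {
    mode=${1:-trial}
    case "$mode" in
        trial)
            $FIREWALL_CMD --zone="$ZONE" --timeout="${2:-120}" --add-rich-rule="$(deny_rule)" ;;
        commit)
            $FIREWALL_CMD --permanent --zone="$ZONE" --add-rich-rule="$(deny_rule)" \
                && $FIREWALL_CMD --reload ;;
        *)
            echo "usage: add_deny_rule trial [seconds] | commit" >&2; return 2 ;;
    esac
}

# Invoked as a script: allowlist.sh trial|commit IP [IP...]
case "${1:-}" in
    trial|commit)
        mode=$1; shift
        ensure_ipset "$@" && add_deny_rule "$mode"
        ;;
esac
```

Run `trial` first from one of the listed addresses and then try to open a new connection from an unlisted one; your existing SSH session is not the test, because firewalld accepts established connections before zone dispatch. If the rule is wrong it disappears when the timeout expires, so you can still get back in without console access. Two limits to keep in mind: the rule is `family="ipv4"`, so if the VPS also has an IPv6 address the public zone's services stay reachable over IPv6 until you add an equivalent `family="ipv6"` set and rule; and the `--add-source` commands from the question are not needed at all, since the interface is already bound to public and the inverted rule is what does the filtering.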
