I want to allow ssh connections only from a specific IP range. But I could not find the firewall settings in the web console, so I tried ufw.
First, as a test, I tried blocking a specific IP, but the ssh connection was not blocked. Below is the diagnostic information. How do I make the first ufw rule take effect?
➜ ~ sudo ufw status verbose <<<
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
Anywhere DENY IN x.x.x.x
22/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
➜ ~ ss
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
u_str ESTAB 0 0 * 21064 * 21065
u_str ESTAB 0 0 * 22634 * 22683
u_str ESTAB 0 0 * 128716 * 128717
u_str ESTAB 0 0 /run/dbus/system_bus_socket 22683 * 22634
u_str ESTAB 0 0 * 128684 * 128688
u_str ESTAB 0 0 /run/dbus/system_bus_socket 22681 * 20730
u_str ESTAB 0 0 /run/systemd/journal/stdout 21065 * 21064
u_str ESTAB 0 0 /run/dbus/system_bus_socket 128717 * 128716
u_str ESTAB 0 0 * 21293 * 19446
u_str ESTAB 0 0 * 20731 * 20732
u_str ESTAB 0 0 /run/systemd/journal/stdout 20732 * 20731
u_str ESTAB 0 0 /run/systemd/journal/stdout 22275 * 22274
u_str ESTAB 0 0 /run/systemd/journal/stdout 128688 * 128684
u_str ESTAB 0 0 //tmp/plugin1uab6tlg 24325 * 24768
u_str ESTAB 0 0 * 22693 * 22694
u_str ESTAB 0 0 /run/systemd/journal/stdout 22884 * 22883
u_str ESTAB 0 0 * 22652 * 22684
u_str ESTAB 0 0 * 21376 * 19449
u_str ESTAB 0 0 /run/dbus/system_bus_socket 22684 * 22652
u_str ESTAB 0 0 * 19285 * 22678
u_str ESTAB 0 0 * 22694 * 22693
u_str ESTAB 0 0 * 22883 * 22884
u_str ESTAB 0 0 * 21453 * 19453
u_str ESTAB 0 0 * 24768 * 24325
u_str ESTAB 0 0 /run/dbus/system_bus_socket 22678 * 19285
u_str ESTAB 0 0 /run/systemd/journal/stdout 19453 * 21453
u_str ESTAB 0 0 /run/systemd/journal/stdout 19446 * 21293
u_str ESTAB 0 0 /run/systemd/journal/stdout 19449 * 21376
u_str ESTAB 0 0 /run/dbus/system_bus_socket 22908 * 22907
u_str ESTAB 0 0 * 22912 * 22913
u_str ESTAB 0 0 * 22677 * 22676
u_str ESTAB 0 0 * 20754 * 22682
u_str ESTAB 0 0 /run/dbus/system_bus_socket 22682 * 20754
u_str ESTAB 0 0 * 22676 * 22677
u_str ESTAB 0 0 * 22907 * 22908
u_str ESTAB 0 0 * 22913 * 22912
u_str ESTAB 0 0 * 20314 * 19017
u_str ESTAB 0 0 * 129399 * 129398
u_str ESTAB 0 0 /run/systemd/journal/stdout 20988 * 19439
u_str ESTAB 0 0 /run/systemd/journal/stdout 20661 * 19357
u_str ESTAB 0 0 * 20206 * 20208
u_str ESTAB 0 0 * 129277 * 0
u_str ESTAB 0 0 /run/systemd/journal/stdout 18773 * 18766
u_str ESTAB 0 0 /run/systemd/journal/stdout 16574 * 16565
u_str ESTAB 0 0 * 22274 * 22275
u_str ESTAB 0 0 /run/systemd/journal/stdout 19017 * 20314
u_str ESTAB 0 0 /run/systemd/journal/stdout 21865 * 21864
u_str ESTAB 0 0 /run/systemd/journal/stdout 20208 * 20206
u_str ESTAB 0 0 * 129398 * 129399
u_str ESTAB 0 0 * 19510 * 18771
u_str ESTAB 0 0 * 19357 * 20661
u_str ESTAB 0 0 * 20571 * 22680
u_str ESTAB 0 0 * 20570 * 22679
u_str ESTAB 0 0 /run/systemd/journal/stdout 18771 * 19510
u_str ESTAB 0 0 /run/systemd/journal/stdout 21658 * 21653
u_str ESTAB 0 0 * 18766 * 18773
u_str ESTAB 0 0 * 21864 * 21865
u_str ESTAB 0 0 * 19439 * 20988
u_str ESTAB 0 0 /run/dbus/system_bus_socket 22679 * 20570
u_str ESTAB 0 0 * 20730 * 22681
u_str ESTAB 0 0 * 21653 * 21658
u_str ESTAB 0 0 /run/dbus/system_bus_socket 22680 * 20571
u_str ESTAB 0 0 * 16565 * 16574
icmp6 UNCONN 0 0 *%ens3:ipv6-icmp *:*
tcp CLOSE-WAIT 1 0 10.0.0.3:49906 169.254.169.254:http
tcp ESTAB 0 148 10.0.0.3:ssh x.x.x.x:55290
tcp CLOSE-WAIT 1 0 10.0.0.3:49358 169.254.169.254:http
tcp CLOSE-WAIT 32 0 10.0.0.3:55582 140.204.24.145:https
tcp CLOSE-WAIT 1 0 10.0.0.3:49360 169.254.169.254:http
tcp CLOSE-WAIT 32 0 10.0.0.3:56130 140.204.24.145:https
tcp CLOSE-WAIT 1 0 10.0.0.3:49908 169.254.169.254:http
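Added example (not part of the question or the answer): a small Python model of how ufw evaluates the rule table above, first match wins, then the default incoming policy. It is run over a constructed copy of the `ufw status verbose` output from the question (198.51.100.7 stands in for the redacted x.x.x.x) and over a constructed target rule set that allows 22/tcp only from an assumed admin range 203.0.113.0/24, which is the end state the question is after. The rule-table format and the two sample states are assumptions for illustration; the evaluation order is ufw's.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
ACTIONS = ("ALLOW", "DENY", "REJECT", "LIMIT")


@dataclass
class Rule:
    port: Optional[int]   # None = any port ("Anywhere" in the To column)
    proto: Optional[str]  # "tcp"/"udp", or None = any protocol
    action: str           # ALLOW, DENY, REJECT or LIMIT
    src: Network          # source network; a /0 network means "Anywhere"
    v6: bool              # rule applies to IPv6 traffic


def parse_ufw_status(text: str):
    """Return (default_incoming_action, ordered rule list) parsed from
    `ufw status verbose` output. Order is preserved because ufw applies
    the first rule that matches."""
    default_in = "DENY"
    rules = []
    for raw in text.splitlines():
        parts = raw.split()
        if raw.strip().startswith("Default:"):
            # "Default: deny (incoming), allow (outgoing), ..." -> "DENY"
            default_in = raw.split("Default:", 1)[1].split(",")[0].split()[0].upper()
            continue
        # Locate "<ACTION> IN"; OUT rules and non-rule lines are skipped.
        idx = next((i for i, tok in enumerate(parts)
                    if tok in ACTIONS and i + 1 < len(parts) and parts[i + 1] == "IN"),
                   None)
        if idx is None:
            continue
        to_tokens, from_tokens = parts[:idx], parts[idx + 2:]
        v6 = "(v6)" in to_tokens
        port, proto = None, None
        if to_tokens[0] != "Anywhere":
            port_str, _, proto = to_tokens[0].partition("/")  # "22/tcp" or "22"
            port, proto = int(port_str), (proto or None)
        if from_tokens[0] == "Anywhere":
            src = ipaddress.ip_network("::/0" if v6 else "0.0.0.0/0")
        else:
            src = ipaddress.ip_network(from_tokens[0], strict=False)
        rules.append(Rule(port, proto, parts[idx], src, v6))
    return default_in, rules


def decide(default_in, rules, src_ip, dst_port, proto="tcp"):
    """Verdict for a NEW inbound connection: first matching rule wins,
    otherwise the default incoming policy applies."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.v6 != (src.version == 6):
            continue
        if r.port is not None and r.port != dst_port:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if src not in r.src:
            continue
        return r.action
    return default_in


def ssh_open_to_anywhere(rules, port=22):
    """True if some ALLOW rule still admits the port from a /0 (Anywhere) source."""
    return any(r.action == "ALLOW" and r.port in (None, port)
               and r.proto in (None, "tcp") and r.src.prefixlen == 0
               for r in rules)


# Constructed sample mirroring the question's output; 198.51.100.7 stands in
# for the redacted x.x.x.x.
STATUS_ORIGINAL = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
Anywhere DENY IN 198.51.100.7
22/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
"""

# Constructed target state: ssh only from an assumed admin range, no
# "Anywhere" allow for 22/tcp left in the table.
STATUS_RESTRICTED = """\
Default: deny (incoming), allow (outgoing), disabled (routed)
To Action From
-- ------ ----
22/tcp ALLOW IN 203.0.113.0/24
"""

if __name__ == "__main__":
    for label, text in (("original", STATUS_ORIGINAL), ("restricted", STATUS_RESTRICTED)):
        default_in, rules = parse_ufw_status(text)
        print(label, "- ssh open to Anywhere:", ssh_open_to_anywhere(rules))
        for ip in ("198.51.100.7", "203.0.113.5"):
            print("  new connection from", ip, "to 22/tcp ->", decide(default_in, rules, ip, 22))
```

Two caveats the model makes visible. It only judges new connections: the `ss` output in the question shows the ssh session from x.x.x.x already in ESTAB state, and ufw's default before.rules accept RELATED/ESTABLISHED traffic ahead of the user rules, so adding a DENY does not cut a session that is already open; the test has to be a fresh connection attempt. And `ssh_open_to_anywhere` is the check worth running after the change: as long as the `22/tcp ALLOW IN Anywhere` rows remain, a single-host DENY only excludes that one address rather than restricting ssh to the intended range.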
Answer 1
In the web console: hamburger menu -> Networking -> Virtual Cloud Networks -> click the VCN to edit it -> Security Lists (on the left), and edit the ingress rules.