Firewalld 仅允许从一个预定义的 IP 主机或 AS 编号网络进行 ssh 操作

Firewalld 仅允许从一个预定义的 IP 主机或 AS 编号网络进行 ssh 操作

我正在使用 CentOS Linux 版本 7.9.2009 的最小安装和防火墙。

[root@centosmin firewalld]# uname -a
Linux centosmin 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

还有类似的问题,例如这里 但那里的所有响应都不起作用。我想在不使用到达规则的情况下做到这一点。

目标是仅允许来自互联网上的一个特定 IP 地址的 ssh。为了模拟此行为,我设置了一个实验室,其中有 3 台机器位于不同的 VLAN,并在我的内部网络中设置了它们之间的路由。

在这种情况下,服务器是

10.192.210.10/24 

和两个 ssh 客户端:

10.192.52.50/24
10.192.57.6/24

现在我已经创建了自己的面向互联网的区域,并使用命令将其设为默认区域

//create new zone called internet
firewall-cmd  --permanent --new-zone=internet

// add the only ip address that should be able to connect to ssh
firewall-cmd --zone=internet --add-source=10.192.57.6/32

firewall-cmd --zone=internet --add-service=ssh

// here i make sure that i manually add the interface if it is not already add it and then remove it
firewall-cmd --zone=internet –add-interface=ens3
firewall-cmd --zone=internet --remove-interface=ens3


firewall-cmd --zone=internet --set-target=DROP
firewall-cmd --set-default-zone=internet

// save the current runtime to premanent rules
firewall-cmd --runtime-to-permanent

firewall-cmd --reload 

之后我唯一的一个网络接口看起来像

[root@centosmin firewalld]# firewall-cmd --list-all 
internet (active) 
 target: DROP 
 icmp-block-inversion: no 
 interfaces:  
 sources: 10.192.57.6/32 
 services: ssh 
 ports:  
 protocols:  
 masquerade: no 
 forward-ports:  
 source-ports:  
 icmp-blocks:  
 rich rules: 

但是我仍然能够从 10.192.52.50/32 主机连接到 ssh。我在这里缺少什么

iptables -nvL -t filter命令告诉我还有多个链仍在接受。难道不应该将其设置为 DROP 吗?如果是,如何将其设置为拒绝除主机 10.192.57.6/32 之外的所有流量

[root@centosmin firewalld]# iptables -nvL -t filter 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes) 
pkts bytes target     prot opt in     out     source               destination          
 459 34244 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED 
   0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            
   0     0 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0            
   0     0 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            
   0     0 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            
   0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID 
   0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

直接关联RedHat 告诉我们,为了做到这一点,我们需要设置目标。但我在上一步中已经这样做了,但我仍然能够从 10.192.52.50/32 进行连接,这不是预期的行为。

添加命令的请求输出

[root@centosmin firewalld]# firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


internet (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 10.192.57.6/32
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


public (active)
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 10.192.57.6
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

相关内容