我正在使用 CentOS Linux 版本 7.9.2009 的最小安装和防火墙。
[root@centosmin firewalld]# uname -a
Linux centosmin 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
还有类似的问题,例如这里 但那里的所有响应都不起作用。我想在不使用到达规则的情况下做到这一点。
目标是仅允许来自互联网上的一个特定 IP 地址的 ssh。为了模拟此行为,我设置了一个实验室,其中有 3 台机器位于不同的 VLAN,并在我的内部网络中设置了它们之间的路由。
在这种情况下,服务器是
10.192.210.10/24
和两个 ssh 客户端:
10.192.52.50/24
10.192.57.6/24
现在我已经创建了自己的面向互联网的区域,并使用命令将其设为默认区域
//create new zone called internet
firewall-cmd --permanent --new-zone=internet
// add the only ip address that should be able to connect to ssh
firewall-cmd --zone=internet --add-source=10.192.57.6/32
firewall-cmd --zone=internet --add-service=ssh
// here i make sure that i manually add the interface if it is not already add it and then remove it
firewall-cmd --zone=internet –add-interface=ens3
firewall-cmd --zone=internet --remove-interface=ens3
firewall-cmd --zone=internet --set-target=DROP
firewall-cmd --set-default-zone=internet
// save the current runtime to premanent rules
firewall-cmd --runtime-to-permanent
firewall-cmd --reload
之后我唯一的一个网络接口看起来像
[root@centosmin firewalld]# firewall-cmd --list-all
internet (active)
target: DROP
icmp-block-inversion: no
interfaces:
sources: 10.192.57.6/32
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
但是我仍然能够从 10.192.52.50/32 主机连接到 ssh。我在这里缺少什么
这iptables -nvL -t filter命令告诉我还有多个链仍在接受。难道不应该将其设置为 DROP 吗?如果是,如何将其设置为拒绝除主机 10.192.57.6/32 之外的所有流量
[root@centosmin firewalld]# iptables -nvL -t filter
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
459 34244 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
直接关联RedHat 告诉我们,为了做到这一点,我们需要设置目标。但我在上一步中已经这样做了,但我仍然能够从 10.192.52.50/32 进行连接,这不是预期的行为。
添加命令的请求输出
[root@centosmin firewalld]# firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internet (active)
target: DROP
icmp-block-inversion: no
interfaces:
sources: 10.192.57.6/32
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
public (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 10.192.57.6
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules: