CentOS firewall-cmd script to allow access only from the IPs listed in sources

I set up the firewall with this script. I expected ssh access to be possible only from a single IP, but testing shows that is not the case. What is missing?

#!/bin/bash
#
# Reset to initial install of firewalld
#
rm -f /etc/firewalld/zones/*
firewall-cmd --complete-reload
firewall-cmd --runtime-to-permanent
firewall-cmd --reload
#
# Create / Setup custom zone
#
firewall-cmd --new-zone calzone --permanent
firewall-cmd --reload
firewall-cmd --zone=calzone --add-service={ssh,dhcpv6-client}
firewall-cmd --zone=calzone --add-source=10.0.0.177
firewall-cmd --change-interface enp1s0 --zone calzone --permanent
firewall-cmd --runtime-to-permanent
firewall-cmd --reload

When I run firewall-cmd --get-active-zones I get the following:

calzone
  interfaces: enp1s0
  sources: 10.0.0.177

As I understand it, setting the interface first directs all traffic from that interface into the zone, and because there are entries in sources, traffic is then restricted to those IPs. Thanks in advance.

In response to Nasir's comment, the command firewall-cmd --list-all-zones | sed -n '/calzone/,/rich/p' produces:

calzone (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources: 10.0.0.177
  services: dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

I also restarted the firewalld daemon. I can ssh from 10.0.0.188, whereas I expected access to be possible only from 10.0.0.177.

Answer 1

After several hours of reading the RedHat firewalld documentation and persisting with the script, I finally got the behaviour I wanted. However, I am not 100% confident, because I still do not understand why setting the interface did not work. But this script seems to work. I used the existing work zone, and when I added a source to it, it appeared to become active.

#!/bin/bash
#
# Reset to initial install of firewalld
#
rm -f /etc/firewalld/zones/*
firewall-cmd --complete-reload
firewall-cmd --runtime-to-permanent
firewall-cmd --reload
systemctl restart firewalld
systemctl status firewalld
#
# Remove the services from all zones
#
# iterate through the default zones
for zone in drop block public external dmz work home internal trusted
do
    # iterate through default services
    for srv in $(firewall-cmd --list-services --zone="$zone")
    do
        echo "Removing service $srv from $zone"
        firewall-cmd --zone="$zone" --remove-service="$srv"
        firewall-cmd --zone="$zone" --remove-service="$srv" --permanent
    done
done
#
# Drop all public traffic?
# Allow work zone to see ssh from host
#
firewall-cmd --zone=public --set-target=DROP --permanent
firewall-cmd --zone=work --add-source=10.0.0.177 --permanent
firewall-cmd --zone=work --add-service=ssh --permanent
firewall-cmd --runtime-to-permanent
firewall-cmd --reload
systemctl restart firewalld
systemctl status firewalld
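The behaviour the question reports follows from how firewalld assigns packets to zones: the `interfaces:` and `sources:` entries of a zone are both bindings, and a packet lands in a zone when it matches either of them (source bindings are checked before interface bindings). Binding both enp1s0 and 10.0.0.177 to calzone therefore makes calzone handle every packet arriving on enp1s0, and the source entry restricts nothing. The shape of the accepted answer, a DROP-target zone holding the interface and a separate zone that is bound by source only and offers ssh, is what actually limits ssh to one host. The script below is an added example and is not code from either post: it embeds constructed copies of the two zone listings, an awk check that flags any zone bound to both an interface and a source (the pattern that silently admits everything), and a function that applies the source-only layout. The zone names, interface and IP mirror the thread; the `apply` argument guard and the function names are my own.

```shell
#!/bin/bash
# Added example, not from the original thread.
# In firewalld, "interfaces:" and "sources:" are both match criteria for a
# zone. A zone bound to enp1s0 AND to 10.0.0.177 handles all traffic that
# arrives on enp1s0; the source entry only adds a second way to match.

# audit_zones reads "firewall-cmd --list-all-zones" style text on stdin and
# prints one finding for every zone that has both interfaces and sources
# bound. Exit status is 1 if any such zone exists, 0 otherwise.
audit_zones() {
    awk '
        function flush() {
            if (zone != "" && iface ~ /[^ ]/ && src ~ /[^ ]/) {
                printf "zone %s is bound to interface(s)%s and source(s)%s: the source list does not restrict traffic on the interface\n", zone, iface, src
                found = 1
            }
        }
        /^[^ ]/          { flush(); zone = $1; iface = ""; src = ""; next }
        /^  interfaces:/ { iface = substr($0, index($0, ":") + 1) }
        /^  sources:/    { src   = substr($0, index($0, ":") + 1) }
        END              { flush(); exit found ? 1 : 0 }
    '
}

# Constructed listing reproducing the zone from the question: interface and
# source bound to the same zone, so ssh is reachable from any host on enp1s0.
listing_as_posted() {
cat <<'EOF'
calzone (active)
  target: default
  interfaces: enp1s0
  sources: 10.0.0.177
  services: dhcpv6-client ssh
  rich rules:
EOF
}

# Constructed listing of the intended layout: the interface sits in a zone
# whose target is DROP, and only the trusted source is bound to the zone
# that offers ssh. Source bindings win, so 10.0.0.177 reaches ssh and
# every other host on enp1s0 is dropped.
listing_restricted() {
cat <<'EOF'
public (active)
  target: DROP
  interfaces: enp1s0
  sources:
  services:
  rich rules:
work (active)
  target: default
  interfaces:
  sources: 10.0.0.177
  services: ssh
  rich rules:
EOF
}

# apply_restricted_ssh ALLOWED_IP IFACE
# Puts IFACE into the built-in "drop" zone (target DROP) and binds only
# ALLOWED_IP to the "work" zone, which offers ssh. Permanent config only,
# then a reload; nothing here runs unless the script is invoked with "apply".
apply_restricted_ssh() {
    allowed_ip=$1
    iface=$2
    firewall-cmd --permanent --zone=drop --change-interface="$iface"
    firewall-cmd --permanent --zone=work --add-source="$allowed_ip"
    firewall-cmd --permanent --zone=work --add-service=ssh
    firewall-cmd --reload
    # Re-check the live configuration for the interface+source pattern.
    firewall-cmd --list-all-zones | audit_zones
}

if [ "${1:-}" = "apply" ]; then
    apply_restricted_ssh 10.0.0.177 enp1s0
fi
```

Run the script with no arguments to keep it inert, and with `apply` on the CentOS host to install the layout; afterwards `firewall-cmd --list-all-zones | audit_zones` should print nothing. On an interface managed by NetworkManager the zone binding should also be set on the connection (`nmcli connection modify <connection> connection.zone drop`) so that NetworkManager does not reassign the interface on reconnect.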
