I am running Ubuntu 14.04.3 LTS:
root@alexus:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
2376/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
2376/tcp (v6) ALLOW IN Anywhere (v6)
root@alexus:~#
I used the following rule to allow traffic to port 9150 from a specific IP:
root@alexus:~# ufw allow proto tcp from Y.Y.Y.Y to any port 9150
Rule added
root@alexus:~#
However, I can still connect to port 9150 from a remote host:
[alexus@wcmisdlin02 Desktop]$ nmap -v X.X.X.X -p 9150 -P0
Starting Nmap 6.40 ( http://nmap.org ) at 2015-09-28 10:45 EDT
Initiating Parallel DNS resolution of 1 host. at 10:45
Completed Parallel DNS resolution of 1 host. at 10:45, 0.10s elapsed
Initiating Connect Scan at 10:45
Scanning X.X.X.X [1 port]
Discovered open port 9150/tcp on X.X.X.X
Completed Connect Scan at 10:45, 0.11s elapsed (1 total ports)
Nmap scan report for X.X.X.X
Host is up (0.11s latency).
PORT STATE SERVICE
9150/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
[alexus@wcmisdlin02 Desktop]$
How do I configure ufw so that connections to port 9150 are allowed only from a specific IP address/range and denied from every other IP address/range?
* Update *
root@alexus:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
2376/tcp ALLOW IN Anywhere
9150/tcp ALLOW IN Y.Y.Y.Y
9150/tcp DENY IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
2376/tcp (v6) ALLOW IN Anywhere (v6)
9150/tcp (v6) DENY IN Anywhere (v6)
root@alexus:~#
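As an added example (not part of the question or the answer), the following POSIX shell script parses a constructed copy of the post-update "ufw status verbose" table above and reports which ports any source may reach versus which are limited to specific addresses; the parsing functions are my own and assume ufw's standard "To / Action / From" layout.

```shell
#!/bin/sh
# Constructed sample: the post-update "ufw status verbose" table from the question.
UFW_STATUS_SAMPLE='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
2376/tcp                   ALLOW IN    Anywhere
9150/tcp                   ALLOW IN    Y.Y.Y.Y
9150/tcp                   DENY IN     Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
2376/tcp (v6)              ALLOW IN    Anywhere (v6)
9150/tcp (v6)              DENY IN     Anywhere (v6)'

# Read ufw status text on stdin; emit each inbound rule as "to|action|from",
# e.g. "9150/tcp (v6)|DENY|Anywhere (v6)". Rule lines are recognised by the
# "<ACTION> <DIRECTION>" pair; header and Default: lines do not match.
ufw_in_rules() {
  awk '/ (ALLOW|DENY|REJECT|LIMIT) +(IN|OUT|FWD) /{
    to = $1; i = 2
    if ($2 == "(v6)") { to = to " (v6)"; i = 3 }   # "(v6)" belongs to the To field
    action = $i; dir = $(i + 1); from = ""
    for (j = i + 2; j <= NF; j++) from = from (j > i + 2 ? " " : "") $j
    if (dir == "IN") print to "|" action "|" from
  }'
}

# Ports that any source may reach: an ALLOW IN rule whose From is Anywhere.
exposed_ports() {
  ufw_in_rules | awk -F'|' '$2 == "ALLOW" && $3 ~ /^Anywhere/ { print $1 }'
}

# Ports limited to specific sources: allowed from at least one concrete address
# and never allowed from Anywhere for the same To field (a stray ALLOW from
# Anywhere on the same port is what turns "specific IP only" into "everyone").
restricted_ports() {
  ufw_in_rules | awk -F'|' '
    $2 == "ALLOW" && $3 !~ /^Anywhere/ { specific[$1] = 1 }
    $2 == "ALLOW" && $3 ~  /^Anywhere/ { anywhere[$1] = 1 }
    END { for (p in specific) if (!(p in anywhere)) print p }'
}

echo "Reachable from any source:"; printf '%s\n' "$UFW_STATUS_SAMPLE" | exposed_ports
echo "Restricted to specific sources:"; printf '%s\n' "$UFW_STATUS_SAMPLE" | restricted_ports
```

On a live host, replace the sample with `ufw status verbose | exposed_ports`. Note that with a `deny (incoming)` default, the explicit `9150/tcp DENY IN Anywhere` rule only restates the default for traffic no ALLOW rule matches; what decides exposure is whether any ALLOW for 9150 lists Anywhere as its source.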
Answer 1
After deleting the following rule:
22/tcp (v6) ALLOW Anywhere (v6)
ufw started netfilter.