我在VPS /networking服务器上运行firwalld。
public区域是active和default (我不希望改变)。 我如何只允许这两个外部IP地址访问VPS(即我在public区域定义的所有服务):
IP1: 11.22.33.44/24 IP2: 55.66.77.88/24
这些是假IP地址,并注意到它们故意不在同一个子网上 。
我想我明白为什么以下不起作用(它locking了一个或另一个IP)。
user$ sudo firewall-cmd --zone=public --permanent --add-source=11.22.33.44/24 user$ sudo firewall-cmd --zone=public --permanent --add-source=55.66.77.88/24 user$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="11.22.33.44/24" invert="True" drop' user$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="55.66.77.88/24" invert="True" drop' user$ sudo firewall-cmd --reload
我需要修改这个工作(所以它不locking一个IP或其他或两者)?
谢谢! = 🙂
编辑 :下面的第一个评论者,我也尝试了上述所有四个命令的/32位掩码。 可悲的是它没有帮助。 仍在寻找解决scheme。
我认为逻辑可能听起来像这样: if IP1 or IP2, allow it and stop processing the chain. else Continue processing the chain, where the very next rule would be to DROP. 。 就是这样
EDIT2 :发布sudo firewall-cmd --list-all-zones下面的输出。 请注意,我删除了上述所有规则,因为他们不工作。 所以下面是回到原点。
user$ sudo firewall-cmd --list-all-zones block target: %%REJECT%% icmp-block-inversion: no interfaces: sources: services: ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: dmz target: default icmp-block-inversion: no interfaces: sources: services: ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: drop target: DROP icmp-block-inversion: no interfaces: sources: services: ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: external target: default icmp-block-inversion: no interfaces: sources: services: ports: protocols: masquerade: yes forward-ports: source-ports: icmp-blocks: rich rules: home target: default icmp-block-inversion: no interfaces: sources: services: ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: internal target: default icmp-block-inversion: no interfaces: sources: services: ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: public (active) target: default icmp-block-inversion: no interfaces: venet0:0 venet0 sources: services: ssh-vps http https ports: 8080/tcp 8080/udp protocols: masquerade: no forward-ports: source-ports: icmp-blocks: echo-reply echo-request timestamp-reply timestamp-request rich rules: trusted target: ACCEPT icmp-block-inversion: no interfaces: sources: services: ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: work target: default icmp-block-inversion: no interfaces: sources: services: ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
另一个网站有很好的答案 。
所以我试图用这样的命令在testingVM上做到这一点:
firewall-cmd --zone=public --change-interface=eth0 --permanent firewall-cmd --zone=public --add-source=192.168.1.2/32 --permanent firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.2/32" invert="True" drop' --permanent
而这项工作,testing虚拟机不能从任何IP,除了只有一个。
输出为firewall-cmd --zone=public --list-all是:
public (active) target: default icmp-block-inversion: no interfaces: eth0 sources: 192.168.1.2/32 services: ssh dhcpv6-client ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: rule family="ipv4" source NOT address="192.168.1.2/32" drop