Practical firewalld on Linux: blocking access from overseas (foreign) IP addresses
Contents
1. Preface
2. ipset basics
  2.1 Creating, deleting and listing ipsets
  2.2 Modifying the addresses in an ipset
  2.3 Other ipset queries
3. Hands-on
  3.1 Download the domestic IP ranges
  3.2 Create the IP set
  3.3 Add the rules
  3.4 Be patient
4. Testing and verification
1. Preface
This article goes straight into a practical firewalld setup on Linux: blocking access from overseas (foreign) IP addresses.
For the basics, see: Basic operation of the firewalld firewall on Linux
For more advanced topics, see: Advanced firewalld operation on Linux (log retention, IP ranges, the ssh service)
For a practical walkthrough, see: Practical firewalld on Linux (opening ports to the outside, restricting internal ports to specific IP addresses, closing unused ports by default)
For a practical walkthrough, see: Practical firewalld on Linux (blocking access from overseas/foreign IP addresses)
2. ipset basics
An ipset is a named set of IP addresses or networks. With an ipset, firewalld can match many addresses in a single rule instead of one rule per address, which performs better and is easier to manage. firewalld stores its ipset definitions under /etc/firewalld/ipsets/.
2.1 Creating, deleting and listing ipsets
# Create an IP set; --type=hash:ip stores single addresses and does not allow duplicate IPs
firewall-cmd --permanent --new-ipset=china_ip --type=hash:ip
# Delete an IP set
firewall-cmd --permanent --delete-ipset=china_ip
# List all IP sets
firewall-cmd --permanent --get-ipsets
2.2 Modifying the addresses in an ipset
# Add an IP to the ipset
firewall-cmd --permanent --ipset=china_ip --add-entry=121.122.123.105
# Add IPs to the ipset from a file (one entry per line)
firewall-cmd --permanent --ipset=china_ip --add-entries-from-file=china_ip_list.txt
# Remove an IP from the ipset
firewall-cmd --permanent --ipset=china_ip --remove-entry=121.122.123.105
# Check whether an IP is an entry of the ipset
firewall-cmd --permanent --ipset=china_ip --query-entry=121.122.123.105
# --permanent changes only take effect after a reload
firewall-cmd --reload
2.3 Other ipset queries
# View the ipset definition file directly
more /etc/firewalld/ipsets/china_ip.xml
# Print the path of the ipset definition
firewall-cmd --path-ipset=china_ip --permanent
# Print the ipset's settings (type, options, entries)
firewall-cmd --info-ipset=china_ip --permanent
# Print all entries of the ipset
firewall-cmd --ipset=china_ip --get-entries --permanent
3. Hands-on
There are two ways to block access from overseas IPs:
1. allow all IPs, then deny the foreign ones;
2. deny all IPs, then allow the domestic ones.
The second approach, deny everything and allow domestic IPs, is the easier one, because a list of domestic IP ranges is much easier to collect than a complete list of foreign ones.
3.1 Download the domestic IP ranges
[root@iZ2ze30dygwd6yh7gu6lskZ home]# wget https://www.isres.com/china_ip_list.txt
--2022-08-15 11:46:01-- https://www.isres.com/china_ip_list.txt
Resolving www.isres.com (www.isres.com)... 45.136.15.104
Connecting to www.isres.com (www.isres.com)|45.136.15.104|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 95267 (93K) [text/plain]
Saving to: ‘china_ip_list.txt’

china_ip_list.txt 100%[==================================================================================================================>] 93.03K 419KB/s in 0.2s

2022-08-15 11:46:02 (419 KB/s) - ‘china_ip_list.txt’ saved [95267/95267]
3.2 Create the IP set
# The downloaded list contains CIDR network ranges, so the type must be hash:net, not hash:ip.
# If a set named china_ip already exists (for example the hash:ip one from 2.1), delete it first with --delete-ipset.
firewall-cmd --permanent --new-ipset=china_ip --type=hash:net
# Load every range from the file into the set
firewall-cmd --permanent --ipset=china_ip --add-entries-from-file=china_ip_list.txt
3.3 Add the rules
# Accept TCP 80/8080/443/8443 only from sources in the china_ip set; everything else falls through
# to the zone's default handling. These ports must not also be opened zone-wide (e.g. with --add-port),
# otherwise the source restriction is bypassed.
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=80 protocol=tcp accept'
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=8080 protocol=tcp accept'
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=443 protocol=tcp accept'
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=8443 protocol=tcp accept'
firewall-cmd --reload
3.4 Be patient
When firewalld has to load a large number of IP entries it can appear to hang, so be patient. The session below shows what that looked like on this host: the D-Bus call from firewall-cmd to firewalld got no reply before the timeout, a subsequent --reload failed inside the nftables backend, and firewalld was then stopped and upgraded (0.7.0 to 0.9.3) via yum.
ERROR:dbus.proxies:Introspect error on :1.32902:/org/fedoraproject/FirewallD1/config: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
[root@iZ2ze30dygwd6yh7gu6lskZ home]# firewall-cmd --reload
Error: COMMAND_FAILED: '/usr/sbin/nft insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public' failed: Error: Could not process rule: No such file or directory
insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root@iZ2ze30dygwd6yh7gu6lskZ home]# systemctl stop firewalld
[root@iZ2ze30dygwd6yh7gu6lskZ home]# yum install firewalls
CentOS-8 - AppStream 764 kB/s | 4.3 kB 00:00
CentOS-8 - Base 148 kB/s | 3.9 kB 00:00
CentOS-8 - Extras 55 kB/s | 1.5 kB 00:00
Extra Packages for Enterprise Linux 8 - x86_64 135 kB/s | 4.7 kB 00:00
No match for argument: firewalls
Error: Unable to find a match: firewalls
[root@iZ2ze30dygwd6yh7gu6lskZ home]# yum install firewalld
Last metadata expiration check: 0:00:04 ago on Wed 17 Aug 2022 12:23:38 AM CST.
Package firewalld-0.7.0-5.el8.noarch is already installed.
Dependencies resolved.
================================================================================
 Package                 Architecture  Version             Repository   Size
================================================================================
Upgrading:
 firewalld               noarch        0.9.3-7.el8         BaseOS      502 k
 firewalld-filesystem    noarch        0.9.3-7.el8         BaseOS       77 k
 libnftnl                x86_64        1.1.5-4.el8         BaseOS       83 k
 nftables                x86_64        1:0.9.3-21.el8      BaseOS      321 k
 python3-firewall        noarch        0.9.3-7.el8         BaseOS      432 k
Installing dependencies:
 python3-nftables        x86_64        1:0.9.3-21.el8      BaseOS       29 k

Transaction Summary
================================================================================
Install  1 Package
Upgrade  5 Packages

Total download size: 1.4 M
Is this ok [y/N]: y
Running transaction
  Preparing        :                                              1/1
  Running scriptlet: libnftnl-1.1.5-4.el8.x86_64                  1/1
  Upgrading        : libnftnl-1.1.5-4.el8.x86_64                 1/11
  Running scriptlet: libnftnl-1.1.5-4.el8.x86_64                 1/11
  Upgrading        : nftables-1:0.9.3-21.el8.x86_64              2/11
  Running scriptlet: nftables-1:0.9.3-21.el8.x86_64              2/11
  Installing       : python3-nftables-1:0.9.3-21.el8.x86_64      3/11
  Upgrading        : python3-firewall-0.9.3-7.el8.noarch         4/11
  Upgrading        : firewalld-filesystem-0.9.3-7.el8.noarch     5/11
  Upgrading        : firewalld-0.9.3-7.el8.noarch                6/11
warning: /etc/firewalld/firewalld.conf created as /etc/firewalld/firewalld.conf.rpmnew
  Running scriptlet: firewalld-0.9.3-7.el8.noarch                6/11
  Running scriptlet: firewalld-0.7.0-5.el8.noarch                7/11
  Cleanup          : firewalld-0.7.0-5.el8.noarch                7/11
  Running scriptlet: firewalld-0.7.0-5.el8.noarch                7/11
  Cleanup          : firewalld-filesystem-0.7.0-5.el8.noarch     8/11
  Cleanup          : python3-firewall-0.7.0-5.el8.noarch         9/11
  Running scriptlet: nftables-1:0.9.0-14.el8.x86_64             10/11
  Cleanup          : nftables-1:0.9.0-14.el8.x86_64             10/11
  Running scriptlet: nftables-1:0.9.0-14.el8.x86_64             10/11
  Cleanup          : libnftnl-1.1.1-4.el8.x86_64                11/11
  Running scriptlet: libnftnl-1.1.1-4.el8.x86_64                11/11
  Verifying        : python3-nftables-1:0.9.3-21.el8.x86_64      1/11
  Verifying        : firewalld-0.9.3-7.el8.noarch                2/11
  Verifying        : firewalld-0.7.0-5.el8.noarch                3/11
  Verifying        : firewalld-filesystem-0.9.3-7.el8.noarch     4/11
  Verifying        : firewalld-filesystem-0.7.0-5.el8.noarch     5/11
  Verifying        : libnftnl-1.1.5-4.el8.x86_64                 6/11
  Verifying        : libnftnl-1.1.1-4.el8.x86_64                 7/11
  Verifying        : nftables-1:0.9.3-21.el8.x86_64              8/11
  Verifying        : nftables-1:0.9.0-14.el8.x86_64              9/11
  Verifying        : python3-firewall-0.9.3-7.el8.noarch        10/11
  Verifying        : python3-firewall-0.7.0-5.el8.noarch        11/11

Upgraded:
  firewalld-0.9.3-7.el8.noarch            firewalld-filesystem-0.9.3-7.el8.noarch
  libnftnl-1.1.5-4.el8.x86_64             nftables-1:0.9.3-21.el8.x86_64
  python3-firewall-0.9.3-7.el8.noarch
Installed:
  python3-nftables-1:0.9.3-21.el8.x86_64

Complete!
4. Testing and verification
Try to connect from a foreign IP address to confirm that the rules work.
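Two checks worth running around steps 3.2 and 3.3, as an added example that is not part of the original post: validate the downloaded list before handing it to --add-entries-from-file, and test offline whether a given client address falls inside one of the listed ranges. It assumes the list is one IPv4 CIDR per line (as china_ip_list.txt above is) and uses only POSIX sh; the embedded sample list is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): validate the CIDR list before
# --add-entries-from-file and test offline whether an address falls in one of
# the networks. The sample list is constructed; in practice use china_ip_list.txt.

# Dotted quad -> 32-bit integer (POSIX sh only, IFS scoped to read).
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Keep only well-formed IPv4 CIDR lines: a hash:net set takes network prefixes
# only, and one malformed line makes firewall-cmd reject the whole file.
valid_cidrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' "$1"
}
count_valid() { valid_cidrs "$1" | wc -l | tr -d ' '; }

# Return 0 if address $1 lies inside any CIDR in file $2, else 1.
# (--query-entry matches the entry text exactly, so it cannot tell you whether
# a single client address is covered by some range; this check can.)
in_cidr_file() {
    ip=$(ip2int "$1")
    for cidr in $(valid_cidrs "$2"); do
        net=${cidr%/*}; bits=${cidr#*/}
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
        [ $(( ip & mask )) -eq $(( $(ip2int "$net") & mask )) ] && return 0
    done
    return 1
}

# Constructed sample in the download's one-entry-per-line format.
SAMPLE_LIST=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
1.0.1.0/24
1.0.2.0/23
36.0.0.0/8
this line is not a CIDR
222.255.0.0/16
EOF

echo "valid entries: $(count_valid "$SAMPLE_LIST") of $(wc -l < "$SAMPLE_LIST")"
for probe in 36.12.34.56 1.0.3.255 8.8.8.8; do
    if in_cidr_file "$probe" "$SAMPLE_LIST"; then echo "$probe: covered, accepted"
    else echo "$probe: not covered, dropped"; fi
done
```

On the firewall host, compare count_valid against `firewall-cmd --permanent --ipset=china_ip --get-entries | wc -l` to confirm every line of the list was actually loaded.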