# Practical use of the firewalld firewall on Linux (blocking access from overseas / foreign IPs)

男娘i 2023-10-07 19:29

#### Table of contents ####

* 1. Preface
* 2. ipset basics
  * 2.1 Creating, deleting and listing ipsets
  * 2.2 Modifying the addresses in an ipset
  * 2.3 Other ipset queries
* 3. Practical walkthrough
  * 3.1 Download the Chinese IP ranges
  * 3.2 Create the ipset
  * 3.3 Add the rules
  * 3.4 Be a little patient
* 4. Testing and verification

## 1. Preface ##

> * This article goes straight to a practical use of firewalld on Linux: blocking access from overseas (foreign) IPs.
> * For the basics, see: [Basic firewalld operations on Linux][Linux_firewalld]
> * For advanced topics, see: [Advanced firewalld operations on Linux (saving logs, IP ranges, the ssh service)][Linux_firewalld_ IP_ ssh]
> * For another practical walkthrough, see: [Practical firewalld on Linux (opening ports to the outside, restricting internal ports to specific IPs, closing unused ports by default)][Linux_firewalld_ip]
> * For this practical walkthrough, see: [Practical firewalld on Linux (blocking access from overseas / foreign IPs)][Linux_firewalld_IP]

## 2. ipset basics ##

* An ipset is a set of IP addresses (or, with the hash:net type, of networks).
* Through an ipset, firewalld can match many addresses in a single rule, which performs better and is easier to manage than one rule per address.
* firewalld stores its permanent ipsets under /etc/firewalld/ipsets/.

### 2.1 Creating, deleting and listing ipsets ###

```shell
# Create an ipset; --type=hash:ip makes it a set of single addresses (duplicate IPs are not allowed)
firewall-cmd --permanent --new-ipset=china_ip --type=hash:ip
# Delete an ipset
firewall-cmd --permanent --delete-ipset=china_ip
# List all ipsets
firewall-cmd --permanent --get-ipsets
```

### 2.2 Modifying the addresses in an ipset ###

```shell
# Add one IP to the ipset
firewall-cmd --permanent --ipset=china_ip --add-entry=121.122.123.105
# Add IPs to the ipset from a file (one entry per line)
firewall-cmd --permanent --ipset=china_ip --add-entries-from-file=china_ip_list.txt
# Remove an IP from the ipset
firewall-cmd --permanent --ipset=china_ip --remove-entry=121.122.123.105
# Check whether an IP is present in the ipset
firewall-cmd --permanent --ipset=china_ip --query-entry=121.122.123.105
# Apply the permanent configuration to the running firewall
firewall-cmd --reload
```

### 2.3 Other ipset queries ###

```shell
# Look at the saved ipset file
more /etc/firewalld/ipsets/china_ip.xml
# Print the path of the ipset file
firewall-cmd --path-ipset=china_ip --permanent
# Print the ipset's settings
firewall-cmd --info-ipset=china_ip --permanent
# Print all entries of the ipset
firewall-cmd --ipset=china_ip --get-entries --permanent
```

## 3. Practical walkthrough ##

* There are two ways to block access from overseas IPs:
  * allow all IPs, then block foreign IPs;
  * block all IPs, then allow domestic IPs.
* Blocking everything and allowing domestic IPs is the easier of the two, because a list of domestic (Chinese) IP ranges is much easier to collect than a list of every foreign range.

### 3.1 Download the Chinese IP ranges ###

```text
[root@iZ2ze30dygwd6yh7gu6lskZ home]# wget https://www.isres.com/china_ip_list.txt
--2022-08-15 11:46:01--  https://www.isres.com/china_ip_list.txt
Resolving www.isres.com (www.isres.com)... 45.136.15.104
Connecting to www.isres.com (www.isres.com)|45.136.15.104|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 95267 (93K) [text/plain]
Saving to: ‘china_ip_list.txt’

china_ip_list.txt   100%[===========================>]  93.03K   419KB/s    in 0.2s

2022-08-15 11:46:02 (419 KB/s) - ‘china_ip_list.txt’ saved [95267/95267]
```

The list comes from a third-party site and becomes the firewall's allow-list exactly as downloaded, so look through it (it should hold one IPv4 CIDR per line) before loading it.

### 3.2 Create the ipset ###

```shell
# The type is hash:net this time, because the downloaded list holds CIDR ranges rather than single addresses
firewall-cmd --permanent --new-ipset=china_ip --type=hash:net
firewall-cmd --permanent --ipset=china_ip --add-entries-from-file=china_ip_list.txt
```

### 3.3 Add the rules ###

```shell
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=80 protocol=tcp accept'
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=8080 protocol=tcp accept'
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=443 protocol=tcp accept'
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=8443 protocol=tcp accept'
firewall-cmd --reload
```

These rich rules only work as an allow-list if ports 80, 8080, 443 and 8443 are not also opened to everyone in the zone (for example with --add-port); a source outside china_ip then falls through to the zone's default handling and is not accepted.

### 3.4 Be a little patient ###

* When firewalld has to process a large number of IPs it appears to hang; give it some time. You may see:

```text
ERROR:dbus.proxies:Introspect error on :1.32902:/org/fedoraproject/FirewallD1/config: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
```
* If you hit an error instead, try upgrading firewalld:

```text
[root@iZ2ze30dygwd6yh7gu6lskZ home]# firewall-cmd --reload
Error: COMMAND_FAILED: '/usr/sbin/nft insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public' failed: Error: Could not process rule: No such file or directory
insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root@iZ2ze30dygwd6yh7gu6lskZ home]# systemctl stop firewalld
[root@iZ2ze30dygwd6yh7gu6lskZ home]# yum install firewalls
CentOS-8 - AppStream                                   764 kB/s | 4.3 kB     00:00
CentOS-8 - Base                                        148 kB/s | 3.9 kB     00:00
CentOS-8 - Extras                                       55 kB/s | 1.5 kB     00:00
Extra Packages for Enterprise Linux 8 - x86_64         135 kB/s | 4.7 kB     00:00
No match for argument: firewalls
Error: Unable to find a match: firewalls
[root@iZ2ze30dygwd6yh7gu6lskZ home]# yum install firewalld
Last metadata expiration check: 0:00:04 ago on Wed 17 Aug 2022 12:23:38 AM CST.
Package firewalld-0.7.0-5.el8.noarch is already installed.
Dependencies resolved.
================================================================================
 Package               Architecture  Version            Repository   Size
================================================================================
Upgrading:
 firewalld             noarch        0.9.3-7.el8        BaseOS      502 k
 firewalld-filesystem  noarch        0.9.3-7.el8        BaseOS       77 k
 libnftnl              x86_64        1.1.5-4.el8        BaseOS       83 k
 nftables              x86_64        1:0.9.3-21.el8     BaseOS      321 k
 python3-firewall      noarch        0.9.3-7.el8        BaseOS      432 k
Installing dependencies:
 python3-nftables      x86_64        1:0.9.3-21.el8     BaseOS       29 k

Transaction Summary
================================================================================
Install  1 Package
Upgrade  5 Packages

Total download size: 1.4 M
Is this ok [y/N]: y
Downloading Packages:
(1/6): python3-nftables-0.9.3-21.el8.x86_64.rpm       334 kB/s |  29 kB     00:00
(2/6): firewalld-filesystem-0.9.3-7.el8.noarch.rpm    853 kB/s |  77 kB     00:00
(3/6): firewalld-0.9.3-7.el8.noarch.rpm               4.5 MB/s | 502 kB     00:00
(4/6): libnftnl-1.1.5-4.el8.x86_64.rpm                1.2 MB/s |  83 kB     00:00
(5/6): python3-firewall-0.9.3-7.el8.noarch.rpm        5.1 MB/s | 432 kB     00:00
(6/6): nftables-0.9.3-21.el8.x86_64.rpm               2.7 MB/s | 321 kB     00:00
--------------------------------------------------------------------------------
Total                                                 6.8 MB/s | 1.4 MB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Running scriptlet: libnftnl-1.1.5-4.el8.x86_64                            1/1
  Upgrading        : libnftnl-1.1.5-4.el8.x86_64                           1/11
  Running scriptlet: libnftnl-1.1.5-4.el8.x86_64                           1/11
  Upgrading        : nftables-1:0.9.3-21.el8.x86_64                        2/11
  Running scriptlet: nftables-1:0.9.3-21.el8.x86_64                        2/11
  Installing       : python3-nftables-1:0.9.3-21.el8.x86_64                3/11
  Upgrading        : python3-firewall-0.9.3-7.el8.noarch                   4/11
  Upgrading        : firewalld-filesystem-0.9.3-7.el8.noarch               5/11
  Upgrading        : firewalld-0.9.3-7.el8.noarch                          6/11
warning: /etc/firewalld/firewalld.conf created as /etc/firewalld/firewalld.conf.rpmnew
  Running scriptlet: firewalld-0.9.3-7.el8.noarch                          6/11
  Running scriptlet: firewalld-0.7.0-5.el8.noarch                          7/11
  Cleanup          : firewalld-0.7.0-5.el8.noarch                          7/11
  Running scriptlet: firewalld-0.7.0-5.el8.noarch                          7/11
  Cleanup          : firewalld-filesystem-0.7.0-5.el8.noarch               8/11
  Cleanup          : python3-firewall-0.7.0-5.el8.noarch                   9/11
  Running scriptlet: nftables-1:0.9.0-14.el8.x86_64                       10/11
  Cleanup          : nftables-1:0.9.0-14.el8.x86_64                       10/11
  Running scriptlet: nftables-1:0.9.0-14.el8.x86_64                       10/11
  Cleanup          : libnftnl-1.1.1-4.el8.x86_64                          11/11
  Running scriptlet: libnftnl-1.1.1-4.el8.x86_64                          11/11
  Verifying        : python3-nftables-1:0.9.3-21.el8.x86_64                1/11
  Verifying        : firewalld-0.9.3-7.el8.noarch                          2/11
  Verifying        : firewalld-0.7.0-5.el8.noarch                          3/11
  Verifying        : firewalld-filesystem-0.9.3-7.el8.noarch               4/11
  Verifying        : firewalld-filesystem-0.7.0-5.el8.noarch               5/11
  Verifying        : libnftnl-1.1.5-4.el8.x86_64                           6/11
  Verifying        : libnftnl-1.1.1-4.el8.x86_64                           7/11
  Verifying        : nftables-1:0.9.3-21.el8.x86_64                        8/11
  Verifying        : nftables-1:0.9.0-14.el8.x86_64                        9/11
  Verifying        : python3-firewall-0.9.3-7.el8.noarch                  10/11
  Verifying        : python3-firewall-0.7.0-5.el8.noarch                  11/11

Upgraded:
  firewalld-0.9.3-7.el8.noarch             firewalld-filesystem-0.9.3-7.el8.noarch
  libnftnl-1.1.5-4.el8.x86_64              nftables-1:0.9.3-21.el8.x86_64
  python3-firewall-0.9.3-7.el8.noarch
Installed:
  python3-nftables-1:0.9.3-21.el8.x86_64

Complete!
```

* The upgrade took firewalld from 0.7.0 to 0.9.3 (and nftables to 0.9.3) and kept the existing /etc/firewalld/firewalld.conf, saving the new package default as firewalld.conf.rpmnew. firewalld was stopped before the upgrade, so start it again with `systemctl start firewalld` and re-run `firewall-cmd --reload`.

## 4. Testing and verification ##

Grab a foreign IP and test from it: a connection from an address that is not in china_ip should fail on ports 80, 8080, 443 and 8443, while one from a listed address gets through.

[Linux_firewalld]: https://blog.csdn.net/kangweijian/article/details/126325809
[Linux_firewalld_ IP_ ssh]: https://blog.csdn.net/kangweijian/article/details/126347125
[Linux_firewalld_ip]: https://blog.csdn.net/kangweijian/article/details/126336737
[Linux_firewalld_IP]: https://blog.csdn.net/kangweijian/article/details/126342726
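An added example (not from the original post, and not part of firewalld): it validates the list downloaded in step 3.1 before step 3.2 loads it, dropping malformed or duplicate lines, since whatever is in that file becomes the allow-list; it also answers offline whether an address falls inside one of the prefixes, a quick pre-check before the live test above. The sample list and the function names are the example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: sanity-check a downloaded
# china_ip_list.txt before feeding it to firewall-cmd, and test offline
# whether an address is covered by one of its prefixes.
# Assumption: one IPv4 CIDR (a.b.c.d/n) per line, as in the post's list.

# Print only well-formed, deduplicated IPv4 CIDR lines (octets 0-255,
# prefix 0-32); a corrupted or tampered line is dropped, never loaded.
clean_cidr_list() {
    awk -F'[./]' '{ sub(/\r$/, "") }
        NF == 5 && $5 ~ /^[0-9]+$/ && $5 <= 32 {
            ok = 1
            for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
            if (ok && !seen[$0]++) print
        }' "$1"
}

# Dotted quad -> 32-bit integer.
ip_to_int() {
    local a b c d
    IFS=. read -r a b c d <<< "$1"
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Return 0 if address $1 lies inside any prefix of the cleaned list file $2.
ip_in_list() {
    local addr net bits mask
    addr=$(ip_to_int "$1")
    while IFS=/ read -r net bits; do
        mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
        if (( (addr & mask) == ($(ip_to_int "$net") & mask) )); then
            return 0
        fi
    done < "$2"
    return 1
}

# Constructed sample list (not the real download): two valid prefixes plus a
# malformed line, an out-of-range octet and a duplicate, which must all go.
SAMPLE=$(mktemp); CLEAN=$(mktemp)
printf '%s\n' '1.0.1.0/24' '36.0.0.0/10' 'not-a-cidr' '999.1.1.1/8' '1.0.1.0/24' > "$SAMPLE"
clean_cidr_list "$SAMPLE" > "$CLEAN"

# Loading the cleaned file is then step 3.2 of the post, unchanged:
#   firewall-cmd --permanent --new-ipset=china_ip --type=hash:net
#   firewall-cmd --permanent --ipset=china_ip --add-entries-from-file="$CLEAN"
#   firewall-cmd --reload
ip_in_list 1.0.1.77 "$CLEAN" && echo "1.0.1.77 is covered by the list"
ip_in_list 8.8.8.8 "$CLEAN" || echo "8.8.8.8 is not covered (would be dropped)"
```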