On my new CentOS 7 box I'm trying to use the "new" firewalld, but I can't get dropped connection attempts logged. Does anyone know the trick?
I tried:
firewall-cmd --zone=public --remove-service=ssh
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.1.2.0/24" port port="22" protocol="tcp" log prefix="SSH-ALLOW_" accept'
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.3.4.0/24" port port="22" protocol="tcp" log prefix="SSH-ALLOW_" accept'
[here comes a VERY VERY long list of similar entries]
Now the question is: how do I specify a log entry for connection attempts from IPs that are not allowed? Something like this non-working rule:
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="NOT-ONE-OF-THE-ABOVE" port port="22" protocol="tcp" log prefix="SSH-DENY_" drop'
Any ideas?
Answer 0: (score: 0)
Almost. In both cases, invert address parameter.
For your example including the two shown subnets, change your original:
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="NOT-ONE-OF-THE-ABOVE" port port="22" protocol="tcp" log prefix="SSH-DENY_" drop'
To these:
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.1.2.0/24" invert=true port port="22" protocol="tcp" log prefix="SSH-DENY_" drop'
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.3.4.0/24" invert=true port port="22" protocol="tcp" log prefix="SSH-DENY_" drop'
This results in the following iptables rules being created by firewalld:
# iptables -S | grep _public_log
-A IN_public -j IN_public_log
-A IN_public_log ! -s 10.1.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j LOG --log-prefix SSH-DENY_
-A IN_public_log ! -s 10.3.4.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j LOG --log-prefix SSH-DENY_
The difference between the two rules in iptables speak is the '!' representing the logical operator "Not". Your original rule to iptables:
-A IN_public_deny -s 10.1.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j DROP
-A IN_public_log -s 10.1.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j LOG --log-prefix SSH-DENY_
HTH.
Answer 1: (score: 0)
I know this is an old post and my solution doesn't directly address logging for a specific port, but I kept searching for logging with firewalld. There are many old posts and blogs trying to solve this.
Red Hat's update should be more public than just for subscribers:
Upgrade to firewalld-0.4.3.2-8.el7 from Errata RHSA-2016:2597
Specify which packets should be logged:
firewall-cmd --set-log-denied=value, where value can be one of: all, unicast, broadcast, multicast, off
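As an added example that is not part of either answer: once the prefixed rich rules above or --set-log-denied are in place, the LOG target writes one kernel-log line per matching packet, and this Python script parses constructed lines of that format, counts dropped port-22 attempts per source address and lists the sources that cross a threshold. The sample lines, the "FINAL_REJECT:" prefix assumed for --set-log-denied hits, and the threshold are assumptions, not values taken from the answers.

```python
import re
from collections import Counter

# Constructed sample lines in the format the iptables LOG target writes to the
# kernel log (journalctl -k / dmesg). "SSH-DENY_" is glued to "IN=" because the
# rich-rule prefix has no trailing space; "FINAL_REJECT: " is an ASSUMED prefix
# for firewalld's --set-log-denied rules, and the last line is unrelated noise.
SAMPLE_LOG = """\
Mar 10 12:00:01 host kernel: SSH-DENY_IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=10.1.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=50123 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:02 host kernel: SSH-ALLOW_IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.2.33 DST=10.1.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:03 host kernel: SSH-DENY_IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=10.1.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4322 DF PROTO=TCP SPT=50124 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:04 host kernel: SSH-DENY_IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=10.1.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9 DF PROTO=TCP SPT=33000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:05 host kernel: SSH-DENY_IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=10.1.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4323 DF PROTO=TCP SPT=50125 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:06 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=10.1.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=77 DF PROTO=TCP SPT=1234 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:07 host kernel: usb 1-1: new high-speed USB device number 2
"""

# One regex for every LOG line: the prefix is whatever sits between "kernel: "
# and the first "IN=" field, so rich-rule and --set-log-denied lines both match.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>.*?)IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) .*?"
    r"PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

def parse_log(text):
    """Return one dict per firewall LOG line; other kernel lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            d["prefix"] = d["prefix"].strip()
            d["dpt"] = int(d["dpt"])
            entries.append(d)
    return entries

def denied_by_source(entries, deny_prefixes=("SSH-DENY_", "FINAL_REJECT:"), dport=22):
    """Count logged-and-dropped attempts against dport, keyed by source address."""
    return Counter(e["src"] for e in entries
                   if e["prefix"] in deny_prefixes and e["dpt"] == dport)

def noisy_sources(counts, threshold=3):
    """Sources at or above the threshold, most active first (review candidates)."""
    return [(src, n) for src, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for src, n in noisy_sources(denied_by_source(parse_log(SAMPLE_LOG))):
        print(f"{src}: {n} denied SSH attempts")
```

On a real host, feed it `journalctl -k --no-pager` output instead of SAMPLE_LOG; allowed (SSH-ALLOW_) lines are parsed but never counted as denials.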