On centos 7.3

Time: 2017-01-04 13:40:24

Tags: iptables centos7 firewalld

I want to allow http access only from certain IP ranges on my centos 7.3 server using firewalld. So here are my firewalld rules

firewall-cmd  --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="x.x.x.x/22" port port="80" protocol="tcp" accept
        rule family="ipv4" source address="192.168.209.0/24" port port="80" protocol="tcp" accept
        rule family="ipv4" source address="1.2.3.4/32" port port="80" protocol="tcp" reject
        rule family="ipv4" source address="0.0.0.0/0" port port="80" protocol="tcp" reject

But I can still access from x.x.x.x on port 80 and I don't understand why

Using iptables, here is what was created from the firewalld conf

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     tcp  --  x.x.x.x/22      anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  X.X.X.X/16        anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  ipgg.sdv.fr          anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  x.x.x.x/24       anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  x.x.x.x/24     anywhere             tcp dpt:http ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination
REJECT     tcp  --  ns3098611.ip-94-23-44.eu  anywhere             tcp dpt:http ctstate NEW reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW reject-with icmp-port-unreachable

But it never seems to be considered. Instead, I think this rule is applied first

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

I started from scratch, here is my history

1208 service docker stop
1209 sudo iptables -P INPUT ACCEPT
1210 sudo iptables -P FORWARD ACCEPT
1211 sudo iptables -P OUTPUT ACCEPT
1214 iptables -F
1215 iptables -X
1216 iptables -L
1217 service docker start
1221 firewall-cmd --list-all

I only see traffic going through Chain INPUT

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  513 38048 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 2698  382K INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2698  382K INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2698  382K INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    3   132 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 2691  382K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
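The outcome depends on the order in which the chains listed above are traversed. The following is an added Python model of that chain layout, not code from the post; it assumes the firewalld 0.4 (CentOS 7) ordering in which IN_public consults IN_public_deny before IN_public_allow, and uses a constructed 203.0.112.0/22 in place of the masked x.x.x.x/22.

```python
import ipaddress

# Constructed stand-ins for the post's masked x.x.x.x/22 range.
ALLOWED_NETS = ["203.0.112.0/22", "192.168.209.0/24"]
TERMINAL = {"ACCEPT", "REJECT", "DROP"}

def public_zone_chains(catch_all_reject=True):
    """Chain layout firewalld 0.4 (CentOS 7) builds for zone 'public'.
    Rule = (source_cidr, dport or None, target); a target that is not a
    verdict is a jump. Assumption: IN_public jumps to _log, _deny, _allow
    in that order, so a matching deny rule wins over any allow rule."""
    deny = [("1.2.3.4/32", 80, "REJECT")]
    if catch_all_reject:
        deny.append(("0.0.0.0/0", 80, "REJECT"))  # the post's last rich rule
    return {
        # ESTABLISHED/lo rules omitted: a NEW packet from outside skips them
        "INPUT": [("0.0.0.0/0", None, "INPUT_ZONES"),
                  ("0.0.0.0/0", None, "REJECT")],  # icmp-host-prohibited
        "INPUT_ZONES": [("0.0.0.0/0", None, "IN_public")],
        "IN_public": [("0.0.0.0/0", None, "IN_public_log"),
                      ("0.0.0.0/0", None, "IN_public_deny"),
                      ("0.0.0.0/0", None, "IN_public_allow")],
        "IN_public_log": [],
        "IN_public_deny": deny,
        "IN_public_allow": [("0.0.0.0/0", 22, "ACCEPT")]
                           + [(net, 80, "ACCEPT") for net in ALLOWED_NETS],
    }

def walk(chains, chain, src, dport):
    """Top-down match of a NEW tcp packet; first verdict wins. Falling off
    the end of a user chain returns None and the calling chain continues."""
    ip = ipaddress.ip_address(src)
    for cidr, port, target in chains[chain]:
        if ip not in ipaddress.ip_network(cidr, strict=False) or (port is not None and port != dport):
            continue
        if target in TERMINAL:
            return target
        result = walk(chains, target, src, dport)
        if result is not None:
            return result
    return None

def verdict(src, dport, catch_all_reject=True):
    """Verdict for a packet entering INPUT; 'POLICY' if no rule matched."""
    return walk(public_zone_chains(catch_all_reject), "INPUT", src, dport) or "POLICY"

if __name__ == "__main__":
    for src in ("203.0.113.7", "192.168.209.9", "198.51.100.1"):
        print(src, verdict(src, 80), verdict(src, 80, catch_all_reject=False))
```

With the catch-all 0.0.0.0/0 reject rich rule in place, every new port-80 connection is rejected in IN_public_deny before the allow rules are ever reached; removing that rule lets the listed ranges through while every other source falls to the zone's final REJECT in INPUT.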

1 answer:

Answer 0: (score: 0)

Your default policy is ACCEPT, so unless there is a drop or reject rule, everything will be accepted. But, more importantly, your first rule seems to specifically allow traffic from x.x.x.x to port 80?

You could also check ipv6; all the rules are for ipv4, so if ipv6 is active it may be wide open.