I want to use firewalld to allow HTTP access to my CentOS 7.3 server only from certain IP ranges. So here are my firewalld rules:
firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="x.x.x.x/22" port port="80" protocol="tcp" accept
rule family="ipv4" source address="192.168.209.0/24" port port="80" protocol="tcp" accept
rule family="ipv4" source address="1.2.3.4/32" port port="80" protocol="tcp" reject
rule family="ipv4" source address="0.0.0.0/0" port port="80" protocol="tcp" reject
But I can still reach port 80 from x.x.x.x, and I don't understand why.
Using iptables, here is what was created from the firewalld config:
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
ACCEPT tcp -- x.x.x.x/22 anywhere tcp dpt:http ctstate NEW
ACCEPT tcp -- X.X.X.X/16 anywhere tcp dpt:http ctstate NEW
ACCEPT tcp -- ipgg.sdv.fr anywhere tcp dpt:http ctstate NEW
ACCEPT tcp -- x.x.x.x/24 anywhere tcp dpt:http ctstate NEW
ACCEPT tcp -- x.x.x.x/24 anywhere tcp dpt:http ctstate NEW
Chain IN_public_deny (1 references)
target prot opt source destination
REJECT tcp -- ns3098611.ip-94-23-44.eu anywhere tcp dpt:http ctstate NEW reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:http ctstate NEW reject-with icmp-port-unreachable
But it never seems to be taken into account. Instead, I think this rule is applied first:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
I started over from scratch; here is my history:
1208 service docker stop
1209 sudo iptables -P INPUT ACCEPT
1210 sudo iptables -P FORWARD ACCEPT
1211 sudo iptables -P OUTPUT ACCEPT
1214 iptables -F
1215 iptables -X
1216 iptables -L
1217 service docker start
1221 firewall-cmd --list-all
I only see traffic going through Chain INPUT:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
513 38048 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2698 382K INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
2698 382K INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
2698 382K INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
3 132 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
2691 382K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Answer 0 (score: 0)
Your default policy is ACCEPT, so everything will be accepted unless there is a drop or reject rule. But more importantly, your first rule seems to specifically allow traffic from x.x.x.x to port 80?
You could also check IPv6: all the rules are for IPv4, so if IPv6 is active it may be wide open.
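Added example, not from the question or the answer: a Python first-match model of the chains listed in the question, which shows that the stray 'ACCEPT all' in the first INPUT listing accepts port 80 before any zone rule runs, and that after the rebuild the 0.0.0.0/0 reject rich rule, which firewalld places in IN_public_deny, also rejects the ranges meant to be allowed. It assumes IN_public jumps to the deny chain before the allow chain (the layout of firewalld's iptables backend), collapses INPUT_direct/INPUT_ZONES_SOURCE/INPUT_ZONES into one jump to IN_public, and uses constructed test addresses.

```python
# Assumed model of iptables first-match traversal, written for this page; not firewalld code.
from ipaddress import ip_address, ip_network

TERMINAL = {"ACCEPT", "REJECT", "DROP"}

def matches(rule, pkt):
    """Every key of the rule except 'target' must match the packet."""
    for key, want in rule.items():
        if key == "target":
            continue
        if key == "src":
            if ip_address(pkt["src"]) not in ip_network(want):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def walk(chains, name, pkt, policy=None):
    """First match wins; a user chain with no match falls through (returns None)."""
    for rule in chains[name]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        verdict = target if target in TERMINAL else walk(chains, target, pkt)
        if verdict is not None:
            return verdict
    return policy

# Zone chains as firewalld builds them from the rich rules in the question (constructed;
# assumption: deny is dispatched before allow, so the 0.0.0.0/0 reject always wins).
ZONE = {
    "IN_public": [{"target": "IN_public_deny"}, {"target": "IN_public_allow"}],
    "IN_public_deny": [
        {"src": "0.0.0.0/0", "proto": "tcp", "dport": 80, "state": "NEW", "target": "REJECT"}],
    "IN_public_allow": [
        {"proto": "tcp", "dport": 22, "state": "NEW", "target": "ACCEPT"},
        {"src": "192.168.209.0/24", "proto": "tcp", "dport": 80, "state": "NEW", "target": "ACCEPT"}],
}
# INPUT as first listed: a stray 'ACCEPT all' sits in front of the zone dispatch.
BROKEN = dict(ZONE, INPUT=[{"state": "ESTABLISHED", "target": "ACCEPT"},
                           {"target": "ACCEPT"}, {"target": "IN_public"}])
# INPUT after the rebuild: zone chains decide, then the catch-all REJECT.
REBUILT = dict(ZONE, INPUT=[{"state": "ESTABLISHED", "target": "ACCEPT"},
                            {"target": "IN_public"}, {"target": "REJECT"}])
# The fix: drop the 0.0.0.0/0 reject rich rule; INPUT's own catch-all REJECT already covers the rest.
FIXED = dict(REBUILT, IN_public_deny=[])

def verdict(chains, src, dport):
    """Verdict for a new inbound TCP connection from src to dport; INPUT policy is ACCEPT."""
    pkt = {"src": src, "proto": "tcp", "dport": dport, "state": "NEW"}
    return walk(chains, "INPUT", pkt, policy="ACCEPT")
```

With the BROKEN chains any source gets ACCEPT on port 80 without the zone chains ever being consulted, which matches the counters in the question; with REBUILT even 192.168.209.0/24 is rejected, and only FIXED yields the intended allow-list.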