
I want to allow access from only certain IP ranges on my CentOS 7.3 server, using firewalld. So here are my firewall rules:

firewall-cmd  --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="x.x.x.x/22" port port="80" protocol="tcp" accept
        rule family="ipv4" source address="192.168.209.0/24" port port="80" protocol="tcp" accept
        rule family="ipv4" source address="1.2.3.4/32" port port="80" protocol="tcp" reject
        rule family="ipv4" source address="0.0.0.0/0" port port="80" protocol="tcp" reject

But I can still access it from xxxx on port 80, and I don't understand why.

Using iptables, here is what was created from my firewalld config:

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     tcp  --  x.x.x.x/22      anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  X.X.X.X/16        anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  ipgg.sdv.fr          anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  x.x.x.x/24       anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  x.x.x.x/24     anywhere             tcp dpt:http ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination
REJECT     tcp  --  ns3098611.ip-94-23-44.eu  anywhere             tcp dpt:http ctstate NEW reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW reject-with icmp-port-unreachable

But it never seems to be considered. Instead, I think this rule is applied first:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

I started over from scratch; here is my history:

1208 service docker stop
1209 sudo iptables -P INPUT ACCEPT
1210 sudo iptables -P FORWARD ACCEPT
1211 sudo iptables -P OUTPUT ACCEPT
1214 iptables -F
1215 iptables -X
1216 iptables -L
1217 service docker start
1221 firewall-cmd --list-all

I only see traffic going through Chain INPUT:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  513 38048 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 2698  382K INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2698  382K INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2698  382K INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    3   132 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 2691  382K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

1 Answer


Your default policy is ACCEPT, so unless there is a drop or reject rule, everything gets accepted. But, more importantly, your first rule appears to explicitly allow traffic from xxxx to port 80?

You could also check IPv6; all of your rules are for IPv4, so if IPv6 is active it may be wide open.

Answered 2017-01-04T13:53:52.253
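As an added illustration (not part of the question or the answer above), here is a small first-match model of the INPUT chain from the question, in Python: the stray `ACCEPT all -- anywhere anywhere` rule returns a verdict before the zone chains are ever consulted, and once that rule is narrowed to the loopback interface (as in the rebuilt listing), the `0.0.0.0/0` reject rich rule is hit before any accept rule, because firewalld's zone chain jumps to IN_public_deny before IN_public_allow. Chain contents are constructed from the listings in the question; the deny-before-allow order is firewalld's own (the 0.4.x releases shipped with CentOS 7).

```python
import ipaddress

# Constructed model of the chains shown in the question (not real iptables
# output). A rule only constrains the fields it names; "ctstate" is a set.
BROKEN_INPUT = [
    {"target": "ACCEPT", "ctstate": {"RELATED", "ESTABLISHED"}},
    {"target": "ACCEPT"},                 # the stray "ACCEPT all anywhere anywhere"
    {"target": "IN_public_deny"},
    {"target": "IN_public_allow"},
    {"target": "REJECT"},
]
FIXED_INPUT = [
    {"target": "ACCEPT", "ctstate": {"RELATED", "ESTABLISHED"}},
    {"target": "ACCEPT", "iface": "lo"},  # loopback only, as in the rebuilt listing
    {"target": "IN_public_deny"},         # firewalld: deny chain runs before allow
    {"target": "IN_public_allow"},
    {"target": "REJECT"},
]
ZONE = {  # rich rules from the question, as firewalld splits them
    "IN_public_deny": [
        {"target": "REJECT", "proto": "tcp", "src": "1.2.3.4/32", "dport": 80},
        {"target": "REJECT", "proto": "tcp", "src": "0.0.0.0/0", "dport": 80},
    ],
    "IN_public_allow": [
        {"target": "ACCEPT", "proto": "tcp", "dport": 22},
        {"target": "ACCEPT", "proto": "tcp", "src": "192.168.209.0/24", "dport": 80},
    ],
}

def new_tcp(src, dport, iface="ens160"):
    """A constructed NEW-state TCP packet arriving on the given interface."""
    return {"src": src, "proto": "tcp", "dport": dport, "ctstate": "NEW", "iface": iface}

def matches(rule, pkt):
    """True when every constraint the rule names matches the packet."""
    for key in ("iface", "proto", "dport"):
        if key in rule and rule[key] != pkt[key]:
            return False
    if "ctstate" in rule and pkt["ctstate"] not in rule["ctstate"]:
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    return True

def verdict(chain, pkt, chains=ZONE):
    """First match wins; a user chain with no match returns to the caller."""
    for rule in chain:
        if not matches(rule, pkt):
            continue
        if rule["target"] in chains:
            sub = verdict(chains[rule["target"]], pkt, chains)
            if sub is not None:
                return sub
        else:
            return rule["target"]
    return None
```

With the broken chain an outside host gets ACCEPT on port 80 from rule 2; with the fixed chain it is rejected, but so is 192.168.209.0/24, since the catch-all reject rich rule is evaluated before the accept rules and is redundant with the zone's own final REJECT.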