Contents
1. Preface
2. ipset basics
2.1 Creating, deleting and listing ipsets
2.2 Adding and removing ipset entries
2.3 Other ipset queries
3. Hands-on
3.1 Download the China IP ranges
3.2 Create the IP set
3.3 Add the rules
3.4 Be patient
4. Test and verify
1. Preface
This article goes straight to a hands-on use of the firewalld firewall on Linux: blocking access from overseas (non-Chinese) IP addresses.
For the basics, see: Basic operation of the Linux firewalld firewall
For more advanced material, see: Advanced operation of the Linux firewalld firewall (saving logs, IP ranges, the ssh service)
For another hands-on case, see: Hands-on firewalld (opening ports externally, restricting internal ports to specific IP addresses, closing unused ports by default)
This hands-on case: Hands-on firewalld (blocking access from overseas IP addresses)
2. ipset basics
An ipset is a named set of IP addresses (or, depending on its type, of networks).
With an ipset, firewalld can match many addresses in a single rule, which is faster to evaluate and easier to manage than one rule per address.
firewalld stores its permanent ipset definitions under /etc/firewalld/ipsets/, one XML file per set.
2.1 Creating, deleting and listing ipsets
# Create a set. --type=hash:ip stores single addresses (no duplicates); use hash:net when the entries are CIDR ranges
firewall-cmd --permanent --new-ipset=china_ip --type=hash:ip
# Delete a set
firewall-cmd --permanent --delete-ipset=china_ip
# List all sets
firewall-cmd --permanent --get-ipsets
2.2 Adding and removing ipset entries
# Add one address to the set
firewall-cmd --permanent --ipset=china_ip --add-entry=121.122.123.105
# Add every line of a file to the set (one entry per line)
firewall-cmd --permanent --ipset=china_ip --add-entries-from-file=china_ip_list.txt
# Remove one address from the set
firewall-cmd --permanent --ipset=china_ip --remove-entry=121.122.123.105
# Ask whether exactly this entry has been added to the set
firewall-cmd --permanent --ipset=china_ip --query-entry=121.122.123.105
# --permanent changes only take effect after a reload
firewall-cmd --reload
2.3 Other ipset queries
# The permanent definition is plain XML and can simply be read
more /etc/firewalld/ipsets/china_ip.xml
# Print the path of the set's configuration file
firewall-cmd --path-ipset=china_ip --permanent
# Print the set's type, options and entries
firewall-cmd --info-ipset=china_ip --permanent
# Print only the entries
firewall-cmd --ipset=china_ip --get-entries --permanent
3. Hands-on
There are two ways to block foreign IP addresses:
allow every IP and deny the foreign ones (a denylist);
deny every IP and allow only domestic ones (an allowlist).
The second is the easier of the two, because a list of Chinese IP ranges is far easier to collect than a complete list of everything else.
It also fails closed: an address missing from the list is refused rather than admitted.
3.1 Download the China IP ranges
The list decides who may reach the server, so fetch it from a source you trust and look at its contents (one IPv4 CIDR per line is expected) before loading it into the firewall.
[root@iZ2ze30dygwd6yh7gu6lskZ home]# wget https://www.isres.com/china_ip_list.txt
--2022-08-15 11:46:01-- https://www.isres.com/china_ip_list.txt
Resolving www.isres.com (www.isres.com)... 45.136.15.104
Connecting to www.isres.com (www.isres.com)|45.136.15.104|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 95267 (93K) [text/plain]
Saving to: ‘china_ip_list.txt’
china_ip_list.txt 100%[==================================================================================================================>] 93.03K 419KB/s in 0.2s
2022-08-15 11:46:02 (419 KB/s) - ‘china_ip_list.txt’ saved [95267/95267]
3.2 Create the IP set
# hash:net is required here: the file holds CIDR ranges such as 1.0.1.0/24, which a hash:ip set (single addresses only) would reject
firewall-cmd --permanent --new-ipset=china_ip --type=hash:net
firewall-cmd --permanent --ipset=china_ip --add-entries-from-file=china_ip_list.txt
3.3 Add the rules
Each rich rule accepts one TCP port only when the source address is in china_ip; with no --zone given, the rules land in the default zone (normally public). A source that is not in the set falls through to the zone's default handling, which for public rejects the connection. Two things to check: the zone must not also open these ports, or the http/https services, to every source, otherwise the rich rules change nothing (confirm with firewall-cmd --list-all); and the rules are family="ipv4" only, so if the host is reachable over IPv6 that traffic is not covered by them.
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=80 protocol=tcp accept'
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=8080 protocol=tcp accept'
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=443 protocol=tcp accept'
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=8443 protocol=tcp accept'
firewall-cmd --reload
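The whole procedure of 3.1 to 3.3 as one script, added here as an example and not part of the original post: it validates the downloaded file before anything is loaded, creates the hash:net set only if it does not already exist, adds the four rich rules, and then warns if the zone also opens those ports (or the http/https services) to every source. Assumptions: the list is china_ip_list.txt in the current directory (override with LIST_FILE), the rules go to the default zone, firewall-cmd is in PATH, and the script only touches firewalld when APPLY_FIREWALL=1 is set; without it the functions are merely defined.

```shell
#!/bin/sh
# Added example (not from the original post): validate the downloaded list
# before loading it, then build the allowlist in firewalld.
# Assumptions: china_ip_list.txt holds one IPv4 CIDR per line; rules go to
# the default zone; firewall-cmd is in PATH. Set APPLY_FIREWALL=1 to apply.

IPSET_NAME="china_ip"
LIST_FILE="${LIST_FILE:-china_ip_list.txt}"
PORTS="80 8080 443 8443"

# is_ipv4_cidr A.B.C.D/N: succeed only for a well-formed IPv4 CIDR
# (four octets 0-255, prefix length 0-32, no leading zeros).
is_ipv4_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}
    plen=${1#*/}
    # digits and dots only, exactly three dots, no empty octet
    case "$addr" in
        ''|*[!0-9.]*|*..*|.*|*.|*.*.*.*.*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    o1=${addr%%.*}; rest=${addr#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
    for o in "$o1" "$o2" "$o3" "$o4"; do
        # "010" is ambiguous (decimal or octal) and not a canonical address
        case "$o" in 0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# filter_cidrs IN OUT: copy well-formed entries from IN to OUT. Blank lines,
# '#' comments and CRLF line endings are tolerated; anything else is reported
# on stderr and dropped. Returns 1 if any line was dropped.
filter_cidrs() {
    bad=0
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}
        case "$line" in ''|'#'*) continue ;; esac
        if is_ipv4_cidr "$line"; then
            printf '%s\n' "$line"
        else
            printf 'rejected: %s\n' "$line" >&2
            bad=$((bad + 1))
        fi
    done < "$1" > "$2"
    [ "$bad" -eq 0 ]
}

# apply_allowlist CLEANFILE: build the set (hash:net, because the entries are
# CIDR ranges) and accept the web ports only from it. Safe to re-run: the set
# is created only when missing, and re-adding an existing rule is harmless.
apply_allowlist() {
    if ! firewall-cmd --permanent --get-ipsets | tr ' ' '\n' | grep -qx "$IPSET_NAME"; then
        firewall-cmd --permanent --new-ipset="$IPSET_NAME" --type=hash:net
    fi
    firewall-cmd --permanent --ipset="$IPSET_NAME" --add-entries-from-file="$1"
    for p in $PORTS; do
        firewall-cmd --permanent --add-rich-rule \
            "rule family=\"ipv4\" source ipset=\"$IPSET_NAME\" port port=$p protocol=tcp accept"
    done
    firewall-cmd --reload
}

# check_zone: the rich rules are pointless if the zone already opens the same
# port, or the http/https service, to every source. Warn if it does.
check_zone() {
    open_ports=" $(firewall-cmd --list-ports) "
    open_services=" $(firewall-cmd --list-services) "
    for p in $PORTS; do
        case "$open_ports" in *" $p/tcp "*)
            printf 'WARNING: %s/tcp is open to all sources in the zone\n' "$p" >&2 ;;
        esac
    done
    case "$open_services" in *" http "*|*" https "*)
        printf 'WARNING: http/https service is open to all sources in the zone\n' >&2 ;;
    esac
}

# Only touch firewalld when explicitly asked.
if [ "${APPLY_FIREWALL:-0}" = 1 ]; then
    clean="${LIST_FILE%.txt}.clean.txt"
    filter_cidrs "$LIST_FILE" "$clean" || echo "some lines were dropped, see above" >&2
    apply_allowlist "$clean"
    check_zone
fi
```

Run it as `APPLY_FIREWALL=1 sh allowlist.sh` after the download; a rejected line means the file is not the plain CIDR list you expected and should be inspected before anything reaches the firewall.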
3.4 Be patient
firewalld can appear to hang while it loads a large number of entries; give it time. The dbus timeout below is what that looks like:
ERROR:dbus.proxies:Introspect error on :1.32902:/org/fedoraproject/FirewallD1/config: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
If the reload then fails with the nft error below, upgrading firewalld helped here (CentOS 8 shipped 0.7.0; 0.9.3 is available from BaseOS). Note that the upgrade below starts by stopping firewalld, and while it is stopped nothing filters traffic at all, so start it again (systemctl start firewalld) once the upgrade is complete. The first yum command below also mistypes the package name as firewalls; the correct name is firewalld.
[root@iZ2ze30dygwd6yh7gu6lskZ home]# firewall-cmd --reload
Error: COMMAND_FAILED: '/usr/sbin/nft insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public' failed: Error: Could not process rule: No such file or directory
insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root@iZ2ze30dygwd6yh7gu6lskZ home]# systemctl stop firewalld
[root@iZ2ze30dygwd6yh7gu6lskZ home]# yum install firewalls
CentOS-8 - AppStream 764 kB/s | 4.3 kB 00:00
CentOS-8 - Base 148 kB/s | 3.9 kB 00:00
CentOS-8 - Extras 55 kB/s | 1.5 kB 00:00
Extra Packages for Enterprise Linux 8 - x86_64 135 kB/s | 4.7 kB 00:00
No match for argument: firewalls
Error: Unable to find a match: firewalls
[root@iZ2ze30dygwd6yh7gu6lskZ home]# yum install firewalld
Last metadata expiration check: 0:00:04 ago on Wed 17 Aug 2022 12:23:38 AM CST.
Package firewalld-0.7.0-5.el8.noarch is already installed.
Dependencies resolved.
=============================================================================================================================================================================================================================================================================
Package Architecture Version Repository Size
=============================================================================================================================================================================================================================================================================
Upgrading:
firewalld noarch 0.9.3-7.el8 BaseOS 502 k
firewalld-filesystem noarch 0.9.3-7.el8 BaseOS 77 k
libnftnl x86_64 1.1.5-4.el8 BaseOS 83 k
nftables x86_64 1:0.9.3-21.el8 BaseOS 321 k
python3-firewall noarch 0.9.3-7.el8 BaseOS 432 k
Installing dependencies:
python3-nftables x86_64 1:0.9.3-21.el8 BaseOS 29 k
Transaction Summary
=============================================================================================================================================================================================================================================================================
Install 1 Package
Upgrade 5 Packages
Total download size: 1.4 M
Is this ok [y/N]: y
Downloading Packages:
(1/6): python3-nftables-0.9.3-21.el8.x86_64.rpm 334 kB/s | 29 kB 00:00
(2/6): firewalld-filesystem-0.9.3-7.el8.noarch.rpm 853 kB/s | 77 kB 00:00
(3/6): firewalld-0.9.3-7.el8.noarch.rpm 4.5 MB/s | 502 kB 00:00
(4/6): libnftnl-1.1.5-4.el8.x86_64.rpm 1.2 MB/s | 83 kB 00:00
(5/6): python3-firewall-0.9.3-7.el8.noarch.rpm 5.1 MB/s | 432 kB 00:00
(6/6): nftables-0.9.3-21.el8.x86_64.rpm 2.7 MB/s | 321 kB 00:00
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 6.8 MB/s | 1.4 MB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Running scriptlet: libnftnl-1.1.5-4.el8.x86_64 1/1
Upgrading : libnftnl-1.1.5-4.el8.x86_64 1/11
Running scriptlet: libnftnl-1.1.5-4.el8.x86_64 1/11
Upgrading : nftables-1:0.9.3-21.el8.x86_64 2/11
Running scriptlet: nftables-1:0.9.3-21.el8.x86_64 2/11
Installing : python3-nftables-1:0.9.3-21.el8.x86_64 3/11
Upgrading : python3-firewall-0.9.3-7.el8.noarch 4/11
Upgrading : firewalld-filesystem-0.9.3-7.el8.noarch 5/11
Upgrading : firewalld-0.9.3-7.el8.noarch 6/11
warning: /etc/firewalld/firewalld.conf created as /etc/firewalld/firewalld.conf.rpmnew
Running scriptlet: firewalld-0.9.3-7.el8.noarch 6/11
Running scriptlet: firewalld-0.7.0-5.el8.noarch 7/11
Cleanup : firewalld-0.7.0-5.el8.noarch 7/11
Running scriptlet: firewalld-0.7.0-5.el8.noarch 7/11
Cleanup : firewalld-filesystem-0.7.0-5.el8.noarch 8/11
Cleanup : python3-firewall-0.7.0-5.el8.noarch 9/11
Running scriptlet: nftables-1:0.9.0-14.el8.x86_64 10/11
Cleanup : nftables-1:0.9.0-14.el8.x86_64 10/11
Running scriptlet: nftables-1:0.9.0-14.el8.x86_64 10/11
Cleanup : libnftnl-1.1.1-4.el8.x86_64 11/11
Running scriptlet: libnftnl-1.1.1-4.el8.x86_64 11/11
Verifying : python3-nftables-1:0.9.3-21.el8.x86_64 1/11
Verifying : firewalld-0.9.3-7.el8.noarch 2/11
Verifying : firewalld-0.7.0-5.el8.noarch 3/11
Verifying : firewalld-filesystem-0.9.3-7.el8.noarch 4/11
Verifying : firewalld-filesystem-0.7.0-5.el8.noarch 5/11
Verifying : libnftnl-1.1.5-4.el8.x86_64 6/11
Verifying : libnftnl-1.1.1-4.el8.x86_64 7/11
Verifying : nftables-1:0.9.3-21.el8.x86_64 8/11
Verifying : nftables-1:0.9.0-14.el8.x86_64 9/11
Verifying : python3-firewall-0.9.3-7.el8.noarch 10/11
Verifying : python3-firewall-0.7.0-5.el8.noarch 11/11
Upgraded:
firewalld-0.9.3-7.el8.noarch firewalld-filesystem-0.9.3-7.el8.noarch libnftnl-1.1.5-4.el8.x86_64 nftables-1:0.9.3-21.el8.x86_64 python3-firewall-0.9.3-7.el8.noarch
Installed:
python3-nftables-1:0.9.3-21.el8.x86_64
Complete!
4. Test and verify
Test from an address outside the list: connecting to ports 80/8080/443/8443 from a foreign host should be rejected or time out, while a host inside one of the listed ranges should still connect. Confirm the active rules with firewall-cmd --list-rich-rules and the loaded entries with firewall-cmd --info-ipset=china_ip.
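Checking offline whether a given address is covered by the list, as an added example that is not part of the original post: --query-entry only asks whether that exact entry string was added to the set, so querying a single address against a hash:net set of ranges says nothing about containment. The functions below do the prefix arithmetic against the downloaded file instead, which is also a cheap way to confirm that your own management address is (or is not) inside the allowlist before you rely on it. It assumes the list holds one IPv4 CIDR per line in plain dotted-decimal without leading zeros; the list and addresses used in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): does an address fall inside any
# CIDR in the allowlist file? Assumes one IPv4 CIDR per line, dotted-decimal
# without leading zeros (sh arithmetic would read "010" as octal).

# ip_to_int A.B.C.D: print the address as a 32-bit unsigned integer
ip_to_int() {
    a=${1%%.*}; r=${1#*.}
    b=${r%%.*}; r=${r#*.}
    c=${r%%.*}; d=${r#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP CIDR: succeed if IP lies inside CIDR (network/prefix-length)
in_cidr() {
    net=${2%/*}
    plen=${2#*/}
    if [ "$plen" -eq 0 ]; then
        mask=0
    else
        # 4294967295 is 0xffffffff; keep the shift within 32 bits
        mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    fi
    ip_n=$(ip_to_int "$1")
    net_n=$(ip_to_int "$net")
    [ $(( ip_n & mask )) -eq $(( net_n & mask )) ]
}

# covered_by_list IP FILE: print the first CIDR that contains IP and succeed,
# or fail when no entry covers it (firewalld would then reject the source on
# the allowlisted ports). Blank lines and '#' comments are skipped.
covered_by_list() {
    while IFS= read -r cidr || [ -n "$cidr" ]; do
        case "$cidr" in ''|'#'*) continue ;; esac
        if in_cidr "$1" "$cidr"; then
            printf '%s\n' "$cidr"
            return 0
        fi
    done < "$2"
    return 1
}

# usage: CHECK_IP=203.0.113.9 LIST=china_ip_list.txt sh check_cover.sh
if [ -n "${CHECK_IP:-}" ]; then
    if match=$(covered_by_list "$CHECK_IP" "${LIST:-china_ip_list.txt}"); then
        echo "$CHECK_IP is covered by $match (accepted on the allowlisted ports)"
    else
        echo "$CHECK_IP is not in the list (falls through to the zone default)"
    fi
fi
```

Because every entry is tested in turn, a full China list of several thousand ranges takes a few seconds per lookup in plain sh; that is fine for spot-checking a handful of addresses before and after the reload.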