Requirement: block access from overseas (non-China) IP addresses
wget https://www.isres.com/china_ip_list.txt
Confirm that the firewall is running
systemctl status firewalld
Command to start the firewall
systemctl start firewalld
Confirm again that the firewall is running
systemctl status firewalld
Solution:
firewall-cmd --permanent --new-ipset=china_ip --type=hash:net
Load the china_ip_list.txt downloaded above into that ipset
firewall-cmd --permanent --ipset=china_ip --add-entries-from-file=china_ip_list.txt
Add the rules for the ports you want to keep reachable (optional; note that the commands below use plain ASCII quotes, which the shell requires)
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=80 protocol=tcp accept'
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=8080 protocol=tcp accept'
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=443 protocol=tcp accept'
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=8443 protocol=tcp accept'
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=22 protocol=tcp accept'
firewall-cmd --remove-service=ssh --permanent
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=7000 protocol=tcp accept'
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=6000-6020 protocol=tcp accept'
firewall-cmd --reload
Check the firewall status and the active filter rules
firewall-cmd --list-all
That completes the setup. Afterwards I closed the ports I had previously opened directly in the zone:
firewall-cmd --zone=public --remove-port=80/tcp --permanent
firewall-cmd --zone=public --remove-port=8080/tcp --permanent
firewall-cmd --zone=public --remove-port=6000-6021/tcp --permanent
firewall-cmd --reload
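Before loading the list and especially before running `firewall-cmd --remove-service=ssh`, it is worth checking two things the commands above do not: that every line of china_ip_list.txt is a well-formed IPv4 prefix (malformed lines make the ipset load fail), and that the address you administer the host from is actually inside the list, since afterwards only ipset members can reach port 22. The script below is an added example, not part of the original post; the sample list and the admin address 1.0.1.77 are constructed assumptions.

```python
"""Validate a china_ip_list.txt-style file and check that an admin address
is covered before the ssh service is removed (added example, assumptions
marked below)."""
import ipaddress
import sys

# Constructed sample in the same one-prefix-per-line shape as china_ip_list.txt
SAMPLE_LIST = """1.0.1.0/24
1.0.2.0/23
# comment lines and blanks are not valid ipset entries

223.255.255.0/24
not-a-prefix
"""
ADMIN_IP = "1.0.1.77"  # assumption: the address you ssh in from


def load_cidrs(text):
    """Parse one IPv4 prefix per line.
    Returns (valid networks, rejected (line number, raw line) pairs)."""
    nets, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue  # comment or blank: skip, not an entry
        try:
            nets.append(ipaddress.IPv4Network(line, strict=False))
        except ValueError:
            rejected.append((lineno, raw))
    return nets, rejected


def covers(nets, address):
    """Return the first prefix containing `address`, or None if not in the set."""
    ip = ipaddress.IPv4Address(address)
    return next((n for n in nets if ip in n), None)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LIST
    admin = sys.argv[2] if len(sys.argv) > 2 else ADMIN_IP
    nets, rejected = load_cidrs(text)
    for lineno, raw in rejected:
        print(f"line {lineno} rejected, fix before --add-entries-from-file: {raw!r}")
    hit = covers(nets, admin)
    print(f"{len(nets)} prefixes parsed; {admin} covered by {hit}")
    if hit is None:
        sys.exit("admin address is not in the list: keep the ssh service for now")
```

Run it as `python3 check_list.py china_ip_list.txt <your-admin-ip>` against the real download; a non-zero exit means removing the ssh service would lock you out.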
PS: the screenshot below (not reproduced here) shows some IPs of unknown users
Once configured, only China IPs can get through
Access from outside the network:
When the firewall is turned off, external traffic comes back in, which confirms that blocking outside IPs worked
A new problem appeared: after stopping the firewall, it would not start again...
Solution: first kill the firewalld process that failed to start
pkill -f firewalld
firewall-cmd --state
systemctl start firewalld
firewall-cmd --state
Thanks to:
Practical use of the firewalld firewall on Linux (blocking overseas IP access) http://t.csdn.cn/hd0Sq
firewalld.service: Start operation timed out. Terminating http://t.csdn.cn/oGl8Q
Extra:
After the block was in place, a batch of malicious accesses from domestic IPs appeared in the proxy log
Source: https://blog.csdn.net/weixin_45673197/article/details/128414283