firewall-cmd: rejecting a destination address
I am using the following:

    # cat /etc/redhat-release
    CentOS Linux release 7.1.1503 (Core)
    # rpm -q firewalld
    firewalld-0.3.9-11.el7.noarch
    #

I am trying to block a specific IP address (10.52.208.220) from being reached from my system, but am unable to do so:

Before:

    # firewall-cmd --reload
    success
    # firewall-cmd --list-all
    public (default, active)
      interfaces: eno1
      sources:
      services: dhcpv6-client high-availability http https ssh
      ports: 5666/tcp 3306/tcp 5900/tcp 9001/tcp
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:

    # ping -c1 wcmisdlin01
    PING wcmisdlin01.uftmasterad.org (10.52.208.220) 56(84) bytes of data.
    64 bytes from wcmisdlin01.uftmasterad.org (10.52.208.220): icmp_seq=1 ttl=64 time=0.379 ms

    --- wcmisdlin01.uftmasterad.org ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.379/0.379/0.379/0.000 ms
    #

After:

    # firewall-cmd --add-rich-rule='rule family="ipv4" destination address="10.52.208.220" protocol value="icmp" reject'
    success
    # firewall-cmd --list-all
    public (default, active)
      interfaces: eno1
      sources:
      services: dhcpv6-client high-availability http https ssh
      ports: 5666/tcp 3306/tcp 5900/tcp 9001/tcp
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
            rule family="ipv4" destination address="10.52.208.220" protocol value="icmp" reject

    # ping -c1 wcmisdlin01
    PING wcmisdlin01.uftmasterad.org (10.52.208.220) 56(84) bytes of data.
    64 bytes from wcmisdlin01.uftmasterad.org (10.52.208.220): icmp_seq=1 ttl=64 time=0.266 ms

    --- wcmisdlin01.uftmasterad.org ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.266/0.266/0.266/0.000 ms
    #
IPTABLES(8) - iptables/ip6tables — administration tool for IPv4/IPv6 packet filtering and NAT
    # iptables --list IN_public_deny
    Chain IN_public_deny (1 references)
    target     prot opt source               destination
    REJECT     icmp --  anywhere             wcmisdlin01.uftmasterad.org  ctstate NEW reject-with icmp-port-unreachable
    #
What exactly am I doing wrong?
Looking at the complete `iptables -n --list` output, IN_public_deny is (eventually) called from the INPUT chain, which has nothing to do with packets sent from the system to the host that is not being denied; those packets instead go through the OUTPUT chain (or possibly FORWARD, if the firewall is a router or bridge between source and destination). firewalld.richlanguage(5) does not appear to offer any way to specify that a rule must go into the OUTPUT (or FORWARD) chain, so the "last resort" option of direct rules seems to be a solution:

    firewall-cmd --direct --add-rule ipv4 filter OUTPUT_direct 0 -p icmp -d 10.52.208.220 -j REJECT --reject-with icmp-host-prohibited

(Although I would generally prefer DROP (and perhaps a rate-limited LOG) over sending ICMP rejections, since if the host being blocked goes haywire, throwing ICMP response packets back onto an already loaded network can make things go from bad to worse...)
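The following is an added example, not code from the question or the answer above. It shows the two pieces a practitioner would want around the direct rule: a function that emits the `firewall-cmd --direct` commands for a given destination (either the REJECT form from the answer or the DROP-with-rate-limited-LOG variant the answerer says they would prefer) so they can be reviewed before being run on the firewalld host, and a checker that parses `iptables -n --list` output to confirm the rule actually landed in the OUTPUT_direct chain rather than only in IN_public_deny. The function names `build_direct_rules` and `rule_in_output_chain`, the log prefix and the rate limit are my own choices; the iptables listings are constructed samples modelled on the ones in the question.

```shell
#!/bin/sh
# Added example (not part of the original post). Assumes firewalld's direct
# interface provides the OUTPUT_direct chain, as it does on firewalld 0.3.x.

# Emit the firewall-cmd direct rules that block outbound ICMP to the IPv4
# address in $1. Mode "reject" (default) matches the answer; mode "drop"
# emits a rate-limited LOG rule followed by DROP. Commands are printed, not
# executed, so they can be reviewed first (pipe into sh on the firewall host).
build_direct_rules() {
  ip="$1"; mode="${2:-reject}"
  # Only digits and dots are accepted: this keeps shell metacharacters out
  # of the generated command line (it does not validate each octet's range).
  case "$ip" in
    ""|*[!0-9.]*) return 1 ;;
  esac
  if [ "$mode" = drop ]; then
    printf '%s\n' "firewall-cmd --direct --add-rule ipv4 filter OUTPUT_direct 0 -p icmp -d $ip -m limit --limit 3/min -j LOG --log-prefix 'fw-out-block: '"
    printf '%s\n' "firewall-cmd --direct --add-rule ipv4 filter OUTPUT_direct 1 -p icmp -d $ip -j DROP"
  else
    printf '%s\n' "firewall-cmd --direct --add-rule ipv4 filter OUTPUT_direct 0 -p icmp -d $ip -j REJECT --reject-with icmp-host-prohibited"
  fi
}

# Read non-verbose `iptables -n --list` output on stdin and succeed only if
# the OUTPUT_direct chain contains a REJECT or DROP whose destination
# (column 5) is $1. A matching rule in IN_public_deny alone does not count.
rule_in_output_chain() {
  awk -v ip="$1" '
    /^Chain / { chain = $2 }
    chain == "OUTPUT_direct" && ($1 == "REJECT" || $1 == "DROP") && $5 == ip { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Constructed sample listings: "before" has only the rich rule's INPUT-side
# entry (the state shown in the question); "after" also has the direct rule.
SAMPLE_BEFORE='Chain IN_public_deny (1 references)
target     prot opt source               destination
REJECT     icmp --  0.0.0.0/0            10.52.208.220        ctstate NEW reject-with icmp-port-unreachable

Chain OUTPUT_direct (1 references)
target     prot opt source               destination
'

SAMPLE_AFTER="${SAMPLE_BEFORE}REJECT     icmp --  0.0.0.0/0            10.52.208.220        reject-with icmp-host-prohibited
"
```

On a live host the checker is used as `iptables -n --list | rule_in_output_chain 10.52.208.220`; it expects the non-verbose listing format (no `-v`), since verbose output shifts the destination to a different column. Adding `--permanent` to the emitted commands (and reloading) is needed if the rule should survive a firewalld restart.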