Practical use of the firewalld firewall on Linux (blocking access from overseas/foreign IPs)


2023-04-22



Contents

  • 1. Preface
  • 2. ipset basics
  • 2.1 Creating, deleting and listing ipsets
  • 2.2 Modifying the addresses in an ipset
  • 2.3 Other ipset queries
  • 3. Practical application
  • 3.1 Download the domestic IP ranges
  • 3.2 Create the IP set
  • 3.3 Add the rules
  • 3.4 Be patient
  • 4. Testing and verification


1. Preface

  • This article goes straight into a practical application of the firewalld firewall on Linux: blocking access from overseas (foreign) IPs.
  • For the basics, see: Basic operation of the firewalld firewall on Linux
  • For more advanced topics, see: Advanced operation of the firewalld firewall on Linux (log retention, IP ranges, the ssh service)
  • For another practical application, see: Practical use of the firewalld firewall on Linux (opening ports externally, restricting internal ports to specific IPs, closing unused ports by default)
  • For this practical application, see: Practical use of the firewalld firewall on Linux (blocking access from overseas/foreign IPs)

2. ipset basics

  • An ipset is a named set of IP addresses (or networks).
  • With an ipset, firewalld can match many addresses in a single rule, which performs better than one rule per address and is much easier to manage.
  • firewalld stores its permanent ipsets as XML files under /etc/firewalld/ipsets/.

2.1 Creating, deleting and listing ipsets

#Create an IP set. --type=hash:ip holds individual addresses (each address can appear only once); for CIDR networks use --type=hash:net, as in section 3.2
firewall-cmd --permanent --new-ipset=china_ip --type=hash:ip

#Delete an IP set
firewall-cmd --permanent --delete-ipset=china_ip

#List all IP sets
firewall-cmd --permanent --get-ipsets

2.2 Modifying the addresses in an ipset

#Add one address to the ipset
firewall-cmd --permanent --ipset=china_ip --add-entry=121.122.123.105

#Add addresses to the ipset from a file (one entry per line)
firewall-cmd --permanent --ipset=china_ip --add-entries-from-file=china_ip_list.txt

#Remove one address from the ipset
firewall-cmd --permanent --ipset=china_ip --remove-entry=121.122.123.105

#Check whether an address is in the ipset
firewall-cmd --permanent --ipset=china_ip --query-entry=121.122.123.105

#--permanent changes only take effect in the running firewall after a reload
firewall-cmd --reload

2.3 Other ipset queries

#Inspect the ipset's XML file directly
more /etc/firewalld/ipsets/china_ip.xml

#Print the path of the ipset's configuration file
firewall-cmd --path-ipset=china_ip --permanent

#Print the ipset's type, options and entries
firewall-cmd --info-ipset=china_ip --permanent

#Print all entries of the ipset
firewall-cmd --ipset=china_ip --get-entries --permanent

3. Practical application

  • There are two ways to block access from overseas (foreign) IPs:
  • allow all IPs and deny the foreign ones, or
  • deny all IPs and allow only the domestic ones.
  • Denying everything and allowing only domestic IPs is the easier of the two, because a list of domestic IP ranges is far easier to collect and keep current than a list of every foreign range.
  • It also fits firewalld's model: the default public zone already rejects anything that is not explicitly allowed, so the only rules needed are accept rules whose source is the domestic ipset. Make sure the same ports are not also opened at zone level (with --add-port or --add-service); if they are, the zone accepts them from everywhere and the ipset restriction never applies.
  • Be clear about what this does and does not give you: the rules below are IPv4-only (family="ipv4"), they leave untouched whatever the zone already allows (the public zone ships with the ssh service allowed from anywhere; restricting ssh is covered in the advanced article linked above), and an attacker can still connect through a domestic cloud host or VPN. Geo-blocking cuts noise; it is not an access-control boundary.

3.1 Download the domestic IP ranges

  • The list below is fetched from a third-party site over HTTPS and is a snapshot of China's IPv4 address ranges in CIDR notation, one per line (which is why the set created in 3.2 is hash:net). Look through it before loading it into the firewall, and re-download it periodically, since address allocations change.

[root@iZ2ze30dygwd6yh7gu6lskZ home]# wget https://www.isres.com/china_ip_list.txt
--2022-08-15 11:46:01--  https://www.isres.com/china_ip_list.txt
Resolving www.isres.com (www.isres.com)... 45.136.15.104
Connecting to www.isres.com (www.isres.com)|45.136.15.104|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 95267 (93K) [text/plain]
Saving to: ‘china_ip_list.txt’

china_ip_list.txt                                   100%[==================================================================================================================>]  93.03K   419KB/s    in 0.2s    

2022-08-15 11:46:02 (419 KB/s) - ‘china_ip_list.txt’ saved [95267/95267]

3.2 Create the IP set

#hash:net, because the entries are networks rather than single addresses
firewall-cmd --permanent --new-ipset=china_ip --type=hash:net

#load every line of the downloaded file as an entry
firewall-cmd --permanent --ipset=china_ip --add-entries-from-file=china_ip_list.txt

3.3 Add the rules

#accept TCP ports 80, 8080, 443 and 8443 only when the source address is in the china_ip set; everything else keeps the zone's default (reject) treatment
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip"  port port=80 protocol=tcp accept'
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip"  port port=8080 protocol=tcp accept'
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip"  port port=443 protocol=tcp accept'
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip"  port port=8443 protocol=tcp accept'
firewall-cmd --reload
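The commands in sections 2 and 3 are the building blocks; what a production rollout also needs is input validation of the downloaded list and a check for the zone-level bypass described above. The script below is an added example, not code from the original article. It assumes it runs as root on the server, that the default zone is the one serving the ports, that curl is installed, and it maps only the http and https service names to ports (other services would need the same mapping). The list URL and ipset name are the ones used on this page.

```shell
#!/bin/sh
# geo_allow.sh: added example (not code from the original article) that scripts
# the "deny everything, allow only the domestic ipset" procedure above with the
# sanity checks a production rollout needs. Assumptions not stated on the page:
# runs as root, default zone is the one serving the ports, curl is installed.
set -eu

LIST_URL=${LIST_URL:-https://www.isres.com/china_ip_list.txt}   # from 3.1
IPSET_NAME=${IPSET_NAME:-china_ip}                               # from 3.2

# Keep only syntactically valid IPv4 CIDRs from a downloaded list: drop blank
# and comment lines, trim whitespace (including CR from CRLF files), turn bare
# addresses into /32, reject bad octets or prefix lengths, de-duplicate.
# Nothing unchecked reaches the firewall configuration.
filter_ipv4_cidrs() {
    awk '
    /^[ \t\r]*$/ { next }
    /^[ \t\r]*#/ { next }
    {
        gsub(/^[ \t\r]+|[ \t\r]+$/, "")
        n = split($0, p, "/")
        if (n == 1) p[2] = "32"; else if (n != 2) next
        if (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32) next
        if (split(p[1], o, ".") != 4) next
        for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
        key = p[1] "/" p[2]
        if (!(key in seen)) { seen[key] = 1; print key }
    }' "$1"
}

# The rich rule for one TCP port, in the same form as section 3.3.
rich_rule() {
    printf 'rule family="ipv4" source ipset="%s" port port="%s" protocol="tcp" accept' \
        "$IPSET_NAME" "$1"
}

# The mistake that silently defeats this whole setup: the port (or its service)
# is also opened at zone level, so the zone accepts it from everyone and the
# ipset rule never matters. $1 = port, $2 = `--list-ports` output,
# $3 = `--list-services` output. Only http/https are mapped to ports here
# (an assumption; other service names would need the same mapping).
zone_opens_to_all() {
    port=$1; ports=$2; services=$3
    for p in $ports; do
        if [ "$p" = "$port/tcp" ]; then return 0; fi
    done
    for s in $services; do
        case "$port:$s" in 80:http|443:https) return 0 ;; esac
    done
    return 1
}

# Download, sanitise and load the list, then add accept rules for the given
# TCP ports. Aborts if the cleaned list is empty or a port is already world-open.
apply_geo_allow() {
    work=$(mktemp -d)
    curl -fsSL "$LIST_URL" -o "$work/raw.txt"
    filter_ipv4_cidrs "$work/raw.txt" > "$work/clean.txt"
    count=$(wc -l < "$work/clean.txt")
    if [ "$count" -eq 0 ]; then
        echo "no valid entries in $LIST_URL, aborting" >&2; return 1
    fi
    ports_open=$(firewall-cmd --permanent --list-ports)
    svcs_open=$(firewall-cmd --permanent --list-services)
    for port in "$@"; do
        if zone_opens_to_all "$port" "$ports_open" "$svcs_open"; then
            echo "port $port is already open to everyone at zone level; remove that first" >&2
            return 1
        fi
    done
    # hash:net because the list holds CIDR networks; hash:ip is for single addresses.
    if ! firewall-cmd --permanent --get-ipsets | tr ' ' '\n' | grep -qx "$IPSET_NAME"; then
        firewall-cmd --permanent --new-ipset="$IPSET_NAME" --type=hash:net
    fi
    firewall-cmd --permanent --ipset="$IPSET_NAME" --add-entries-from-file="$work/clean.txt"
    for port in "$@"; do
        firewall-cmd --permanent --add-rich-rule="$(rich_rule "$port")"
    done
    firewall-cmd --reload
    echo "loaded $count networks into ipset $IPSET_NAME for TCP ports: $*"
    rm -rf "$work"
}

# Usage: ./geo_allow.sh --apply 80 443 8080 8443
if [ "${1:-}" = "--apply" ]; then shift; apply_geo_allow "$@"; fi
```

Without --apply the script only defines its functions, so the filter and the bypass check can be exercised on a constructed file before anything touches the firewall. Re-running it with the same arguments is safe: the ipset is created only if missing, and firewall-cmd merely warns about entries and rules that already exist.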

3.4 Be patient

  • firewalld takes a long time to process a large number of entries, and the command can appear to hang. The error below is firewall-cmd giving up on a D-Bus reply from firewalld while the daemon is still busy; check afterwards with --get-entries whether the entries were actually stored before retrying.

ERROR:dbus.proxies:Introspect error on :1.32902:/org/fedoraproject/FirewallD1/config: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

  • If a reload then fails with an nftables error like the one below (seen here with firewalld 0.7.0 on CentOS 8), upgrade firewalld: stop the service, upgrade the package, start the service again and reload. In the transcript the first yum command is a typo; the second one names the right package. The upgrade leaves the new default configuration as /etc/firewalld/firewalld.conf.rpmnew next to the existing file, so merge it if you rely on non-default settings.

[root@iZ2ze30dygwd6yh7gu6lskZ home]# firewall-cmd --reload
Error: COMMAND_FAILED: '/usr/sbin/nft insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public' failed: Error: Could not process rule: No such file or directory
insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[root@iZ2ze30dygwd6yh7gu6lskZ home]# systemctl stop firewalld
[root@iZ2ze30dygwd6yh7gu6lskZ home]# yum install firewalls
CentOS-8 - AppStream                                 764 kB/s | 4.3 kB     00:00
CentOS-8 - Base                                      148 kB/s | 3.9 kB     00:00
CentOS-8 - Extras                                     55 kB/s | 1.5 kB     00:00
Extra Packages for Enterprise Linux 8 - x86_64       135 kB/s | 4.7 kB     00:00
No match for argument: firewalls
Error: Unable to find a match: firewalls
[root@iZ2ze30dygwd6yh7gu6lskZ home]# yum install firewalld
Last metadata expiration check: 0:00:04 ago on Wed 17 Aug 2022 12:23:38 AM CST.
Package firewalld-0.7.0-5.el8.noarch is already installed.
Dependencies resolved.
================================================================================
 Package                 Architecture   Version             Repository    Size
================================================================================
Upgrading:
 firewalld               noarch         0.9.3-7.el8         BaseOS       502 k
 firewalld-filesystem    noarch         0.9.3-7.el8         BaseOS        77 k
 libnftnl                x86_64         1.1.5-4.el8         BaseOS        83 k
 nftables                x86_64         1:0.9.3-21.el8      BaseOS       321 k
 python3-firewall        noarch         0.9.3-7.el8         BaseOS       432 k
Installing dependencies:
 python3-nftables        x86_64         1:0.9.3-21.el8      BaseOS        29 k

Transaction Summary
================================================================================
Install  1 Package
Upgrade  5 Packages

Total download size: 1.4 M
Is this ok [y/N]: y
Downloading Packages:
(1/6): python3-nftables-0.9.3-21.el8.x86_64.rpm      334 kB/s |  29 kB     00:00
(2/6): firewalld-filesystem-0.9.3-7.el8.noarch.rpm   853 kB/s |  77 kB     00:00
(3/6): firewalld-0.9.3-7.el8.noarch.rpm              4.5 MB/s | 502 kB     00:00
(4/6): libnftnl-1.1.5-4.el8.x86_64.rpm               1.2 MB/s |  83 kB     00:00
(5/6): python3-firewall-0.9.3-7.el8.noarch.rpm       5.1 MB/s | 432 kB     00:00
(6/6): nftables-0.9.3-21.el8.x86_64.rpm              2.7 MB/s | 321 kB     00:00
--------------------------------------------------------------------------------
Total                                                6.8 MB/s | 1.4 MB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                     1/1
  Running scriptlet: libnftnl-1.1.5-4.el8.x86_64                         1/1
  Upgrading        : libnftnl-1.1.5-4.el8.x86_64                        1/11
  Running scriptlet: libnftnl-1.1.5-4.el8.x86_64                        1/11
  Upgrading        : nftables-1:0.9.3-21.el8.x86_64                     2/11
  Running scriptlet: nftables-1:0.9.3-21.el8.x86_64                     2/11
  Installing       : python3-nftables-1:0.9.3-21.el8.x86_64             3/11
  Upgrading        : python3-firewall-0.9.3-7.el8.noarch                4/11
  Upgrading        : firewalld-filesystem-0.9.3-7.el8.noarch            5/11
  Upgrading        : firewalld-0.9.3-7.el8.noarch                       6/11
warning: /etc/firewalld/firewalld.conf created as /etc/firewalld/firewalld.conf.rpmnew

  Running scriptlet: firewalld-0.9.3-7.el8.noarch                       6/11
  Running scriptlet: firewalld-0.7.0-5.el8.noarch                       7/11
  Cleanup          : firewalld-0.7.0-5.el8.noarch                       7/11
  Running scriptlet: firewalld-0.7.0-5.el8.noarch                       7/11
  Cleanup          : firewalld-filesystem-0.7.0-5.el8.noarch            8/11
  Cleanup          : python3-firewall-0.7.0-5.el8.noarch                9/11
  Running scriptlet: nftables-1:0.9.0-14.el8.x86_64                    10/11
  Cleanup          : nftables-1:0.9.0-14.el8.x86_64                    10/11
  Running scriptlet: nftables-1:0.9.0-14.el8.x86_64                    10/11
  Cleanup          : libnftnl-1.1.1-4.el8.x86_64                       11/11
  Running scriptlet: libnftnl-1.1.1-4.el8.x86_64                       11/11
  Verifying        : python3-nftables-1:0.9.3-21.el8.x86_64             1/11
  Verifying        : firewalld-0.9.3-7.el8.noarch                       2/11
  Verifying        : firewalld-0.7.0-5.el8.noarch                       3/11
  Verifying        : firewalld-filesystem-0.9.3-7.el8.noarch            4/11
  Verifying        : firewalld-filesystem-0.7.0-5.el8.noarch            5/11
  Verifying        : libnftnl-1.1.5-4.el8.x86_64                        6/11
  Verifying        : libnftnl-1.1.1-4.el8.x86_64                        7/11
  Verifying        : nftables-1:0.9.3-21.el8.x86_64                     8/11
  Verifying        : nftables-1:0.9.0-14.el8.x86_64                     9/11
  Verifying        : python3-firewall-0.9.3-7.el8.noarch               10/11
  Verifying        : python3-firewall-0.7.0-5.el8.noarch               11/11

Upgraded:
  firewalld-0.9.3-7.el8.noarch        firewalld-filesystem-0.9.3-7.el8.noarch
  libnftnl-1.1.5-4.el8.x86_64         nftables-1:0.9.3-21.el8.x86_64
  python3-firewall-0.9.3-7.el8.noarch

Installed:
  python3-nftables-1:0.9.3-21.el8.x86_64

Complete!

4. Testing and verification

  • First confirm the configuration is live: firewall-cmd --list-rich-rules should show the four accept rules, and firewall-cmd --info-ipset=china_ip should report type hash:net with the loaded entries.
  • Then test from a host whose address is outside the china_ip ranges (a foreign VPS or VPN exit will do): new connections to ports 80, 8080, 443 and 8443 must fail, while the same request from a domestic address succeeds. Use fresh connections for the test, because --reload keeps connection state and does not cut sessions that were already established.

