/ufw
sudo ufw deny from 192.16.25.20 to any
ufw deny from 192.16.25.20 to any port 22
ufw delete deny from 192.16.25.20
ufw insert 1 deny from 192.16.25.20
ufw insert 1 deny from 10.20.0.1 port 23 to 10.20.0.130 port 24
//[ 1] 10.20.0.130 24 DENY IN 10.20.0.1 23
ufw insert 1 allow proto tcp from 10.20.0.1 port 23 to 10.20.0.130 port 24
// the protocol is given with "proto tcp" before from/to; "10.20.0.1/tcp" is not valid ufw syntax
Allow a given subnet to reach a given port on this server:
//allow
ufw allow out proto tcp from 10.12.238.0/24 to 10.12.248.162 port 22519
// 10.12.248.162 22519/tcp ALLOW OUT 10.12.238.0/24 (out)
ufw delete allow out proto tcp from 10.12.238.0/24 to 10.12.248.162 port 22519
//
ufw allow in proto tcp from 10.12.238.0/24 to 10.12.248.162 port 22519
//[14] 10.12.248.162 22519/tcp ALLOW IN 10.12.238.0/24
ufw delete allow in proto tcp from 10.12.238.0/24 to 10.12.248.162 port 22519
/deny
ufw deny out proto tcp from 10.12.238.0/24 to 10.12.248.162 port 22519
ufw delete deny out proto tcp from 10.12.238.0/24 to 10.12.248.162 port 22519
//
ufw deny in proto tcp from 10.12.238.0/24 to 10.12.248.162 port 22519
//[ 8] 10.12.248.162 22519/tcp DENY IN 10.12.238.0/24
ufw delete deny in proto tcp from 10.12.238.0/24 to 10.12.248.162 port 22519
///
ufw deny out proto tcp from 10.12.238.24 port 22519 to 10.12.248.162 port 22519
//[ 8] 10.12.248.162 22519/tcp DENY OUT 10.12.238.24 22519/tcp (out)
ufw delete deny out proto tcp from 10.12.238.24 port 22519 to 10.12.248.162 port 22519
Revoke a subnet's access to a given port on this server (delete the allow, then add an explicit deny):
ufw delete allow proto tcp from 10.12.238.0/24 to 10.12.248.162 port 22519
ufw deny in proto tcp from 10.12.238.0/24 to 10.12.248.162 port 22519
// list rules
ufw status
ufw status numbered
ufw delete 1 // delete by rule number (check "ufw status numbered" first; numbers shift after every delete)
ufw reload
ufw --force reset // reset the firewall: disables ufw and removes every user rule
Order matters: ufw applies the first rule that matches. Put the deny first and the allow after it (insert the deny ahead of the allow rule), otherwise a deny added behind a broader allow never fires.
Once UFW is enabled, if SSH has not been allowed you can no longer reach the host over SSH, so confirm the SSH rule is in place before turning the firewall on:
$ sudo ufw allow ssh
ufw delete allow ssh // to remove it later; "allow ssh" is stored as 22/tcp, so "delete allow 22" does not match it ("delete allow 22/tcp" does)
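The two caveats above (a deny has to sit ahead of the allow it is meant to override, and SSH must be allowed before the firewall goes up) can be checked mechanically. The script below is an added example, not part of these notes or of ufw itself: it parses the text that `ufw status numbered` prints on an active firewall, flags DENY IN rules that an earlier "ALLOW IN ... Anywhere" on the same port shadows, and refuses a rule set with no ALLOW IN for 22/tcp. The two status samples are constructed for the example, and the `audit_live_ufw` wrapper assumes it runs as root against an active ufw (an inactive ufw prints no rule lines at all).

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): audit `ufw status numbered`
# output for two pitfalls: a DENY that lands after a broad ALLOW for the same
# port (first match wins, so the DENY never fires), and a rule set with no
# ALLOW IN for 22/tcp (enabling it locks you out of SSH).

# Return 0 if the status text contains an ALLOW IN rule for 22/tcp.
check_ssh_allowed() {
    printf '%s\n' "$1" | grep -Eq '^\[ *[0-9]+\] +22/tcp( \(v6\))? +ALLOW IN '
}

# Return 0 if every "DENY IN" rule for a port comes before any
# "ALLOW IN ... Anywhere" rule for that same port; otherwise print the
# shadowed rules and return 1.
check_deny_before_allow() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        # Only numbered rule lines: "[ 1] 22/tcp   DENY IN   192.16.25.20"
        /^\[ *[0-9]+\]/ {
            idx = $0; sub(/^\[ */, "", idx); sub(/\].*/, "", idx)
            rest = $0; sub(/^\[ *[0-9]+\] +/, "", rest)
            split(rest, f, " +"); port = f[1]
            # remember the first broad allow seen for this port
            if (rest ~ / ALLOW IN +Anywhere/ && !(port in allow_at)) allow_at[port] = idx
            # a deny for a port that already has a broad allow above it is dead
            if (rest ~ / DENY IN / && (port in allow_at)) {
                printf "rule %s (%s) is shadowed by broad ALLOW at rule %s\n", idx, rest, allow_at[port]
                bad = 1
            }
        }
        END { exit bad }'
}

# Audit the running firewall. `ufw status numbered` lists rules only while
# ufw is active, so run this right after `ufw enable` or `ufw reload`.
audit_live_ufw() {
    local status
    status=$(ufw status numbered 2>/dev/null) || {
        echo "cannot read ufw status (not root, or ufw missing)" >&2; return 2; }
    check_ssh_allowed "$status" || {
        echo "no ALLOW IN rule for 22/tcp: you would lock yourself out" >&2; return 1; }
    check_deny_before_allow "$status"
}

# Constructed sample output (not captured from a real host), in the format
# `ufw status numbered` prints on an active firewall.
GOOD_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     DENY IN     192.16.25.20
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 22519/tcp                  ALLOW IN    10.12.238.0/24'

BAD_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22519/tcp                  ALLOW IN    Anywhere
[ 2] 22519/tcp                  DENY IN     10.12.238.0/24'

# Demonstration against the constructed samples.
if check_ssh_allowed "$GOOD_STATUS" && check_deny_before_allow "$GOOD_STATUS"; then
    echo "GOOD_STATUS: ok"
fi
check_ssh_allowed "$BAD_STATUS" || echo "BAD_STATUS: no ALLOW IN for 22/tcp"
check_deny_before_allow "$BAD_STATUS" || echo "BAD_STATUS: ordering problem"
```

The shadow check only treats an "ALLOW IN ... Anywhere" as covering a later DENY; a DENY placed after an ALLOW from a specific subnet that happens to contain the denied host is just as dead, so read the numbered listing yourself when allows are scoped to subnets.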
firewalld
Add a rule (drop all traffic from one source address)
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.250.202" drop'
firewall-cmd --reload
// single-quote the rich rule so the inner double quotes reach firewall-cmd intact; --permanent only changes the saved configuration, which is why the reload is needed
Remove the rule (from the same zone it was added to)
firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.250.202" drop'
firewall-cmd --reload