Contents
iptables
  1. Set up a web service that anyone can reach on port 80
  2. Block all SSH logins to the server
  3. Block one host (192.168.5.129) from SSH while still letting it reach the web service (server address 192.168.5.128)
firewalld
  1. Block one IP address (192.168.5.129) from SSH
  2. Port forwarding (hosts in 192.168.5.0/24 connecting to port 5423 on the server are redirected to port 80)
  3. Forward local port 80 to port 8080 on 192.168.5.129
iptables
1. Set up a web service and allow anyone to reach it on port 80.
# Start the iptables service
[root@server ~]# systemctl start iptables.service
# Insert a rule at the head of the INPUT chain that accepts TCP packets with destination port 80
[root@server ~]# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
# Check the result
[root@server ~]# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:http # added successfully
2 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
3 ACCEPT icmp -- anywhere anywhere
4 ACCEPT all -- anywhere anywhere
5 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
6 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Two things are worth knowing about this listing. Rule 4, shown as "ACCEPT all anywhere anywhere", is the loopback rule (-i lo) of the default ruleset: plain -L hides interfaces, so use iptables -nvL --line-numbers when you need to see them (-n also stops the name lookups that print ports as http and ssh). And rules added with iptables -I exist only in the running kernel: systemctl restart iptables reloads /etc/sysconfig/iptables and discards them unless you first run service iptables save (or iptables-save > /etc/sysconfig/iptables).
2. Block everyone from logging in to the server over SSH
# Insert a rule at the head of the INPUT chain that rejects TCP packets with destination port 22
[root@server ~]# iptables -I INPUT -p tcp --dport 22 -j REJECT
As soon as this rule is in place the SSH session to server is cut off: the REJECT now sits in front of the RELATED,ESTABLISHED rule, so it applies to the existing connection as well, and the following steps have to be done on the VM console. Inserting at position 2 instead (iptables -I INPUT 2 ...) keeps established sessions working and refuses only new logins.
# Check from the VM console
[root@server ~]# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 REJECT tcp -- anywhere anywhere tcp dpt:ssh reject-with icmp-port-unreachable
2 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
3 ACCEPT icmp -- anywhere anywhere
4 ACCEPT all -- anywhere anywhere
5 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
6 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
# Delete rule 1 to restore access
[root@server ~]# iptables -D INPUT 1
SSH connections to server work again.
3. Block one host (192.168.5.129) from SSH while still allowing it to reach the web service. The server address is 192.168.5.128.
Reject SSH connections from 192.168.5.129:
[root@localhost ~]# iptables -I INPUT -p tcp -s 192.168.5.129 --dport 22 -j REJECT
Allow 192.168.5.129 to reach the web service:
[root@localhost ~]# iptables -I INPUT -p tcp -s 192.168.5.129 --dport 80 -j ACCEPT
The second rule is redundant with the global port-80 ACCEPT from step 1 and is harmless; what matters is that the -s 192.168.5.129 --dport 22 REJECT sits in front of the "state NEW tcp dpt:ssh" ACCEPT. Confirm the order with iptables -nvL INPUT --line-numbers, and confirm a specific rule exists with iptables -C INPUT -p tcp -s 192.168.5.129 --dport 22 -j REJECT (exit status 0 means present).
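The two SSH-blocking steps above share one failure mode: a REJECT inserted at the head of INPUT also kills the session you typed it in, and a wrong address (the prose and the command disagreed on 172.24.8.129 versus 192.168.5.129) locks out the wrong host. The script below is an added example, not code from the original page, that applies the per-host rule of step 3 at position 2 (behind the RELATED,ESTABLISHED rule of the listings above) and removes it again automatically unless the operator confirms. The binary name iptables, the position 2, the confirmation file path and the IPT=echo dry-run switch are assumptions for this example.

```sh
#!/bin/sh
# Added example, not from the original page. Assumes the INPUT chain shown in
# the listings above (rule 2 = RELATED,ESTABLISHED accept) and an "iptables"
# binary; set IPT=echo to print the commands instead of running them.
IPT="${IPT:-iptables}"
GRACE="${GRACE:-60}"                         # seconds until automatic rollback
CONFIRM="${CONFIRM:-/run/ssh-block.confirm}" # touch this file to keep the rule

# Accept only a plain dotted-quad IPv4 address, so a stray argument can never
# turn into extra rule options. A wrong but well-formed address still passes:
# compare the listing afterwards.
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# The rule specification (everything after the chain name). Reusing one string
# for -I, -C and -D is what makes the duplicate check and the rollback exact.
ssh_reject_spec() {
  printf '%s' "-p tcp -s $1 --dport 22 -j REJECT --reject-with icmp-port-unreachable"
}

# Insert at position 2, behind the RELATED,ESTABLISHED rule: the session that
# runs this script survives, new SSH connections from $1 are refused.
block_ssh_from() {
  valid_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
  spec=$(ssh_reject_spec "$1")
  # -C exits 0 when an identical rule already exists; do not insert it twice.
  if [ "$IPT" != echo ] && $IPT -C INPUT $spec 2>/dev/null; then
    echo "rule already present" >&2
    return 0
  fi
  $IPT -I INPUT 2 $spec || return 1
  # Dead-man switch: unless $CONFIRM appears within $GRACE seconds, delete the
  # rule again. trap '' HUP keeps the timer alive even if this SSH session drops.
  (
    trap '' HUP
    sleep "$GRACE"
    [ -e "$CONFIRM" ] || $IPT -D INPUT $spec
  ) &
  echo "rule inserted; run: touch $CONFIRM within ${GRACE}s to keep it" >&2
}

# Entry point, e.g. ./block-ssh.sh 192.168.5.129 (no argument: only define the
# functions, so the file can be sourced).
if [ "$#" -gt 0 ]; then
  block_ssh_from "$1"
fi
```

Run it from the SSH session you want to keep, check that the host in iptables -nvL INPUT --line-numbers is the one you meant, then touch the confirmation file; if the listing shows the wrong address, do nothing and the rule disappears after the grace period.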
firewalld
1. Block one IP address (192.168.5.129) from SSH
# Start firewalld; stop the iptables service first, because the two must not manage the ruleset at the same time
[root@server ~]# systemctl stop iptables.service
[root@server ~]# systemctl start firewalld
[root@server ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vend>
Active: active (running) since Mon 2022-08-01 22:23:57 CST; 14s ago
# Add a rich rule to the permanent configuration
[root@server ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.5.129" service name="ssh" reject' --permanent
success
# Reload so the permanent rule becomes active in the runtime configuration
[root@server ~]# firewall-cmd --reload
success
# Client 192.168.5.129 tries to connect and is refused (a rich-rule reject without a type sends ICMP port-unreachable, which the ssh client reports as Connection refused)
[root@client ~]# ssh root@192.168.5.128
ssh: connect to host 192.168.5.128 port 22: Connection refused
# Remove the rich rule
[root@server ~]# firewall-cmd --remove-rich-rule='rule family="ipv4" source address="192.168.5.129" service name="ssh" reject'
success
Note that this removes the rule from the runtime configuration only. The copy added with --permanent above is still there and comes back at the next firewall-cmd --reload or restart; run the same command with --permanent as well (or firewall-cmd --runtime-to-permanent) to remove it for good. firewall-cmd --query-rich-rule='...' and firewall-cmd --permanent --query-rich-rule='...' show which of the two still holds it.
# Client 192.168.5.129 connects again and succeeds
[root@client ~]# ssh root@192.168.5.128
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Mon Aug 1 22:17:26 2022 from 192.168.5.1
[root@server ~]#
2. Configure port forwarding (hosts in 192.168.5.0/24 connecting to port 5423 on the server are redirected to port 80)
[root@server ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.5.0/24" forward-port port="5423" protocol="tcp" to-port="80"'
success
This was added with --permanent only, so it does not take effect until firewall-cmd --reload. The rule has no to-addr, so the forwarding stays on the local host and needs no masquerading.
3. Forward local port 80 to port 8080 on 192.168.5.129
[root@server ~]# firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.168.5.129 --permanent
success
Forwarding to another host needs masquerading enabled on the zone (firewall-cmd --permanent --add-masquerade) so that replies from 192.168.5.129 travel back through this server; firewalld turns on IPv4 forwarding along with it. As in step 2, the forward is permanent-only until firewall-cmd --reload; check the active set with firewall-cmd --list-forward-ports or firewall-cmd --list-all.