ESXi 限制源地址 Ping 或者禁用 Ping？通过配置静态路由变通实现

ESXi 限制源地址 Ping 或者禁用 Ping？通过配置静态路由变通实现

ESXi 防火墙可以限制源地址访问特定服务，比如 SSH、vSphere Client等，但是无法定制 ICMP 规则，默认是允许，也无法禁用。但是可以通过路由的配置进行变通处理。

首先，ESXi vmkernel 端口不要配置默认网关（或者配置后删除），即管理地址默认网关留空，通过添加静态路由的方式变相实现仅允许特定源地址访问。详见配置vmkernel端口静态路由。

官方文档步骤：

1. To add a static route, run the command:

esxcli network ip route ipv4/ipv6 add --gateway IPv4_address_of_router --network IPv4_address

For example, to add a route to 192.168.100.0 network with a /24 bit subnet mask (255.255.255.0) through a router with an IP address of 192.168.0.1, run this command:

esxcli network ip route ipv4 add --gateway 192.168.0.1 --network 192.168.100.0/24

2. To list the route, run the command:

esxcli network ip route ipv4 list

3. To remove a static route, run the command:

esxcli network ip route ipv4 remove -n network_ip/mask -g gateway_ip

For example, to remove a route from 192.168.100.0 network with a /24 bit subnet mask (255.255.255.0) through a router with an IP address of 192.168.0.1, run this command:

esxcli network ip route ipv4 remove -n 192.168.100.0/24 -g 192.168.0.1

4. When finished, check the host’s current routing table with the esxcfg-route -l command. Any static routes display in the output.

实例：

#查看路由
esxcfg-route -l
#添加
esxcli network ip route ipv4 add --gateway 10.10.190.1 --network 10.10.177.0/24
esxcli network ip route ipv4 add --gateway 10.10.190.1 --network 10.10.179.0/24
esxcli network ip route ipv4 add --gateway 10.10.190.1 --network 10.10.180.0/24
esxcli network ip route ipv4 add --gateway 10.10.190.1 --network 10.10.190.0/24
esxcli network ip route ipv4 add --gateway 10.10.190.1 --network 10.10.191.0/24
#删除默认路由
esxcli network ip route ipv4 remove -n 0.0.0.0/0 -g 10.10.190.1
#恢复默认路由
esxcli network ip route ipv4 add --gateway 10.10.190.1 --network 0.0.0.0/0
#查看路由
esxcfg-route -l