
Linux: configuring the firewalld firewall to block access from overseas (non-China) IPs (the server was being attacked by unknown users from the public internet and was isolated by setting up the firewall): only allow IPs inside China to reach your server on the public network

Date: 2024-03-17 14:54:54


Requirement: block access from overseas (non-China) IPs.

The approach is an allow list: download a list of China IP ranges in CIDR form, load it into a firewalld ipset, and accept only sources that are in that set. The download URL was lost when this page was captured; the file used is china_ip_list.txt. The list comes from a third party, so check its contents before loading it into the firewall.

wget /china_ip_list.txt

Check that firewalld is running:

systemctl status firewalld

If it is not, start it and check again:

systemctl start firewalld

systemctl status firewalld

Solution:

Create an ipset of type hash:net (it holds CIDR ranges) in the permanent configuration:

firewall-cmd --permanent --new-ipset=china_ip --type=hash:net

Load the china_ip_list.txt you just downloaded into the ipset:

firewall-cmd --permanent --ipset=china_ip --add-entries-from-file=china_ip_list.txt

Two things to know about the set: created without options, an ipset holds at most 65536 entries (the kernel default for maxelem), so if your list is larger create it with --option=maxelem=<n>; and a hash:net set is IPv4 only, so if the host also has a public IPv6 address nothing below restricts IPv6 clients, and you either keep IPv6 services closed or build a second set with --option=family=inet6 and matching family="ipv6" rules.

Add rules for the services you want to keep reachable (adjust the ports to your own). Each rich rule accepts a port only when the source address is in china_ip; a connection that matches no rule falls through to the public zone's default action, which rejects it:

firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=80 protocol=tcp accept'

firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=8080 protocol=tcp accept'

firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=443 protocol=tcp accept'

firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=8443 protocol=tcp accept'

firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=22 protocol=tcp accept'

Remove the generic ssh service from the zone so that port 22 is reachable only through the rich rule above. Before you reload with this in place, make sure the address you administer from is covered by the list, and keep your current SSH session open until you have confirmed that a new login still works; otherwise you lock yourself out:

firewall-cmd --remove-service=ssh --permanent

firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=7000 protocol=tcp accept'

firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=6000-6020 protocol=tcp accept'

firewall-cmd --reload


Check the firewall status and the rules that are now active:

firewall-cmd --list-all

That completes the setup. After that I also removed the ports I had opened directly on the zone earlier:

firewall-cmd --zone=public --remove-port=80/tcp --permanent

firewall-cmd --zone=public --remove-port=8080/tcp --permanent

firewall-cmd --zone=public --remove-port=6000-6021/tcp --permanent

firewall-cmd --reload
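The steps above, wrapped in a small POSIX shell script as an added example (mine, not code from the original post). It validates the downloaded list before loading it, refuses to proceed unless the address you administer from is covered by the list (so removing the ssh service cannot lock you out), sizes the ipset's maxelem to the list, and prints the firewall-cmd calls; with DRY_RUN=0 it runs them. The sample list and the admin address at the bottom are constructed, and the function names and the ipset option handling are my choices.

```bash
#!/bin/sh
# Added example (not from the original post): load a CIDR list into the
# china_ip ipset only after checking the list and your own admin address.
set -eu

# Dotted-quad IPv4 -> 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 0 if $1 is a well-formed IPv4 CIDR (a.b.c.d/n, no leading zeros, octets <= 255).
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^((0|[1-9][0-9]{0,2})\.){3}(0|[1-9][0-9]{0,2})/(0|[1-9]|[12][0-9]|3[0-2])$' || return 1
    oldifs=$IFS; IFS=./; set -- $1; IFS=$oldifs
    for o in "$1" "$2" "$3" "$4"; do [ "$o" -le 255 ] || return 1; done
}

# 0 if address $1 lies inside CIDR $2.
cidr_contains() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Print the number of valid entries in list $1; fail if any entry is malformed.
check_list() {
    n=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if valid_cidr "$line"; then n=$((n + 1)); else bad=$((bad + 1)); echo "bad entry: $line" >&2; fi
    done < "$1"
    echo "$n"
    [ "$bad" -eq 0 ]
}

# 0 if address $2 is covered by some entry of list $1.
list_covers() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        cidr_contains "$2" "$line" && return 0
    done < "$1"
    return 1
}

# Print a command; run it too unless DRY_RUN=1 (the default).
run() { echo "$1"; [ "${DRY_RUN:-1}" = 1 ] || eval "$1"; }

# apply_rules LIST ADMIN_IP [PORTS]: the firewall-cmd sequence from the page, guarded.
apply_rules() {
    f=$1; admin_ip=$2; ports=${3:-"22 80 443"}
    valid_cidr "$admin_ip/32" || { echo "refusing: '$admin_ip' is not an IPv4 address" >&2; return 1; }
    n=$(check_list "$f") || return 1
    list_covers "$f" "$admin_ip" || { echo "refusing: $admin_ip is not covered by $f; the SSH rule would lock you out" >&2; return 1; }
    maxelem=65536; [ "$n" -ge 65536 ] && maxelem=$(( n * 2 ))   # kernel default is 65536 entries
    run "firewall-cmd --permanent --new-ipset=china_ip --type=hash:net --option=maxelem=$maxelem"
    run "firewall-cmd --permanent --ipset=china_ip --add-entries-from-file=$f"
    for p in $ports; do
        run "firewall-cmd --permanent --add-rich-rule 'rule family=\"ipv4\" source ipset=\"china_ip\" port port=$p protocol=tcp accept'"
    done
    run "firewall-cmd --permanent --remove-service=ssh"
    run "firewall-cmd --reload"
}

# Constructed sample list standing in for china_ip_list.txt (made-up ranges, not the real list).
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
printf '%s\n' '1.0.1.0/24' '36.0.0.0/8' '118.212.0.0/16' > "$SAMPLE"

# Dry run: prints the seven firewall-cmd calls for an admin connecting from 36.1.2.3.
apply_rules "$SAMPLE" 36.1.2.3
# Real use: DRY_RUN=0 apply_rules china_ip_list.txt <your-admin-ip> "22 80 443 8080 8443 7000 6000-6020"
```

Run it once with the default DRY_RUN=1 and read the printed commands; only then rerun with DRY_RUN=0 from a session you keep open until a fresh SSH login has succeeded. Port ranges such as 6000-6020 can be passed in the PORTS argument exactly as the page writes them in the rich rule.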

PS: (screenshot of some of the unknown users' IPs)

After the configuration, only IPs in China can get through.

Access from outside: (screenshot)

When the firewall was turned off, the outside traffic came in again, which showed that blocking outside IPs had worked.

A new problem came up: after the firewall was stopped, it would not start again.....

Fix: first kill the firewalld process whose start had failed, then start it again:

pkill -f firewalld

firewall-cmd --state

systemctl start firewalld

firewall-cmd --state

Loading an ipset with thousands of entries at startup is slow; if it exceeds systemd's start timeout the unit fails with "firewalld.service: Start operation timed out. Terminating" (the error the second reference below is about) and leaves a half-started process behind, which is what the pkill clears. Raising TimeoutStartSec for firewalld.service in a systemd drop-in is the usual way to stop it recurring. Note that pkill -f matches against the whole command line of every process, so check what would be hit with pgrep -af firewalld first.

With thanks to:

Hands-on use of the firewalld firewall on Linux systems (blocking access from overseas IPs) /hd0Sq

firewalld.service: Start operation timed out. Terminating /oGl8Q

Extra:

After the block went in, a batch of domestic IPs started making malicious connections (frp server log; the year was lost from the timestamps when this page was captured):

/12/23 10:38:43 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [43.153.67.124:38036]
/12/23 10:39:08 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [118.212.146.42:49164]
/12/23 10:39:42 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [118.212.146.42:56496]
/12/23 10:40:14 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [118.212.146.42:35596]
/12/23 10:40:30 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [43.153.67.124:39092]
/12/23 10:40:54 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [118.212.146.42:42928]
/12/23 10:41:29 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [118.212.146.42:50260]
/12/23 10:42:01 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [118.212.146.42:57592]
/12/23 10:42:12 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [43.153.67.124:60158]
/12/23 10:42:36 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [118.212.146.42:36692]
/12/23 11:14:57 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [124.160.90.29:9225]
/12/23 11:15:18 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [124.160.90.29:17673]
/12/23 11:15:37 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [124.160.90.29:2]
/12/23 11:15:56 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [124.160.90.29:2162]

Filtering by country reduces the exposure but does not remove it: sources inside the allowed ranges still need per-address blocking or rate limiting.
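The lines above are the frp server's "get a user connection" records, one per inbound connection to the proxied port. As an added example (mine, not code from the original post or from frp), the script below turns such a log into a block list: offenders counts connections per source address and reports those at or above a threshold with first and last seen, and block_cmds emits the firewall-cmd calls that put them into a bad_ip ipset with a drop rich rule. The embedded log is constructed in the shape of the page's lines (timestamps and counts are made up); the ipset name, the threshold and the function names are my choices.

```bash
#!/bin/sh
# Added example (not from the original post or from frp): mine repeat offenders
# out of frps "get a user connection" lines and turn them into a firewalld drop list.
set -eu

# Constructed sample in the shape of the page's log (addresses, times and counts made up).
SAMPLE_LOG=$(mktemp); trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2023/12/23 10:38:43 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [43.153.67.124:38036]
2023/12/23 10:39:08 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [118.212.146.42:49164]
2023/12/23 10:39:42 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [118.212.146.42:56496]
2023/12/23 10:40:14 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [118.212.146.42:35596]
2023/12/23 10:40:30 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [43.153.67.124:39092]
2023/12/23 10:40:54 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [118.212.146.42:42928]
2023/12/23 10:41:29 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [118.212.146.42:50260]
2023/12/23 10:42:01 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [118.212.146.42:57592]
2023/12/23 10:42:12 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [43.153.67.124:60158]
2023/12/23 10:42:36 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [118.212.146.42:36692]
2023/12/23 10:50:00 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [1.2.3.4:5000]
2023/12/23 10:50:30 [W] [proxy.go:200] [1301b7b684f870c3] [3090] some other message
2023/12/23 11:14:57 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [124.160.90.29:9225]
2023/12/23 11:15:18 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [124.160.90.29:17673]
2023/12/23 11:15:37 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [124.160.90.29:2]
2023/12/23 11:15:56 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [124.160.90.29:2162]
EOF

# offenders LOG MIN: "count first_seen last_seen ip" for every source with at
# least MIN connections, busiest first. Only "get a user connection" lines count.
offenders() {
    awk -v min="$2" '
        /get a user connection \[/ {
            src = $NF                      # e.g. [118.212.146.42:49164]
            gsub(/\[|\]/, "", src)         # strip the brackets
            sub(/:[0-9]+$/, "", src)       # drop the ephemeral source port
            n[src]++
            if (!(src in first)) first[src] = $1 " " $2
            last[src] = $1 " " $2
        }
        END { for (ip in n) if (n[ip] >= min) printf "%d %s %s %s\n", n[ip], first[ip], last[ip], ip }
    ' "$1" | sort -rn
}

# block_cmds LOG MIN: firewall-cmd calls that drop those sources. firewalld evaluates
# drop/reject rich rules before accept rich rules, so this overrides the china_ip accepts.
block_cmds() {
    echo "firewall-cmd --permanent --new-ipset=bad_ip --type=hash:ip"
    offenders "$1" "$2" | while read -r cnt d1 t1 d2 t2 ip; do
        echo "firewall-cmd --permanent --ipset=bad_ip --add-entry=$ip"
    done
    echo "firewall-cmd --permanent --add-rich-rule 'rule family=\"ipv4\" source ipset=\"bad_ip\" drop'"
    echo "firewall-cmd --reload"
}

# Report sources with 3 or more connections, then print (not run) the block commands.
offenders "$SAMPLE_LOG" 3
block_cmds "$SAMPLE_LOG" 3
```

On a real server pick the threshold from normal traffic, and narrow the input to a time window first (for example grep the log for one day) so that a legitimate long-running client is not counted over weeks; pipe the output of block_cmds to sh only after reading it.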
