
Hands-on application of the firewalld firewall on Linux (blocking access from overseas IP addresses)

Date: 2020-05-19 17:35:23


Table of contents

1. Introduction
2. ipset basics
2.1 Creating, deleting and listing ipsets
2.2 Changing the IP addresses in an ipset
2.3 Other ipset queries
3. Hands-on application
3.1 Download the domestic IP ranges
3.2 Create the IP set
3.3 Add the rules
3.4 Be patient
4. Testing and verification

1. Introduction

This article goes straight into the hands-on application: using the firewalld firewall on Linux to block access from overseas (foreign) IP addresses.

For the basics, see: Basic operation of the firewalld firewall on Linux

For advanced topics, see: Advanced operation of the firewalld firewall on Linux (log retention, IP ranges, the ssh service)

For hands-on applications, see: Hands-on application of the firewalld firewall on Linux (opening ports externally, restricting internal ports to specific IP addresses, closing unused ports by default)

For hands-on applications, see: Hands-on application of the firewalld firewall on Linux (blocking access from overseas IP addresses)

2. ipset basics

An ipset is a set of IP addresses. With an ipset, firewalld can handle many addresses in a single rule, which both performs better and is easier to manage than one rule per address. firewalld stores its ipsets as XML files under /etc/firewalld/ipsets/.

2.1 Creating, deleting and listing ipsets

# Create a new IP set; --type=hash:ip selects the hash:ip type, which stores
# single addresses and does not allow duplicates
firewall-cmd --permanent --new-ipset=china_ip --type=hash:ip
# Delete an IP set
firewall-cmd --permanent --delete-ipset=china_ip
# List all IP sets
firewall-cmd --permanent --get-ipsets

2.2 Changing the IP addresses in an ipset

# Add an IP to the ipset
firewall-cmd --permanent --ipset=china_ip --add-entry=121.122.123.105
# Add IPs to the ipset from a file (one entry per line)
firewall-cmd --permanent --ipset=china_ip --add-entries-from-file=china_ip_list.txt
# Remove an IP from the ipset
firewall-cmd --permanent --ipset=china_ip --remove-entry=121.122.123.105
# Check whether an IP is in the ipset
firewall-cmd --permanent --ipset=china_ip --query-entry=121.122.123.105
# --permanent changes only become live after a reload
firewall-cmd --reload

2.3 Other ipset queries

# View the XML file behind the ipset
more /etc/firewalld/ipsets/china_ip.xml
# Print the path of the ipset
firewall-cmd --path-ipset=china_ip --permanent
# Print the ipset's settings
firewall-cmd --info-ipset=china_ip --permanent
# Print all entries of the ipset
firewall-cmd --ipset=china_ip --get-entries --permanent

3. Hands-on application

There are two ways to block access from overseas IP addresses:

1. Allow all IPs and block the foreign ones (a blocklist).
2. Block all IPs and allow the domestic ones (an allowlist).

Blocking everything and allowing only domestic IPs is the easier of the two, simply because a complete list of domestic IP ranges is easier to collect than a complete list of foreign ones. It is also the safer design: a blocklist fails open whenever its list is incomplete or stale, while an allowlist fails closed. Keep its limits in mind, though. It matches only on the packet's source address, so anyone who rents a host, proxy or VPN exit inside the allowed ranges is not stopped. And whatever ends up in the set is granted access, so fetch the list from a source you trust, over HTTPS, and inspect it before loading it.

3.1 Download the domestic IP ranges

The list is a plain-text file with one CIDR range per line (the host name of the source used below did not survive on this page):

[root@iZ2ze30dygwd6yh7gu6lskZ home]# wget /china_ip_list.txt
---08-15 11:46:01--  /china_ip_list.txt
Resolving ()... 45.136.15.104
Connecting to ()|45.136.15.104|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 95267 (93K) [text/plain]
Saving to: ‘china_ip_list.txt’

china_ip_list.txt   100%[===================>]  93.03K   419KB/s   in 0.2s

-08-15 11:46:02 (419 KB/s) - ‘china_ip_list.txt’ saved [95267/95267]

3.2 Create the IP set

# hash:net rather than the hash:ip used in section 2: the downloaded list
# holds CIDR network ranges, and hash:ip would have to expand each range
# into single addresses
firewall-cmd --permanent --new-ipset=china_ip --type=hash:net
firewall-cmd --permanent --ipset=china_ip --add-entries-from-file=china_ip_list.txt

3.3 Add the rules

One rich rule per port: only sources in china_ip may reach TCP 80, 8080, 443 and 8443. These rules only add accepts. For the design to block anything, the zone's target has to drop or reject everything the rules do not accept, and the same ports must not also be opened zone-wide (for example through an http or https service entry), otherwise the allowlist has no effect.

firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=80 protocol=tcp accept'
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=8080 protocol=tcp accept'
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=443 protocol=tcp accept'
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source ipset="china_ip" port port=8443 protocol=tcp accept'
firewall-cmd --reload
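Steps 3.2 and 3.3 as one script, added here as an example; it is not code from the original article. It emits (or, with DRY_RUN=0, runs) the complete firewall-cmd sequence for the allowlist design: recreate the hash:net set from the list file, set the zone target to DROP so anything not explicitly accepted is dropped, remove the zone-wide http/https/ssh service entries that would otherwise admit those ports from anywhere, keep SSH reachable from one admin network, and add one rich rule per port. The ipset name china_ip and the zone public come from the article; the admin network 198.51.100.0/24 (an RFC 5737 documentation range) and the two-line sample list are constructed assumptions. Check the admin network before running with DRY_RUN=0: a wrong value there locks you out at the reload.

```sh
#!/bin/sh
# Added example, not code from the original article: build the complete
# firewall-cmd sequence for "drop everything, accept china_ip on these
# ports". DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 runs them.
# Assumed/constructed: admin network 198.51.100.0/24 (RFC 5737) and the
# two-line sample list written below in place of china_ip_list.txt.

: "${DRY_RUN:=1}"

fw() {
    # Run firewall-cmd, or in dry-run mode print it with each argument
    # single-quoted so a rich rule survives copy-and-paste as one argument.
    if [ "$DRY_RUN" = 1 ]; then
        printf 'firewall-cmd'
        for _a in "$@"; do printf " '%s'" "$_a"; done
        printf '\n'
    else
        firewall-cmd "$@"
    fi
}

build_allowlist() {
    # $1 ipset name, $2 CIDR list file, $3 zone, $4 admin network (CIDR),
    # $5.. TCP ports to open for the ipset. Returns 1 on bad input before
    # touching anything.
    [ $# -ge 5 ] || { echo "usage: build_allowlist SET LIST ZONE ADMIN_CIDR PORT..." >&2; return 1; }
    set_name=$1; list=$2; zone=$3; admin=$4; shift 4
    [ -r "$list" ] || { echo "list file $list not readable" >&2; return 1; }
    for p in "$@"; do
        case $p in
            [1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
            *) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done

    # 1. Recreate the set so re-running the script is idempotent. hash:net,
    #    because the list holds CIDR ranges. The delete is best-effort:
    #    firewall-cmd errors when the set does not exist yet.
    fw --permanent --delete-ipset="$set_name" 2>/dev/null || true
    fw --permanent --new-ipset="$set_name" --type=hash:net
    fw --permanent --ipset="$set_name" --add-entries-from-file="$list"

    # 2. Fail closed: the zone drops whatever no explicit rule accepts.
    fw --permanent --zone="$zone" --set-target=DROP

    # 3. Zone-wide service entries accept these ports from any source and
    #    would make the ipset rules meaningless, so remove them. firewall-cmd
    #    only warns (exit 0) when a service was not enabled.
    for svc in http https ssh; do
        fw --permanent --zone="$zone" --remove-service="$svc"
    done

    # 4. Management path: SSH only from the admin network. All of this is
    #    permanent config, so it becomes live together at the reload below.
    fw --permanent --zone="$zone" --add-rich-rule \
        "rule family=\"ipv4\" source address=\"$admin\" service name=\"ssh\" accept"

    # 5. One rule per port, accepted only for sources in the set.
    for p in "$@"; do
        fw --permanent --zone="$zone" --add-rich-rule \
            "rule family=\"ipv4\" source ipset=\"$set_name\" port port=\"$p\" protocol=\"tcp\" accept"
    done
    fw --reload
}

# Constructed two-entry list (RFC 5737 ranges) standing in for china_ip_list.txt.
LIST=$(mktemp); trap 'rm -f "$LIST"' EXIT
printf '192.0.2.0/24\n203.0.113.0/24\n' > "$LIST"
build_allowlist china_ip "$LIST" public 198.51.100.0/24 80 8080 443 8443
```

Because every change goes to the permanent configuration and only the final --reload makes them live, there is no window in which SSH is closed everywhere; the only way to lock yourself out is an admin network that does not contain the address you are connecting from.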

3.4 Be patient

When firewalld loads a large number of IPs it stalls for a while; be patient. The client side can report a D-Bus timeout like the one below while the daemon is still busy:

ERROR:dbus.proxies:Introspect error on :1.32902:/org/fedoraproject/FirewallD1/config: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

If you run into an error instead, try upgrading firewalld. The nft error below occurred on firewalld 0.7.0 on CentOS 8; the transcript that follows upgrades it to 0.9.3:

[root@iZ2ze30dygwd6yh7gu6lskZ home]# firewall-cmd --reload
Error: COMMAND_FAILED: '/usr/sbin/nft insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public' failed: Error: Could not process rule: No such file or directory
insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[root@iZ2ze30dygwd6yh7gu6lskZ home]# systemctl stop firewalld
[root@iZ2ze30dygwd6yh7gu6lskZ home]# yum install firewalls
CentOS-8 - AppStream                                   764 kB/s | 4.3 kB     00:00
CentOS-8 - Base                                        148 kB/s | 3.9 kB     00:00
CentOS-8 - Extras                                       55 kB/s | 1.5 kB     00:00
Extra Packages for Enterprise Linux 8 - x86_64         135 kB/s | 4.7 kB     00:00
No match for argument: firewalls
Error: Unable to find a match: firewalls
[root@iZ2ze30dygwd6yh7gu6lskZ home]# yum install firewalld
Last metadata expiration check: 0:00:04 ago on Wed 17 Aug 12:23:38 AM CST.
Package firewalld-0.7.0-5.el8.noarch is already installed.
Dependencies resolved.
=======================================================================
 Package               Architecture  Version           Repository  Size
=======================================================================
Upgrading:
 firewalld             noarch        0.9.3-7.el8       BaseOS     502 k
 firewalld-filesystem  noarch        0.9.3-7.el8       BaseOS      77 k
 libnftnl              x86_64        1.1.5-4.el8       BaseOS      83 k
 nftables              x86_64        1:0.9.3-21.el8    BaseOS     321 k
 python3-firewall      noarch        0.9.3-7.el8       BaseOS     432 k
Installing dependencies:
 python3-nftables      x86_64        1:0.9.3-21.el8    BaseOS      29 k

Transaction Summary
=======================================================================
Install  1 Package
Upgrade  5 Packages

Total download size: 1.4 M
Is this ok [y/N]: y
Downloading Packages:
(1/6): python3-nftables-0.9.3-21.el8.x86_64.rpm       334 kB/s |  29 kB  00:00
(2/6): firewalld-filesystem-0.9.3-7.el8.noarch.rpm    853 kB/s |  77 kB  00:00
(3/6): firewalld-0.9.3-7.el8.noarch.rpm               4.5 MB/s | 502 kB  00:00
(4/6): libnftnl-1.1.5-4.el8.x86_64.rpm                1.2 MB/s |  83 kB  00:00
(5/6): python3-firewall-0.9.3-7.el8.noarch.rpm        5.1 MB/s | 432 kB  00:00
(6/6): nftables-0.9.3-21.el8.x86_64.rpm               2.7 MB/s | 321 kB  00:00
-----------------------------------------------------------------------
Total                                                 6.8 MB/s | 1.4 MB  00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                   1/1
  Running scriptlet: libnftnl-1.1.5-4.el8.x86_64                       1/1
  Upgrading        : libnftnl-1.1.5-4.el8.x86_64                      1/11
  Running scriptlet: libnftnl-1.1.5-4.el8.x86_64                      1/11
  Upgrading        : nftables-1:0.9.3-21.el8.x86_64                   2/11
  Running scriptlet: nftables-1:0.9.3-21.el8.x86_64                   2/11
  Installing       : python3-nftables-1:0.9.3-21.el8.x86_64           3/11
  Upgrading        : python3-firewall-0.9.3-7.el8.noarch              4/11
  Upgrading        : firewalld-filesystem-0.9.3-7.el8.noarch          5/11
  Upgrading        : firewalld-0.9.3-7.el8.noarch                     6/11
warning: /etc/firewalld/firewalld.conf created as /etc/firewalld/firewalld.conf.rpmnew
  Running scriptlet: firewalld-0.9.3-7.el8.noarch                     6/11
  Running scriptlet: firewalld-0.7.0-5.el8.noarch                     7/11
  Cleanup          : firewalld-0.7.0-5.el8.noarch                     7/11
  Running scriptlet: firewalld-0.7.0-5.el8.noarch                     7/11
  Cleanup          : firewalld-filesystem-0.7.0-5.el8.noarch          8/11
  Cleanup          : python3-firewall-0.7.0-5.el8.noarch              9/11
  Running scriptlet: nftables-1:0.9.0-14.el8.x86_64                  10/11
  Cleanup          : nftables-1:0.9.0-14.el8.x86_64                  10/11
  Running scriptlet: nftables-1:0.9.0-14.el8.x86_64                  10/11
  Cleanup          : libnftnl-1.1.1-4.el8.x86_64                     11/11
  Running scriptlet: libnftnl-1.1.1-4.el8.x86_64                     11/11
  Verifying        : python3-nftables-1:0.9.3-21.el8.x86_64           1/11
  Verifying        : firewalld-0.9.3-7.el8.noarch                     2/11
  Verifying        : firewalld-0.7.0-5.el8.noarch                     3/11
  Verifying        : firewalld-filesystem-0.9.3-7.el8.noarch          4/11
  Verifying        : firewalld-filesystem-0.7.0-5.el8.noarch          5/11
  Verifying        : libnftnl-1.1.5-4.el8.x86_64                      6/11
  Verifying        : libnftnl-1.1.1-4.el8.x86_64                      7/11
  Verifying        : nftables-1:0.9.3-21.el8.x86_64                   8/11
  Verifying        : nftables-1:0.9.0-14.el8.x86_64                   9/11
  Verifying        : python3-firewall-0.9.3-7.el8.noarch             10/11
  Verifying        : python3-firewall-0.7.0-5.el8.noarch             11/11

Upgraded:
  firewalld-0.9.3-7.el8.noarch            firewalld-filesystem-0.9.3-7.el8.noarch
  libnftnl-1.1.5-4.el8.x86_64             nftables-1:0.9.3-21.el8.x86_64
  python3-firewall-0.9.3-7.el8.noarch
Installed:
  python3-nftables-1:0.9.3-21.el8.x86_64

Complete!

Two things the transcript leaves for you: firewalld was stopped with systemctl stop firewalld before the upgrade and is not shown being started again, so start it and re-run the reload afterwards, and the upgrade saved its new default configuration as /etc/firewalld/firewalld.conf.rpmnew next to the existing file instead of replacing it, so compare the two before relying on the new version's defaults.

4. Testing and verification

Test from a host whose address is outside the allowlist (a VPS abroad) and from one inside it. From outside, a connection to port 80 or 443 should hang until it times out when the zone target is DROP, or be refused immediately with REJECT; from inside it should succeed as before. Before involving a remote host, check on the server itself that the set actually loaded (list its entries with the --get-entries query from section 2.3 and compare the count with the line count of china_ip_list.txt) and that the four rich rules appear among the zone's active rules. An empty set with the rules in place blocks everyone, domestic clients included.
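Two offline checks that the steps above assume but do not show, added here as an example (not the article's own code): validating china_ip_list.txt before it goes into --add-entries-from-file in 3.2, and answering the question of this section, whether a given source address would match the set, without needing a host abroad. The sample lists are constructed from RFC 5737 documentation ranges plus 10.0.0.0/8 and are not real geolocation data; the file names are temporary. POSIX sh with 64-bit shell arithmetic is assumed.

```sh
#!/bin/sh
# Added example, not code from the original article: validate a CIDR list
# before loading it into a firewalld ipset, and test whether an address
# would be matched by that list. Pure POSIX sh plus coreutils.

ip2int() {
    # $1: dotted-quad IPv4. Prints the address as a 32-bit integer; returns 1
    # if malformed (non-digits, empty octets, leading zeros, octet > 255).
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

valid_cidr() {
    # $1: candidate "a.b.c.d/n". Returns 0 if well-formed with n in 0..32.
    case $1 in */*) ;; *) return 1 ;; esac
    case ${1#*/} in 0|[1-9]|[12][0-9]|3[0-2]) ;; *) return 1 ;; esac
    ip2int "${1%/*}" > /dev/null
}

in_cidr() {
    # $1: IPv4 address, $2: network as a.b.c.d/n. Returns 0 if $1 lies
    # inside $2, 1 if not, 2 if either argument is malformed.
    _ipn=$(ip2int "$1") || return 2
    valid_cidr "$2" || return 2
    _netn=$(ip2int "${2%/*}")
    _bits=${2#*/}
    # Network mask with the host bits cleared; for /0 the shift pushes every
    # set bit past bit 31, so the mask becomes 0 (64-bit arithmetic assumed).
    _mask=$(( (0xFFFFFFFF << (32 - $_bits)) & 0xFFFFFFFF ))
    [ $(( $_ipn & $_mask )) -eq $(( $_netn & $_mask )) ]
}

check_list() {
    # $1: list file. Ignores blank lines and '#' comments, strips CR/space.
    # Prints "<valid> <malformed> <duplicate>" and returns 1 unless the last
    # two are zero: one bad line makes --add-entries-from-file fail.
    _good=0; _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=$(printf '%s' "${_line%%#*}" | tr -d ' \t\r')
        [ -n "$_line" ] || continue
        if valid_cidr "$_line"; then
            _good=$((_good + 1))
        else
            echo "malformed entry: $_line" >&2
            _bad=$((_bad + 1))
        fi
    done < "$1"
    _dups=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | grep -v '^$' | sort | uniq -d | wc -l | tr -d ' ')
    echo "$_good $_bad $_dups"
    [ "$_bad" -eq 0 ] && [ "$_dups" -eq 0 ]
}

ip_in_list() {
    # $1: IPv4 address, $2: list file. Returns 0 if some entry contains $1,
    # i.e. a packet from that source would match the set and be accepted.
    while IFS= read -r _c || [ -n "$_c" ]; do
        _c=$(printf '%s' "${_c%%#*}" | tr -d ' \t\r')
        [ -n "$_c" ] || continue
        in_cidr "$1" "$_c" && return 0
    done < "$2"
    return 1
}

# Constructed sample lists standing in for china_ip_list.txt (RFC 5737
# documentation ranges plus 10.0.0.0/8); not real geolocation data.
GOOD_LIST=$(mktemp); BAD_LIST=$(mktemp)
trap 'rm -f "$GOOD_LIST" "$BAD_LIST"' EXIT
cat > "$GOOD_LIST" <<'EOF'
# sample allowlist
192.0.2.0/24
198.51.100.0/25
203.0.113.0/24
10.0.0.0/8
EOF
cat > "$BAD_LIST" <<'EOF'
192.0.2.0/24
192.0.2.0/24
256.0.0.0/8
10.0.0.0/33
EOF

check_list "$GOOD_LIST" || echo "good list rejected?!"
check_list "$BAD_LIST" || echo "bad list rejected: fix it before loading"
for ip in 10.9.8.7 203.0.113.1 198.51.100.200 172.16.0.1; do
    if ip_in_list "$ip" "$GOOD_LIST"; then echo "$ip: in set, accepted"
    else echo "$ip: not in set, dropped"; fi
done
```

Run check_list against the real download before section 3.2; with a list of several thousand lines it takes a few seconds because of the per-line subshell, which is still far cheaper than a failed firewalld reload. ip_in_list is the offline stand-in for "find a foreign IP and test": feed it the address you plan to test from and the file you loaded, and the answer tells you what the firewall will do before you touch a remote host.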
