This post was last edited by KDE on 2023-3-17 20:25
/etc/hosts.deny: tcp_wrappers has been removed since RHEL 8 and no longer works; the deb-based distros will drop it too.
Better to use the newer nftables firewall for an inbound allowlist instead.
# nftables
nft flush ruleset
# 1
nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
nft add rule inet filter input iif "lo" accept
nft add rule inet filter input ct state { established, related } accept
#nft add rule inet filter input ct state invalid drop
nft add rule inet filter input icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-redirect, nd-router-advert, nd-router-solicit } accept
nft add rule inet filter input icmp type echo-request limit rate 1/second accept
nft add rule inet filter input icmpv6 type echo-request limit rate 1/second accept
nft add rule inet filter input iif "eth0" tcp dport 22 ip saddr 10.1.1.0/24 accept
nft add rule inet filter input iif "eth0" tcp dport 22 ip6 saddr 240e:350::/29 accept
nft add rule inet filter input iif "eth0" tcp dport { 80, 443 } accept
nft add rule inet filter input iif "eth0" udp dport { 53, 68, 546 } accept
Port notes:
68 dhcp
546 dhcpv6 (if blocked, the host cannot obtain an IPv6 address)
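The same allowlist as a persistent nft ruleset file (load with nft -f), with the SSH sources moved into named sets and a counter plus rate-limited log on whatever falls through to the drop policy. This is an added example, not the commands from the post; the interface eth0 and the two SSH source prefixes are taken from the post, the set names and log prefix are my own assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: persistent form of the inbound allowlist above.
# Assumed: uplink is eth0, SSH sources 10.1.1.0/24 and 240e:350::/29 as in the post.
flush ruleset

table inet filter {
    # Named sets: add or remove an SSH source without touching the rules
    set ssh_allow_v4 {
        type ipv4_addr
        flags interval
        elements = { 10.1.1.0/24 }
    }
    set ssh_allow_v6 {
        type ipv6_addr
        flags interval
        elements = { 240e:350::/29 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state { established, related } accept
        # Packets that belong to no known connection (stray ACK/RST, bad TCP flags)
        ct state invalid counter drop

        # IPv6 Neighbor Discovery must stay open or the host loses its
        # addresses and default route
        icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-redirect,
                      nd-router-advert, nd-router-solicit } accept
        icmp type echo-request limit rate 1/second accept
        icmpv6 type echo-request limit rate 1/second accept

        iif "eth0" tcp dport 22 ip saddr @ssh_allow_v4 accept
        iif "eth0" tcp dport 22 ip6 saddr @ssh_allow_v6 accept
        iif "eth0" tcp dport { 80, 443 } accept
        # 68 = DHCPv4 client, 546 = DHCPv6 client (needed to get an IPv6 lease)
        iif "eth0" udp dport { 53, 68, 546 } accept

        # Count everything that reaches the drop policy and log a sample of it,
        # so blocked SSH attempts from outside the sets show up in the kernel log
        counter
        limit rate 5/minute log prefix "nft-input-drop: "
    }
}
```

Check the result with nft list ruleset and watch nft list chain inet filter input for the drop counter rising while testing from a host outside the sets.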
Addendum:
Even this gets keyword-filtered. What exactly are they afraid of?