linux 配置防火墙 firewalld 屏蔽海外国外IP访问(服务器受到外网未知用户攻击，通过设置防火墙隔绝） 仅允许中国国内ip访问自己在公网上的服务器

需求：屏蔽海外国外IP访问
wget https://www.isres.com/china_ip_list.txt

确定防火墙状态开启

systemctl status firewalld

防火墙开启命令

systemctl start firewalld

确定防火墙状态开启

systemctl status firewalld
解决途径：
firewall-cmd --permanent --new-ipset=china_ip --type=hash:net

将刚刚下载china_ip_list.txt生成ipset

firewall-cmd --permanent --ipset=china_ip --add-entries-from-file=china_ip_list.txt

添加需要保留的规则（可选部分）
firewall-cmd --permanent --add-rich-rule ‘rule family=“ipv4” source ipset=“china_ip” port port=80 protocol=tcp accept’
firewall-cmd --permanent --add-rich-rule ‘rule family=“ipv4” source ipset=“china_ip” port port=8080 protocol=tcp accept’
firewall-cmd --permanent --add-rich-rule ‘rule family=“ipv4” source ipset=“china_ip” port port=443 protocol=tcp accept’
firewall-cmd --permanent --add-rich-rule ‘rule family=“ipv4” source ipset=“china_ip” port port=8443 protocol=tcp accept’
firewall-cmd --permanent --add-rich-rule ‘rule family=“ipv4” source ipset=“china_ip” port port=22 protocol=tcp accept’
firewall-cmd --remove-service=ssh --permanent
firewall-cmd --permanent --add-rich-rule ‘rule family=“ipv4” source ipset=“china_ip” port port=7000 protocol=tcp accept’
firewall-cmd --permanent --add-rich-rule ‘rule family=“ipv4” source ipset=“china_ip” port port=6000-6020 protocol=tcp accept’
firewall-cmd --reload
在这里插入图片描述

查看防火墙状态及过滤规则
firewall-cmd --list-all

到这就完成了，之后是我把自己的ports端口开放的关掉：
firewall-cmd --zone=public --remove-port=80/tcp --permanent
firewall-cmd --zone=public --remove-port=8080/tcp --permanent
firewall-cmd --zone=public --remove-port=6000-6021/tcp --permanent
firewall-cmd --reload

ps：下图是一些未知用户ip

设置完后就只有中国ip访问得了了

外网访问：

当关闭防火墙: 外网流量又进来了，证明设置隔绝外围IP访问成功

出现了新问题：防火墙关了重启不了。。。。。

解决办法：先终止启动失败的防火墙程序
pkill -f firewalld
firewall-cmd --state
systemctl start firewalld
firewall-cmd --state

感谢：
linux系统firewalld防火墙的应用实操（禁止屏蔽海外国外IP访问）Http://t.csdn.cn/hd0Sq
firewalld.service: Start operation timed out. Terminating http://t.csdn.cn/oGl8Q

番外：
屏蔽完后出现了一批国内ip恶意访问

2022/12/23 10:38:43 [I] [proxy.Go:162] [1301b7b684f870c3] [3090] get a user connection [43.153.67.124:38036]
2022/12/23 10:39:08 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [118.212.146.42:49164]
2022/12/23 10:39:42 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [118.212.146.42:56496]
2022/12/23 10:40:14 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [118.212.146.42:35596]
2022/12/23 10:40:30 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [43.153.67.124:39092]
2022/12/23 10:40:54 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [118.212.146.42:42928]
2022/12/23 10:41:29 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [118.212.146.42:50260]
2022/12/23 10:42:01 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [118.212.146.42:57592]
2022/12/23 10:42:12 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [43.153.67.124:60158]
2022/12/23 10:42:36 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [118.212.146.42:36692]
2022/12/23 11:14:57 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [124.160.90.29:9225]
2022/12/23 11:15:18 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [124.160.90.29:17673]
2022/12/23 11:15:37 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [124.160.90.29:20182]
2022/12/23 11:15:56 [I] [proxy.go:162] [1301b7b684f870c3] [3090] get a user connection [124.160.90.29:2162]

来源地址：https://blog.csdn.net/weixin_45673197/article/details/128414283