ufw firewall configuration on Ubuntu (part 2)
7) Open a port for a specific host or subnet
Suppose you want to allow the host with IP address 192.168.1.10 to connect over SSH (default port 22). Use the following command:
ufw allow from 192.168.1.10 to any port 22 proto tcp
# whole subnet
sudo ufw allow from 192.168.1.0/24 to any port 22
# other ports
sudo ufw allow from 192.168.1.0/24 to any port 80
# example
root@meng:~# ufw allow from 192.168.1.17 to any port 22 proto tcp
Rule added
root@meng:~# ufw status
Status: active
To Action From
22/tcp ALLOW 192.168.1.17
root@meng:~# ufw allow from 192.168.10.17 to any port 22 proto tcp
Rule added
root@meng:~# ufw status
Status: active
To Action From
22/tcp ALLOW 192.168.1.17
22/tcp ALLOW 192.168.10.17
8) Set the default policies: to keep the host secure, set the default policy to deny all incoming traffic and allow all outgoing traffic.
sudo ufw default deny incoming
sudo ufw default allow outgoing
root@meng:~# ufw default deny incoming
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
root@meng:~# ufw default allow outgoing
Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)
9) Delete rules
Show the rule numbers
sudo ufw status numbered
root@meng:~# ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN 192.168.1.17
[ 2] 22/tcp ALLOW IN 192.168.10.17
[ 3] 22/tcp ALLOW IN 192.168.204.179
[ 4] 22/tcp ALLOW IN 192.168.10.1
root@meng:~# ufw delete 1
Deleting:
allow from 192.168.1.17 to any port 22 proto tcp
Proceed with operation (y|n)? y
Rule deleted
root@meng:~# ufw status
Status: active
To Action From
22/tcp ALLOW 192.168.10.17
22/tcp ALLOW 192.168.204.179
22/tcp ALLOW 192.168.10.1
root@meng:~# ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN 192.168.10.17
[ 2] 22/tcp ALLOW IN 192.168.204.179
[ 3] 22/tcp ALLOW IN 192.168.10.1
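Note what happened above: after `ufw delete 1`, the remaining rules were renumbered, so old rule 2 became rule 1. If several rules for the same source have to be removed, deleting by number in ascending order would hit the wrong rules. The following helper, added here as an example and not part of the original post, parses the output of `ufw status numbered` (a constructed sample is embedded so it runs offline), finds every rule whose From column matches a given address, and prints the delete commands highest-first so the numbering stays valid. Function names and the sample status text are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): find ufw rule numbers whose
# From column matches a given IP/subnet in `ufw status numbered` output and
# emit them highest-first, so deleting them one by one is not affected by
# the renumbering that follows each `ufw delete N`.

# Constructed sample output, mirroring the format of `ufw status numbered`.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    192.168.1.17
[ 2] 22/tcp                     ALLOW IN    192.168.10.17
[ 3] 22/tcp                     ALLOW IN    192.168.204.179
[ 4] 22/tcp                     ALLOW IN    192.168.10.1
[ 5] 80/tcp                     ALLOW IN    192.168.10.17'

# rule_numbers_from STATUS_TEXT FROM
# Prints the rule numbers (one per line, descending) whose From column equals
# FROM. Only rules whose From column is a single token (an IP or CIDR) match;
# "Anywhere (v6)" or rules carrying a trailing comment are not matched.
rule_numbers_from() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^\[ *[0-9]+\]/ {
            n = $0
            sub(/^\[ */, "", n); sub(/\].*$/, "", n)   # number inside [ ]
            if ($NF == want) print n                   # From is the last column
        }' | sort -rn
}

# delete_plan STATUS_TEXT FROM
# Prints the `ufw delete N` commands in the safe (descending) order. Review the
# plan first; running the commands interactively still gives the y/n prompt
# shown in the transcript above.
delete_plan() {
    for n in $(rule_numbers_from "$1" "$2"); do
        printf 'ufw delete %s\n' "$n"
    done
}

# On a live host, replace "$SAMPLE_STATUS" with "$(ufw status numbered)".
delete_plan "$SAMPLE_STATUS" 192.168.10.17
```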