Marco Klein's questions

我在设置firewalld与docker和fail2ban完美连接时遇到问题。

首先，我想要实现的是以下流量路由设置：

[PUBLIC] -> 
  [FIREWALLD] -> (
    [143/tcp FORWARD PORT] -----> [DOCKER/143/tcp]
    [ 22/tcp]              -----> [openssh locally running]
  )

失败2ban

我设置了 fail2ban 来监听我的 docker 容器，检查身份验证错误并使用 设置禁令firewall-cmd。到目前为止，这很有效。只要我 3 次身份验证错误，它就会向防火墙发送命令。

端口转发

我还为 docker 设置了端口转发。我明确地设置了它，因为我不想让 docker 破坏我的网络。也许这是我将来不需要的东西，但它是通过StrictForwardPorts=yes配置配置的。https ://firewalld.org/2024/11/strict-forward-ports

目标

目标是每当触发 fail2ban 时，IP都不应再访问端口 143（转发端口），并且（可能）其他端口也不应再访问。但首先，我想逐个端口禁止。

问题

当前的问题是，如果创建了拒绝富规则，它将阻止该 IP 的端口 22，但不会阻止端口 143。

尝试 我还尝试将 IP 放入drop区域，并赋予其优先级-10。同样的错误结果。端口 22 被丢弃，但 143 仍然有效。

我做错了什么？这是我上次尝试的区域配置：

docker (active)
  target: ACCEPT
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: br-0aa8d4b5dde7 docker0
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule priority="-999" family="ipv4" source address="192.168.178.44" reject

drop (active)
  target: DROP
  ingress-priority: -10
  egress-priority: -10
  icmp-block-inversion: no
  interfaces: 
  sources: 192.168.178.44
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

public (default, active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
        port=143:proto=tcp:toport=143:toaddr=172.18.0.2
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule priority="-999" family="ipv4" source address="192.168.178.44" reject

如图所示：实际上，地址 192.168.178.44 应该完全阻止进入公共区域。但事实并非如此。此外，我还将 IP 添加到了丢弃区。丢弃区优先级似乎正在发挥作用，因为我的 SSH 连接被丢弃而不是被拒绝，但端口 143 仍然可以访问

更新 1：一些调试信息

$ sudo firewall-cmd --get-policies
allow-host-ipv6 docker-forwarding

更新 2：--info-policy=docker-forwarding

docker-forwarding (active)
  priority: -1
  target: ACCEPT
  ingress-zones: ANY
  egress-zones: docker
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: `

更新 3：

我想到另一个想法是创建另一个优先级为 -10 的策略，其中包含丰富的规则：

sudo firewall-cmd --permanent --new-policy ban-pre-routing
sudo firewall-cmd --permanent --policy ban-pre-routing --add-ingress-zone ANY
sudo firewall-cmd --permanent --policy ban-pre-routing --add-egress-zone HOST
sudo firewall-cmd --permanent --policy ban-pre-routing --set-priority -10
sudo firewall-cmd --permanent --policy ban-pre-routing --add-rich-rule="rule family=ipv4 source address=192.168.178.44 port port=143 protocol=tcp reject"

仍然没有效果。我的 *.44 主机仍然可以连接到机器。如果我省略该port port=143 protocol=tcp部分，它会阻止机器使用 ssh - 但仍然能够访问端口 143。

更新 4： 使用更新 3 并将策略配置为出口区域 docker，不会产生差异。我的配置现在如下所示：

$ sudo firewall-cmd --list-all-policies
allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv6" icmp-type name="neighbour-advertisement" accept
        rule family="ipv6" icmp-type name="neighbour-solicitation" accept
        rule family="ipv6" icmp-type name="redirect" accept
        rule family="ipv6" icmp-type name="router-advertisement" accept

ban-pre-routing (active)
  priority: -10
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: docker
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="192.168.178.44" port port="143" protocol="tcp" reject

docker-forwarding (active)
  priority: -1
  target: ACCEPT
  ingress-zones: ANY
  egress-zones: docker
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

对于区域：

$ sudo firewall-cmd --list-all --zone=public
public (default, active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
        port=143:proto=tcp:toport=143:toaddr=172.18.0.2
  source-ports: 
  icmp-blocks: 
  rich rules: 

$ sudo firewall-cmd --list-all --zone=drop
drop
  target: DROP
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

$ sudo firewall-cmd --list-all --zone=docker
docker (active)
  target: ACCEPT
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: br-c5f172e4effe docker0
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: