通过防火墙配置SSH

１．先查看防火墙规则

[root@ye ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

２．永久添加所有主机都允许的规则

[root@ye ~]# firewall-cmd --remove-service=ssh --permanent
success

３．永久添加指定主机允许的规则

[root@ye ~]# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=192.168.26.121/24 service name=ssh accept' --permanent 
success

４．重新加载规则

[root@ye ~]# firewall-cmd --reload
success

５．查看

[root@ye ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources: 
  services: dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="192.168.26.121/32" service name="ssh" accept

６．验证：

• 用规则允许的主机远程登录：可以登录

[root@peng ~]# ssh [email protected]
Last login: Mon Jan  7 16:16:53 2019 from 192.168.26.121
[root@peng ~]# ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens32:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:c2:93:9c brd ff:ff:ff:ff:ff:ff
    inet 192.168.26.123/24 brd 192.168.26.255 scope global ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::196b:b9c7:7962:9b05/64 scope link 
       valid_lft forever preferred_lft forever
[root@peng ~]# exit
logout
Connection to 192.168.26.121 closed.

• 在规则不允许的主机上远程登录：不能登录

[root@aaa ~]# ssh [email protected]
ssh: connect to host 192.168.26.123 port 22: No route to host
[root@aaa ~]# ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens32:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:c2:93:9c brd ff:ff:ff:ff:ff:ff
    inet 192.168.26.122/24 brd 192.168.26.255 scope global ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::196b:b9c7:7962:9b05/64 scope link 
       valid_lft forever preferred_lft forever