Linux hosts.allow and hosts.deny: Controlling Network Access
Linux has different types of perimeters to restrict and control network access. The hosts.allow and hosts.deny files are one of them. The TCP wrapper (tcpd/libwrap) and applications such as ssh and ftp servers generally use the rules provided in these configuration files. In this tutorial we will look at different usage types and examples for the hosts.allow and hosts.deny files.
These rules describe a simple access control language based on the client host name, address, user name and server process name, and on host name and address patterns.
Syntax
Rules are inserted into these files one per line. Here is the rule syntax:
daemon:client[option1:option2:...]
Help
$ man hosts.allow
Precedence
When rules are used in the files hosts.allow and hosts.deny there is a fixed precedence. The following flow is executed for every incoming connection:
Look at hosts.allow - if a rule matches, access is allowed and evaluation stops.
Look at hosts.deny - if a rule matches, access is denied; if nothing matches in either file, access is allowed.
Allow
To allow hosts and applications to use the server's services, Allow rules are used. Allow rules are placed in the hosts.allow file. In the example we allow all hosts in 192.168.0.0/16 to use all of the server's ports and services (the trailing dot makes the pattern a network prefix).
ALL: 192.168.
Deny
To deny hosts and applications we use Deny rules. Deny rules are placed in hosts.deny. In the example we deny all hosts from connecting to and using the server's services. Keep in mind that hosts.allow is checked first, so the networks allowed in the previous example can still connect, while every host outside those networks will not be able to use the server's services.
ALL: ALL
Comment
Over time there will be a lot of rules in the hosts files. They may become unmanageable if we do not add some notes or comments about the rules. A comment line starts with the # sign. In the example we write some notes about the rules:
# Home users
ALL: 192.168.
#Delete this 30.03.2017
ALL: poftut.com
Log
While using Allow and Deny rules, these actions may need to be logged. Logs can be generated with the spawn mechanism: spawn creates a new process if the specified rule matches. In the example we generate a log entry containing the current date whenever a host from 172.16.0.0/16 tries to access the vsftpd service. Note that the date is produced by command substitution with backticks, not single quotes, otherwise the literal text /bin/date would be written instead of the date:
vsftpd: 172.16. : spawn /bin/echo `/bin/date` access denied >> /var/log/vsftpd:deny
Define Multiple Hosts
Multiple hosts are also supported. We can define multiple hosts by separating them with commas. In the example we define 2 host names, 1 IP address and 1 network:
ALL: dns.poftut.com, mail.poftut.com, 212.23.4.12, 10.5.
dns.poftut.com and mail.poftut.com are host names.
212.23.4.12 is a single IP address.
10.5. specifies the network 10.5.0.0/16 (CIDR notation); the trailing dot marks it as an address prefix.
Except Definition
We can define NOT logic in rules with the EXCEPT operator. Generally IP addresses or network ranges are used with this logic. We put ALL EXCEPT as a prefix to the IP address or network range that should be excluded. In this example we define all hosts except 10.0.0.0/8 (the pattern 10. is a prefix covering the whole 10.0.0.0/8 range):
ALL: ALL EXCEPT 10.
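To make the precedence and the pattern forms above concrete, here is an added example (not code from the tutorial or from the TCP wrapper itself) that models how hosts.allow and hosts.deny are evaluated: ALL, trailing-dot network prefixes, single IP addresses, host names, comma-separated lists and ALL EXCEPT. It deliberately omits netmasks, domain suffixes, KNOWN/UNKNOWN and option handling; the sample file contents are constructed from the rules shown on this page.

```python
def match_client(pattern: str, host: str, ip: str) -> bool:
    """One client pattern: ALL, a network prefix such as '172.16.', an IP or a host name."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # trailing dot = numeric address prefix
        return ip.startswith(pattern)
    return pattern == ip or pattern.lower() == host.lower()


def match_client_list(client_list: str, host: str, ip: str) -> bool:
    """Comma-separated list; 'list_1 EXCEPT list_2' is evaluated right-associatively."""
    if " EXCEPT " in client_list:
        left, right = client_list.split(" EXCEPT ", 1)
        return match_client_list(left, host, ip) and not match_client_list(right, host, ip)
    return any(match_client(p, host, ip) for p in client_list.split(","))


def parse_rules(text: str) -> list:
    """Return (daemon, client_list) pairs. Blank lines and '#' comment lines are skipped;
    a third field (options such as spawn) is kept out of the match logic."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 2)
        if len(fields) >= 2:
            rules.append((fields[0].strip(), fields[1].strip()))
    return rules


def rules_match(rules: list, daemon: str, host: str, ip: str) -> bool:
    # Single daemon name or ALL only (daemon lists are not modelled here).
    return any((d == "ALL" or d == daemon) and match_client_list(c, host, ip) for d, c in rules)


def access_allowed(allow_text: str, deny_text: str, daemon: str, host: str, ip: str) -> bool:
    """Precedence from the tutorial: hosts.allow match -> allow and stop;
    hosts.deny match -> deny; no match in either file -> allow."""
    if rules_match(parse_rules(allow_text), daemon, host, ip):
        return True
    if rules_match(parse_rules(deny_text), daemon, host, ip):
        return False
    return True


# Constructed sample files (assumed content, built from the rules on this page).
HOSTS_ALLOW = """# Home users
ALL: 192.168.
vsftpd: 172.16. : spawn /usr/bin/logger wrap-match
ALL: dns.poftut.com, mail.poftut.com, 212.23.4.12, 10.5.
"""
HOSTS_DENY = "ALL: ALL\n"
```

With HOSTS_DENY set to ALL: ALL the server becomes default-deny, so every connection must be justified by a hosts.allow rule; remove that line and the same inputs fall through to the final "allow" step.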
Translated from: https://www.poftut.com/linux-hosts-allow-hosts-deny-control-network-access/