一、首先删除掉系统默认放行的ssh服务

[root@localhost ~]# firewall-cmd --list-service
ssh dhcpv6-client

[root@localhost ~]# firewall-cmd --remove-service=ssh --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-service
dhcpv6-client

二、添加富规则如下

[root@localhost ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.28.146.109" port protocol="tcp" port="25601" accept'
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources: 
  services: ssh dhcpv6-client
  ports: 25601/tcp 8079/tcp 7890/tcp 10050/tcp 8801/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="172.28.146.109" port port="25601" protocol="tcp" accept

source address指定访问的源ip，可以是地址段172.28.146.1/24 ，如果添加多个IP，可以重复执行上面的语句进行添加

如果这里加错了，可以删除规则重新添加

[root@localhost ~]# firewall-cmd --remove-rich-rule='rule family="ipv4" source address="172.28.146.109" port port="25601" protocol="tcp" accept' --permanent
success
[root@localhost ~]# firewall-cmd --reload  
success

 

三、删除掉原来指定的访问端口25601

[root@localhost ~]# firewall-cmd --remove-port=25601/tcp --permanent
success
[root@localhost ~]# firewall-cmd --reload
success

这样，只有172.28.146.109这台IP的机器才能SSH连接25601端口了