1. First, remove the ssh service that the system allows by default
[root@localhost ~]# firewall-cmd --list-service
ssh dhcpv6-client
[root@localhost ~]# firewall-cmd --remove-service=ssh --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-service
dhcpv6-client
2. Add a rich rule as follows
[root@localhost ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.28.146.109" port protocol="tcp" port="25601" accept'
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources:
  services: ssh dhcpv6-client
  ports: 25601/tcp 8079/tcp 7890/tcp 10050/tcp 8801/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="172.28.146.109" port port="25601" protocol="tcp" accept
source address specifies the source IP that is allowed to connect; it can also be a network range such as 172.28.146.1/24. To allow several IPs, repeat the command above once for each address.
If a rule was added by mistake, remove it and add it again:
[root@localhost ~]# firewall-cmd --remove-rich-rule='rule family="ipv4" source address="172.28.146.109" port port="25601" protocol="tcp" accept' --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
3. Remove the access port 25601 that was opened earlier
[root@localhost ~]# firewall-cmd --remove-port=25601/tcp --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
With this, only the machine with IP 172.28.146.109 can connect to port 25601 over SSH.
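The three steps above collected into one script, as an added example that is not part of the original post. It assumes firewall-cmd is on PATH, the script runs as root against the default zone, and that setting DRY_RUN=1 should print the planned commands instead of executing them; the allow rules are always added before the broad service/port is closed so the session that runs it is not locked out.

```shell
#!/bin/sh
# Added example (not from the original post): restrict one SSH port to a list
# of trusted sources using firewalld rich rules, then verify the result.
# Assumptions: firewall-cmd on PATH, running as root, default zone in use.

# Build one rich rule for one source (single IP or CIDR) and one TCP port.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" port protocol="tcp" port="%s" accept' "$1" "$2"
}

# Print the full firewall-cmd sequence: allow the trusted sources first,
# close the broad ssh service and port last, reload once at the end.
# Usage: plan_commands PORT SOURCE [SOURCE...]
plan_commands() {
    port=$1; shift
    for src in "$@"; do
        printf "firewall-cmd --permanent --add-rich-rule='%s'\n" "$(rich_rule "$src" "$port")"
    done
    printf 'firewall-cmd --permanent --remove-service=ssh\n'
    printf 'firewall-cmd --permanent --remove-port=%s/tcp\n' "$port"
    printf 'firewall-cmd --reload\n'
}

# Run the plan (or only print it when DRY_RUN=1), then confirm every
# allow rule is present in the runtime configuration after the reload.
apply_plan() {
    port=$1; shift
    if [ "${DRY_RUN:-0}" = 1 ]; then
        plan_commands "$port" "$@"
        return 0
    fi
    plan_commands "$port" "$@" | sh -e || return 1
    for src in "$@"; do
        firewall-cmd --query-rich-rule="$(rich_rule "$src" "$port")" >/dev/null \
            || { echo "rule for $src missing after reload" >&2; return 1; }
    done
}
```

Review the output of `DRY_RUN=1 apply_plan 25601 172.28.146.109` before running it for real; the query loop at the end is what tells you the reload actually kept the rules.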