So many scanner bots: set up an inbound whitelist with the nftables firewall

Views 28 | Replies 0
Author: KDE

/etc/hosts.deny has been removed starting with RHEL 8, tcp_wrappers is no longer available, and the Debian-based distros will remove it too.
Better to use the newer nftables firewall for the inbound whitelist instead.
# nftables
nft flush ruleset
# 1: one inet table (IPv4 + IPv6) with an input chain that drops by default
nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
# loopback and replies to connections this host opened
nft add rule inet filter input iif "lo" accept
nft add rule inet filter input ct state { established, related } accept
nft add rule inet filter input ct state invalid drop
# IPv6 neighbour discovery; without this, IPv6 stops working under policy drop
nft add rule inet filter input icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-redirect, nd-router-advert, nd-router-solicit } accept
# rate-limited ping
nft add rule inet filter input icmp type echo-request limit rate 1/second accept
nft add rule inet filter input icmpv6 type echo-request limit rate 1/second accept
# SSH only from the admin source ranges (the whitelist)
nft add rule inet filter input iif "eth0" tcp dport 22 ip saddr 10.1.1.0/24 accept
nft add rule inet filter input iif "eth0" tcp dport 22 ip6 saddr 240e:350::/29 accept
# public services
nft add rule inet filter input iif "eth0" tcp dport { 80, 443 } accept
nft add rule inet filter input iif "eth0" udp dport { 53 } accept

Tags: removed, firewall, whitelist
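A practical caveat with the command-by-command version above: after `nft flush ruleset` and the chain with `policy drop`, the host drops everything until the accept rules land, which is enough to cut an SSH session if one of the later commands fails. The script below is an added example, not the poster's code: it builds the same policy as a single ruleset file with the admin ranges in named sets and loads it atomically with `nft -f` (after a syntax check with `nft -c`), so the kernel only ever sees the complete ruleset. The interface name eth0, the two admin ranges and the output path /etc/nftables.conf are assumptions carried over from the post, overridable through environment variables.

```shell
#!/bin/sh
# Added example (not from the original post): generate the inbound whitelist as one
# nftables file and apply it atomically, instead of running nft add ... line by line.
# Assumptions (not stated by the post): WAN interface eth0, admin ranges 10.1.1.0/24 and
# 240e:350::/29, ruleset written to /etc/nftables.conf.

WAN_IF="${WAN_IF:-eth0}"
ADMIN_V4="${ADMIN_V4:-10.1.1.0/24}"
ADMIN_V6="${ADMIN_V6:-240e:350::/29}"

# Print the complete ruleset. Named sets let you add or drop admin ranges later with
# "nft add element inet filter admin_v4 { a.b.c.d/n }" without touching the chain.
gen_ruleset() {
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    set admin_v4 { type ipv4_addr; flags interval; elements = { $ADMIN_V4 } }
    set admin_v6 { type ipv6_addr; flags interval; elements = { $ADMIN_V6 } }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-redirect, nd-router-advert, nd-router-solicit } accept
        icmp type echo-request limit rate 1/second accept
        icmpv6 type echo-request limit rate 1/second accept
        iif "$WAN_IF" tcp dport 22 ip saddr @admin_v4 accept
        iif "$WAN_IF" tcp dport 22 ip6 saddr @admin_v6 accept
        iif "$WAN_IF" tcp dport { 80, 443 } accept
        iif "$WAN_IF" udp dport 53 accept
    }
}
EOF
}

# Sanity check before loading: every line that prevents a lockout must be present.
# Returns 0 when all are found, 1 (and names the first missing one) otherwise.
check_ruleset() {
    out=$(gen_ruleset)
    for needle in 'policy drop' 'iif "lo" accept' 'ct state established,related accept' \
                  'ip saddr @admin_v4 accept' 'ip6 saddr @admin_v6 accept'; do
        case "$out" in
            *"$needle"*) ;;
            *) echo "missing rule: $needle" >&2; return 1 ;;
        esac
    done
    return 0
}

# Write the file, syntax-check it without touching the kernel (-c), then load it in
# one transaction. Requires root and an nft binary; nothing is applied if -c fails.
apply_ruleset() {
    f="${1:-/etc/nftables.conf}"
    check_ruleset || return 1
    gen_ruleset > "$f"
    nft -c -f "$f" && nft -f "$f"
}

# Usage: sh whitelist.sh            (prints the ruleset)
#        sh whitelist.sh apply      (writes and loads it, as root)
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
elif [ "${0##*/}" = "whitelist.sh" ]; then
    gen_ruleset
fi
```

Because `nft -f` replaces the whole ruleset in a single transaction, the `flush ruleset` at the top of the file and the new chain take effect together; there is no window where the chain exists with `policy drop` and no accept rules. Keep a fallback such as `sleep 300 && nft flush ruleset` in a detached shell the first time you test it on a remote box.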
