ESXi: restrict ping by source address, or disable ping? A workaround using static routes
The ESXi firewall can restrict access to specific services (SSH, vSphere Client, etc.) by source address, but the ICMP rule cannot be customised: it is allowed by default and cannot be disabled. The same effect can be achieved indirectly through the routing configuration.
First, leave the default gateway on the ESXi vmkernel port unset (or remove it after it has been configured), i.e. leave the management address's default gateway empty, and add static routes instead, so that the host can only reply to specific source networks. See "Configuring static routes for vmkernel ports" for details.
Steps from the official documentation:
1. To add a static route, run the command:
esxcli network ip route ipv4/ipv6 add --gateway IPv4_address_of_router --network IPv4_address
For example, to add a route to 192.168.100.0 network with a /24 bit subnet mask (255.255.255.0) through a router with an IP address of 192.168.0.1, run this command:
esxcli network ip route ipv4 add --gateway 192.168.0.1 --network 192.168.100.0/24
2. To list the route, run the command:
esxcli network ip route ipv4 list
3. To remove a static route, run the command:
esxcli network ip route ipv4 remove -n network_ip/mask -g gateway_ip
For example, to remove a route from 192.168.100.0 network with a /24 bit subnet mask (255.255.255.0) through a router with an IP address of 192.168.0.1, run this command:
esxcli network ip route ipv4 remove -n 192.168.100.0/24 -g 192.168.0.1
4. When finished, check the host’s current routing table with the esxcfg-route -l command. Any static routes display in the output.
Example:
# list routes
esxcfg-route -l
# add routes to the allowed networks
esxcli network ip route ipv4 add --gateway 10.10.190.1 --network 10.10.177.0/24
esxcli network ip route ipv4 add --gateway 10.10.190.1 --network 10.10.179.0/24
esxcli network ip route ipv4 add --gateway 10.10.190.1 --network 10.10.180.0/24
esxcli network ip route ipv4 add --gateway 10.10.190.1 --network 10.10.190.0/24
esxcli network ip route ipv4 add --gateway 10.10.190.1 --network 10.10.191.0/24
# remove the default route
esxcli network ip route ipv4 remove -n 0.0.0.0/0 -g 10.10.190.1
# restore the default route
esxcli network ip route ipv4 add --gateway 10.10.190.1 --network 0.0.0.0/0
# list routes
esxcfg-route -l
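As an added example (not part of the original post), the POSIX shell script below generates the route commands for an allowlist of management networks and audits a saved copy of the route listing to confirm no default route is left behind. The route-listing format and the sample listings are constructed to mirror the post's network, and the script never runs esxcli itself.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the esxcli commands for an
# allowlist of management networks and audits a saved route listing. The values
# are constructed from the post's sample network; the listing layout is assumed to
# be "Network Netmask Gateway Interface Source" as printed by
# "esxcli network ip route ipv4 list". Nothing here executes esxcli.
GATEWAY="10.10.190.1"
ALLOWED="10.10.177.0/24 10.10.179.0/24 10.10.180.0/24 10.10.190.0/24 10.10.191.0/24"

# Print one "route add" command per allowed network (dry run: review, then run on the host).
gen_route_cmds() {
    for net in $ALLOWED; do
        printf 'esxcli network ip route ipv4 add --gateway %s --network %s\n' "$GATEWAY" "$net"
    done
}

# Audit a route listing: fail if a default route remains (the host would then
# answer ICMP from any source) or if an allowed network has no route at all.
# Limit of the workaround: echo requests still reach the host, only the replies
# have nowhere to go, and peers on the vmkernel's own subnet are unaffected.
check_route_table() {
    table="$1"
    if printf '%s\n' "$table" | awk '($1 == "default" || $1 == "0.0.0.0") { d = 1 } END { exit !d }'; then
        echo "default route still present" >&2
        return 1
    fi
    for net in $ALLOWED; do
        if ! printf '%s\n' "$table" | awk -v p="${net%/*}" '$1 == p { ok = 1 } END { exit !ok }'; then
            echo "no route for $net" >&2
            return 1
        fi
    done
    return 0
}

# Constructed listings: before and after "esxcli network ip route ipv4 remove -n 0.0.0.0/0 -g 10.10.190.1".
ROUTES_BEFORE='Network      Netmask        Gateway      Interface  Source
-----------  -------------  -----------  ---------  ------
default      0.0.0.0        10.10.190.1  vmk0       MANUAL
10.10.177.0  255.255.255.0  10.10.190.1  vmk0       MANUAL
10.10.179.0  255.255.255.0  10.10.190.1  vmk0       MANUAL
10.10.180.0  255.255.255.0  10.10.190.1  vmk0       MANUAL
10.10.190.0  255.255.255.0  0.0.0.0      vmk0       MANUAL
10.10.191.0  255.255.255.0  10.10.190.1  vmk0       MANUAL'
ROUTES_AFTER=$(printf '%s\n' "$ROUTES_BEFORE" | grep -v '^default')

check_route_table "$ROUTES_BEFORE" || echo "before: default route found, as expected" >&2
check_route_table "$ROUTES_AFTER" && echo "after: only allowlisted networks are routed"
```

Feed the real listing to check_route_table (for example `check_route_table "$(cat saved-routes.txt)"`) after removing the default route to confirm the change took effect before closing the console session.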