CentOS 7: configuring iptables so that only whitelisted IPs can reach a fixed port

yyzq
2022-08-01

How to configure iptables

1. Check whether iptables is already running

systemctl status iptables  # check whether iptables is currently running
iptables -nL  # list the current rules

2. If iptables is not installed, install it

wget https://alist.yyzq.cf/d/%20%E6%9C%AC%E5%9C%B0%E7%BD%91%E7%9B%98/linux/iptables/iptables-1.4.21-35.el7.x86_64.rpm # download the package
wget https://alist.yyzq.cf/d/%20%E6%9C%AC%E5%9C%B0%E7%BD%91%E7%9B%98/linux/iptables/iptables-services-1.4.21-35.el7.x86_64.rpm # download the package
ll  # list the downloaded files
rpm -Uvh iptables-1.4.21-35.el7.x86_64.rpm # install from the local file
rpm -Uvh iptables-services-1.4.21-35.el7.x86_64.rpm # install from the local file
cp /etc/sysconfig/iptables /etc/sysconfig/iptables_bak # iptables was not in use before, so just back up the default rule file

3. Write the new rules

3.1 Edit the configuration file

vim /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# add the whitelist
-A INPUT -s 35.241.119.219 -j ACCEPT
-A INPUT -s 192.168.131.194 -j ACCEPT
-A INPUT -s 192.168.131.195 -j ACCEPT
-A INPUT -s 192.168.131.196 -j ACCEPT
-A INPUT -s 192.168.131.197 -j ACCEPT
-A INPUT -s 192.168.131.198 -j ACCEPT
-A INPUT -s 192.168.131.199 -j ACCEPT
-A INPUT -s 192.168.131.200 -j ACCEPT
-A INPUT -s 192.168.131.201 -j ACCEPT
-A INPUT -s 192.168.131.202 -j ACCEPT
-A INPUT -s 192.168.131.203 -j ACCEPT
-A INPUT -s 192.168.131.204 -j ACCEPT
-A INPUT -s 192.168.131.205 -j ACCEPT
-A INPUT -s 192.168.131.206 -j ACCEPT
-A INPUT -s 192.168.131.207 -j ACCEPT
-A INPUT -s 192.168.131.208 -j ACCEPT
-A INPUT -s 192.168.131.209 -j ACCEPT
-A INPUT -s 192.168.131.210 -j ACCEPT
-A INPUT -s 192.168.131.211 -j ACCEPT
-A INPUT -s 192.168.131.212 -j ACCEPT
-A INPUT -s 192.168.131.213 -j ACCEPT
-A INPUT -s 192.168.131.214 -j ACCEPT
-A INPUT -s 34.92.77.242 -j ACCEPT

# every IP other than the whitelisted ones is refused on port 9999 (rules are matched top to bottom, so the ACCEPT lines above must precede this DROP)

-A INPUT -p tcp --dport 9999 -j DROP

COMMIT

3.2 Adding rules from the command line

Note: rules added this way are only temporary; they are lost as soon as iptables is restarted.

Block access to port 8068

iptables -I INPUT -p tcp --dport 8068 -j DROP 

Allow the IPs in the range 182.118.237.80-182.118.237.100 to access 3306

iptables -I INPUT -m iprange --src-range 182.118.237.80-182.118.237.100 -p tcp --dport 8068 -j ACCEPT 

Whitelist an entire IP range

iptables -I INPUT -p tcp -s 182.118.0.0/16 -j ACCEPT
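As an added example (not code from the original post), the POSIX shell script below generates the rules file of section 3.1 for any list of whitelisted sources and checks, before anything is loaded, that no ACCEPT for the gated port sits below that port's DROP. The same ordering logic governs the command-line inserts of section 3.2: `-I` places each new rule at the top of INPUT, which is why an ACCEPT for a range inserted after the DROP still ends up above it and is matched first. Port 9999 and the 192.0.2.x and 198.51.100.0/24 addresses are constructed placeholders, and the script goes one step beyond the page's file by limiting each whitelist ACCEPT to the port, because a bare `-s X -j ACCEPT` admits that source to every port on the host, not only the one being gated.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the /etc/sysconfig/iptables
# content for a "whitelisted sources only on one port" policy and checks rule
# order before it is loaded. Port and addresses used below are constructed samples.

# Emit a complete iptables-restore file for port $1; the remaining arguments are
# the whitelisted source addresses (single IPs or CIDR ranges).
gen_whitelist_rules() {
    port="$1"
    shift
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'
    for src in "$@"; do
        # Restrict each ACCEPT to the port: a bare "-s X -j ACCEPT" would open
        # every port on the host to that source, not just the one being gated.
        printf '%s\n' "-A INPUT -s $src -p tcp --dport $port -j ACCEPT"
    done
    # The catch-all DROP comes last; iptables evaluates rules top to bottom.
    printf '%s\n' "-A INPUT -p tcp --dport $port -j DROP"
    printf '%s\n' 'COMMIT'
}

# Read rules on stdin (the file above, or the output of "iptables -S INPUT",
# which uses the same -A syntax) and return 1 if any ACCEPT for the port sits
# below the DROP for that port, where it can never match.
check_order() {
    port="$1"
    awk -v p="$port" '
        $0 ~ ("--dport " p " -j DROP")   { seen_drop = 1; next }
        seen_drop && $0 ~ ("--dport " p " -j ACCEPT") { bad = 1 }
        END { if (bad) exit 1; exit 0 }'
}

# Stand-alone run: print the generated file and verify its order.
rules=$(gen_whitelist_rules 9999 192.0.2.10 192.0.2.11 198.51.100.0/24)
printf '%s\n' "$rules"
printf '%s\n' "$rules" | check_order 9999 && echo "rule order OK"
```

The script needs no privileges, so it can be run as an ordinary user to review the file before copying it to /etc/sysconfig/iptables and restarting the service as in section 4. On a live host the same check audits the running table with `iptables -S INPUT | check_order 9999`, which is a quick way to spot an ACCEPT that was appended with `-A` after the DROP and therefore silently does nothing.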

4. Restart iptables

systemctl restart iptables    # restart iptables
iptables -nL   # list the rules again to confirm the new ones are loaded

5. Delete rules

vim /etc/sysconfig/iptables  # to delete a rule, edit this file again
systemctl restart iptables    # restart iptables
