【iptables】防火墙白名单配置

端口关闭与开放白名单
有一台 es 端口9200，想指定白名单创建连接，于是先把这个端口的所有监听先关闭掉，再对应添加白名单

(10.12.3.11 指的是客户端的 ip， 9200 指的是要访问的服务端的服务端口 )

iptables -I INPUT -p tcp --dport 9200 -j DROP
iptables -I INPUT -s 10.12.3.11 -ptcp --dport 9200 -j ACCEPT
iptables -I INPUT -s 10.12.3.12 -ptcp --dport 9200 -j ACCEPT

第二种方式：
vim /etc/sysconfig/iptables
-A INPUT -s 10.xx.xx.xx/24 -p tcp -m tcp --dport 8888 -j ACCEPT
-A INPUT -s 10.xx.xx.xx/24 -p tcp -m tcp --dport 9999 -j ACCEPT

然后重启下
systemctl restart iptables

把某个端口全部封掉

不在授权IP/IP段范围内的，全部拒绝访问

-A INPUT -p tcp -m tcp --dport 9200 -j DROP
-A INPUT -p tcp -m tcp --dport 9300 -j DROP
-A INPUT -p tcp -m tcp --dport 8080 -j DROP

注：

DROP的配置要放在最底下，ACCEPT的配置要放在 DROP的上面，不然 ACCEPT 无法生效。

常见错误

1、修改iptables 文件（任何配置文件），都应该做好备份
2、如果出现以下错误，很可能是iptables文件写错了 —— 把 iptables 还原一下，然后，再逐项修改。

[root@server-1 sysconfig]# systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2024-05-15 11:18:33 CST; 11s ago
Process: 1944963 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=1/F>
Main PID: 1944963 (code=exited, status=1/FAILURE)

5月 15 11:18:32 server-1 systemd[1]: Starting IPv4 firewall with iptables...
5月 15 11:18:32 server-1 iptables.init[1944963]: iptables: Applying firewall rules:
5月 15 11:18:32 server-1 iptables.init[1944968]: iptables-restore: line 242 failed
5月 15 11:18:33 server-1 iptables.init[1944963]: [FAILED]
5月 15 11:18:33 server-1 systemd[1]: iptables.service: Main process exited, code=exited, status>
5月 15 11:18:33 server-1 systemd[1]: iptables.service: Failed with result 'exit-code'.
5月 15 11:18:33 server-1 systemd[1]: Failed to start IPv4 firewall with iptables.

一个iptables 的模板

修改里面的白名单，或需要封堵的端口

 # Generated by iptables-save v1.8.5 on Mon Aug 14 16:11:29 2023
*mangle
:PREROUTING ACCEPT [844569160:284511034935]
:INPUT ACCEPT [844569148:284511034072]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [893739620:233817271910]
:POSTROUTING ACCEPT [893739620:233817271910]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Mon Aug 14 16:11:29 2023
# Generated by iptables-save v1.8.5 on Mon Aug 14 16:11:29 2023
*nat
:PREROUTING ACCEPT [137691:11045826]
:INPUT ACCEPT [131938:10693261]
:OUTPUT ACCEPT [2360280:255959506]
:POSTROUTING ACCEPT [2360280:255959506]
:DOCKER - [0:0]
:LIBVIRT_PRT - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j LIBVIRT_PRT
-A DOCKER -i docker0 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Mon Aug 14 16:11:29 2023
# Generated by iptables-save v1.8.5 on Mon Aug 14 16:11:29 2023
*filter
:INPUT ACCEPT [19651:9179734]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [32642:8938512]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:l - [0:0]
 
 
 
# IP端口白名单
-A INPUT -s 10.11.35.113 -p tcp -m tcp --dport 6379 -j ACCEPT
-A INPUT -s 10.11.35.112 -p tcp -m tcp --dport 6379 -j ACCEPT
-A INPUT -s 10.11.35.111 -p tcp -m tcp --dport 6379 -j ACCEPT
 
 
# 不在授权IP/IP段范围内的，全部拒绝访问
-A INPUT -p tcp -m tcp --dport 6379 -j DROP
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
 
 
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Mon Aug 14 16:11:29 2023

posted @ 2023-04-03 20:29 aaacarrot 阅读(740) 评论(0) 编辑收藏举报

刷新页面返回顶部

登录后才能查看或发表评论，立即登录或者逛逛博客园首页

相关博文：

· centos下Iptables的安装(离线)

· 关于防火墙的记录

· Linux-iptables

· iptables简单配置

· iptables 允许特定主机访问本机，其他所有 IP 拒绝

历史上的今天：
2022-04-03 maven 依赖冲突

aaacarrot

【iptables】防火墙白名单配置

不在授权IP/IP段范围内的，全部拒绝访问

注：

常见错误

一个iptables 的模板

常用链接

我的标签

随笔分类

随笔档案

文章分类

阅读排行榜

评论排行榜

推荐排行榜

最新评论

	# Generated by iptables-save v1.8.5 on Mon Aug 14 16:11:29 2023
	*mangle
	:PREROUTING ACCEPT [844569160:284511034935]
	:INPUT ACCEPT [844569148:284511034072]
	:FORWARD ACCEPT [0:0]
	:OUTPUT ACCEPT [893739620:233817271910]
	:POSTROUTING ACCEPT [893739620:233817271910]
	:LIBVIRT_PRT - [0:0]
	-A POSTROUTING -j LIBVIRT_PRT
	-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
	COMMIT
	# Completed on Mon Aug 14 16:11:29 2023
	# Generated by iptables-save v1.8.5 on Mon Aug 14 16:11:29 2023
	*nat
	:PREROUTING ACCEPT [137691:11045826]
	:INPUT ACCEPT [131938:10693261]
	:OUTPUT ACCEPT [2360280:255959506]
	:POSTROUTING ACCEPT [2360280:255959506]
	:DOCKER - [0:0]
	:LIBVIRT_PRT - [0:0]
	-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
	-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
	-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
	-A POSTROUTING -j LIBVIRT_PRT
	-A DOCKER -i docker0 -j RETURN
	-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
	-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255 -j RETURN
	-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
	-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
	-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
	COMMIT
	# Completed on Mon Aug 14 16:11:29 2023
	# Generated by iptables-save v1.8.5 on Mon Aug 14 16:11:29 2023
	*filter
	:INPUT ACCEPT [19651:9179734]
	:FORWARD ACCEPT [0:0]
	:OUTPUT ACCEPT [32642:8938512]
	:DOCKER - [0:0]
	:DOCKER-ISOLATION-STAGE-1 - [0:0]
	:DOCKER-ISOLATION-STAGE-2 - [0:0]
	:DOCKER-USER - [0:0]
	:LIBVIRT_FWI - [0:0]
	:LIBVIRT_FWO - [0:0]
	:LIBVIRT_FWX - [0:0]
	:LIBVIRT_INP - [0:0]
	:LIBVIRT_OUT - [0:0]
	:l - [0:0]



	# IP端口白名单
	-A INPUT -s 10.11.35.113 -p tcp -m tcp --dport 6379 -j ACCEPT
	-A INPUT -s 10.11.35.112 -p tcp -m tcp --dport 6379 -j ACCEPT
	-A INPUT -s 10.11.35.111 -p tcp -m tcp --dport 6379 -j ACCEPT


	# 不在授权IP/IP段范围内的，全部拒绝访问
	-A INPUT -p tcp -m tcp --dport 6379 -j DROP
	-A INPUT -p tcp -m tcp --dport 8080 -j DROP


	-A FORWARD -j DOCKER-USER
	-A FORWARD -j DOCKER-ISOLATION-STAGE-1
	-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	-A FORWARD -o docker0 -j DOCKER
	-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
	-A FORWARD -i docker0 -o docker0 -j ACCEPT
	-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
	-A DOCKER-ISOLATION-STAGE-1 -j RETURN
	-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
	-A DOCKER-ISOLATION-STAGE-2 -j RETURN
	-A DOCKER-USER -j RETURN
	COMMIT
	# Completed on Mon Aug 14 16:11:29 2023