centOS7 下利用iptables配置IP地址白名单的方法
<p>编辑iptables配置文件,将文件内容更改为如下,则具备了ip地址白名单功能<br>
#vim /etc/sysconfig/iptables</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterxhtml" id="highlighter_602682">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
<div class="line number6 index5 alt1">
6</div>
<div class="line number7 index6 alt2">
7</div>
<div class="line number8 index7 alt1">
8</div>
<div class="line number9 index8 alt2">
9</div>
<div class="line number10 index9 alt1">
10</div>
<div class="line number11 index10 alt2">
11</div>
<div class="line number12 index11 alt1">
12</div>
<div class="line number13 index12 alt2">
13</div>
<div class="line number14 index13 alt1">
14</div>
<div class="line number15 index14 alt2">
15</div>
<div class="line number16 index15 alt1">
16</div>
<div class="line number17 index16 alt2">
17</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="xhtml plain">*filter </code>
</div>
<div class="line number2 index1 alt1">
<code class="xhtml plain">:INPUT ACCEPT </code>
</div>
<div class="line number3 index2 alt2">
<code class="xhtml plain">:FORWARD ACCEPT </code>
</div>
<div class="line number4 index3 alt1">
<code class="xhtml plain">:OUTPUT ACCEPT </code>
</div>
<div class="line number5 index4 alt2">
</div>
<div class="line number6 index5 alt1">
<code class="xhtml plain">-N whitelist </code>
</div>
<div class="line number7 index6 alt2">
<code class="xhtml plain">-A whitelist -s 1.2.3.0/24 -j ACCEPT </code>
</div>
<div class="line number8 index7 alt1">
<code class="xhtml plain">-A whitelist -s 4.5.6.7 -j ACCEPT </code>
</div>
<div class="line number9 index8 alt2">
</div>
<div class="line number10 index9 alt1">
<code class="xhtml plain">-A INPUT -m state --state RELATED,ESTABLISHED -j whitelist </code>
</div>
<div class="line number11 index10 alt2">
<code class="xhtml plain">-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j whitelist </code>
</div>
<div class="line number12 index11 alt1">
<code class="xhtml plain">-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j whitelist </code>
</div>
<div class="line number13 index12 alt2">
<code class="xhtml plain">-A INPUT -p icmp -j ACCEPT </code>
</div>
<div class="line number14 index13 alt1">
<code class="xhtml plain">-A INPUT -i lo -j ACCEPT </code>
</div>
<div class="line number15 index14 alt2">
<code class="xhtml plain">-A INPUT -j REJECT --reject-with icmp-host-prohibited </code>
</div>
<div class="line number16 index15 alt1">
<code class="xhtml plain">-A FORWARD -j REJECT --reject-with icmp-host-prohibited </code>
</div>
<div class="line number17 index16 alt2">
<code class="xhtml plain">COMMIT </code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
6~8 行是添加白名单列表,可以是ip段或者单个ip地址</p>
<p>
10~12行 注意的是“-j whitelist”而不是“-j ACCEPT”,前者将该端口访问权限限制在白名单内,后者为不限制</p>
<p>
13行 任何ip地址都能ping通该主机,因为“-j ACCEPT”没有做相应限制</p>
<p>
配置完毕后,运行命令重启防火墙使规则生效</p>
<p>
#systemctl restart iptables.service</p>
<p>
以上这篇centOS7 下利用iptables配置IP地址白名单的方法就是小编分享给大家的全部内容了,希望能给大家一个参考,也希望大家多多支持服务器之家。</p>
頁:
[1]