邵鹏飛 posted on 2020-9-22 20:44:00

Configuring a whitelist on CentOS 7

<h3>Configuring a whitelist on CentOS 7</h3>
<hr>
<p>&nbsp;</p>
<p>In scenarios with stricter network security requirements (for example, an environment deployed at a customer site where the customer requires every machine hosting services to pass security scanning and vulnerability detection), we can use several means to make sure the services on a machine cannot be attacked maliciously (for example, the access control of the MySQL database, where SQL commands restrict which machines may connect).</p>
<p>A more convenient way is the firewall built into Linux: by <span style="color: rgba(255, 0, 0, 1)"><strong>adding a whitelist</strong></span> for specific source <span style="color: rgba(255, 0, 0, 1)">IPs</span> and <span style="color: rgba(255, 0, 0, 1)">ports</span>, we get access control at the network level and keep out malicious external access and attacks.</p>
<p>&nbsp;</p>
<p>Before configuring the whitelist, make sure the iptables rules file (/etc/sysconfig/iptables) exists on the CentOS 7 machine.</p>
<p>For installing the iptables service, see: https://www.cnblogs.com/miracle-luna/p/13714709.html</p>
<p>&nbsp;</p>
<p>Suppose we want the following effect:</p>
<p>1) Allow the three machines 10.105.211.10, 10.105.211.11 and 10.105.211.12 to access UDP ports 111 and 123 and TCP port 3306 on this machine;</p>
<p>2) Allow all other machines to access every port on this machine except TCP ports 8080 and 8082.</p>
<p>&nbsp;</p>
<h3>Method 1 (<span style="color: rgba(255, 0, 0, 1)">standard configuration</span>):</h3>
<p>The iptables file is configured as follows:</p>
<div class="cnblogs_code">
<pre># sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Source IPs in the whitelist (10.105.211.10, 10.105.211.11, 10.105.211.12)
-N whitelist
-A whitelist -s 10.105.211.10 -j ACCEPT
-A whitelist -s 10.105.211.11 -j ACCEPT
-A whitelist -s 10.105.211.12 -j ACCEPT
# Any other source that reaches this chain is rejected here; without this line the chain
# would simply return to INPUT and a later ACCEPT rule could still let the packet in
-A whitelist -j REJECT --reject-with icmp-host-prohibited

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

# Whitelisted machines may access UDP ports 111 and 123
-A INPUT -m state --state NEW -p udp --dport 111 -j whitelist
-A INPUT -m state --state NEW -p udp --dport 123 -j whitelist

# Whitelisted machines may access TCP port 3306
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j whitelist

# All other machines may access every port except TCP 8080 and 8082 ("!" negates the match).
# Two negated rules cannot express "neither 8080 nor 8082" (a packet to 8080 would still
# match "! --dport 8082"), so 8082 is rejected explicitly first and "!" handles 8080
-A INPUT -p tcp --dport 8082 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp ! --dport 8080 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT</pre>
</div>
<p>(<strong><span style="color: rgba(255, 0, 0, 1)">Note</span></strong>: <span style="color: rgba(255, 0, 0, 1)">!</span> means negation; there must be <span style="color: rgba(255, 0, 0, 1)">a space</span> on each side of <strong><span style="color: rgba(255, 0, 0, 1)">!</span></strong>, otherwise an error is reported)</p>
<p>&nbsp;</p>
<h3>Method 2 (<span style="color: rgba(255, 0, 0, 1)">concise</span> configuration):</h3>
<div class="cnblogs_code">
<pre># sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Source IPs in the whitelist (10.105.211.10, 10.105.211.11, 10.105.211.12) as one comma-separated list
-N whitelist
-A whitelist -s 10.105.211.10,10.105.211.11,10.105.211.12 -j ACCEPT
# Any other source that reaches this chain is rejected here instead of returning to INPUT
-A whitelist -j REJECT --reject-with icmp-host-prohibited

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

# Whitelisted machines may access UDP ports 111 and 123 (the multiport match takes the list via --dports)
-A INPUT -m state --state NEW -p udp -m multiport --dports 111,123 -j whitelist

# Whitelisted machines may access TCP port 3306
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j whitelist

# All other machines may access every port except TCP 8080 and 8082 ("!" negates the whole port list)
-A INPUT -p tcp -m multiport ! --dports 8080,8082 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT</pre>
</div>
<p>(<span style="color: rgba(255, 0, 0, 1)"><strong>Note</strong></span>: <span style="color: rgba(255, 0, 0, 1)">-m multiport</span> matches several ports in one rule; multiple IPs or multiple ports are separated by <span style="color: rgba(255, 0, 0, 1)">ASCII <strong>commas</strong></span> with no spaces in between, otherwise starting the iptables service reports an error)</p>
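<p>To confirm that a ruleset like the two above really enforces the intended policy before it is loaded, the following Python evaluator is an added example and not code from the original post: it parses the subset of iptables-restore syntax used here (-N, -A, -s, -i, -p, --state, a plain or negated --dport/--dports, -j) and walks the INPUT chain the way the kernel does, so sample packets can be checked offline. <code>RULES</code> is the method-2 policy with the whitelist chain closed by a REJECT, <code>BUGGY</code> is the same policy with the port exclusion written as two separately negated rules, and the source 10.9.8.7, the address 127.0.0.1 and the interface name eth0 are constructed values.</p>

```python
# Added example (not the post's own tooling): an offline evaluator for the iptables-restore
# subset the post uses, so a policy can be checked against sample packets before loading it.
# Constructed ruleset: the post's "method 2" policy, whitelist chain closed by a REJECT.
RULES = """
-N whitelist
-A whitelist -s 10.105.211.10,10.105.211.11,10.105.211.12 -j ACCEPT
-A whitelist -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -p udp -m multiport --dports 111,123 -j whitelist
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j whitelist
-A INPUT -p tcp -m multiport ! --dports 8080,8082 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# Same policy with the exclusion split into two negated rules: every TCP packet matches one of them.
BUGGY = RULES.replace("-A INPUT -p tcp -m multiport ! --dports 8080,8082 -j ACCEPT",
                      "-A INPUT -p tcp ! --dport 8080 -j ACCEPT\n-A INPUT -p tcp ! --dport 8082 -j ACCEPT")

OPTS = {"-s": "src", "-i": "iface", "-p": "proto", "--state": "state", "--dport": "dport", "--dports": "dport"}

def parse(text):
    chains = {"INPUT": []}                           # chain -> [(conditions, target)]; condition = (field, values, negated)
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] == "-N":
            chains[tok[1]] = []
        if not tok or tok[0] != "-A":                # comments, *filter, :CHAIN policy lines, COMMIT
            continue
        conds, target, neg = [], None, False
        for key, val in zip(tok[2:], tok[3:]):       # each token paired with the one after it
            if key == "-j":
                target = val
            elif key in OPTS:                        # -m state/tcp/multiport need no bookkeeping
                conds.append((OPTS[key], set(val.split(",")), neg))
            neg = key == "!"                         # "!" negates only the option that follows it
        chains[tok[1]].append((conds, target))
    return chains

def verdict(chains, pkt, chain="INPUT"):
    for conds, target in chains[chain]:              # like the kernel: first terminal target wins
        if all((pkt[f] in vals) != neg for f, vals, neg in conds):
            sub = target if target in ("ACCEPT", "DROP", "REJECT") else verdict(chains, pkt, target)
            if sub is not None:                      # terminal target, or a user chain that decided
                return sub
    return None                                      # fell off the end: back to the caller / chain policy

def check(rules, src, proto, dport=None, state="NEW", iface="eth0"):
    pkt = {"src": src, "iface": iface, "proto": proto, "state": state, "dport": str(dport)}
    return verdict(parse(rules), pkt) or "ACCEPT"    # the post's INPUT policy is ACCEPT
```

<p><code>check(BUGGY, "10.9.8.7", "tcp", 8080)</code> returns ACCEPT, which is why the exclusion needs a single multiport rule (or an explicit REJECT for one of the ports) rather than two negated rules.</p>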
<p>&nbsp;</p>
<h3>After the iptables file is configured, carry out the following steps:</h3>
<p>1. <strong><span style="color: rgba(255, 0, 0, 1)">Save</span></strong> the iptables configuration with the command:</p>
<div class="cnblogs_code">
<pre>service iptables save</pre>
</div>
<p>&nbsp;</p>
<p><span style="color: rgba(0, 0, 0, 1)">2. <span style="color: rgba(255, 0, 0, 1)"><strong>Reload</strong></span> the iptables file</span></p>
<p>&nbsp;</p>
<div class="cnblogs_code">
<pre>systemctl reload iptables</pre>
</div>
<p>&nbsp;</p>
<p>or</p>
<div class="cnblogs_code">
<pre>service iptables reload</pre>
</div>
<p>&nbsp;</p>
<p><span style="color: rgba(0, 0, 0, 1)">3. </span><span><span style="color: rgba(255, 0, 0, 1)"><strong>Restart</strong></span></span> the iptables service with the command:</p>
<div class="cnblogs_code">
<pre>systemctl restart iptables</pre>
</div>
<p>or</p>
<div class="cnblogs_code">
<pre>service iptables restart</pre>
</div>
<p>&nbsp;</p>
<p>4. <span style="color: rgba(255, 0, 0, 1)"><strong>Check</strong> </span>the <span style="color: rgba(255, 0, 0, 1)">status</span> of the iptables service (a service status shown in <span style="color: rgba(255, 0, 0, 1)">green</span> as <strong><span style="color: rgba(255, 0, 0, 1)">active</span></strong> means the iptables file was loaded successfully and the service is running normally):</p>
<div class="cnblogs_code">
<pre>systemctl status iptables</pre>
</div>
<p>or</p>
<div class="cnblogs_code">
<pre>service iptables status</pre>
</div>
<p>&nbsp;</p>
<p><img src="https://img2020.cnblogs.com/blog/1148440/202009/1148440-20200922212220748-926548004.png" alt="" loading="lazy"></p>
<p>&nbsp;</p><br><br>
Source: https://www.cnblogs.com/miracle-luna/p/13714809.html