一、禁用firewalld 安装iptables
systemctl disable firewalld
systemctl mask firewall
yum install iptables iptables-services
systemctl enable iptables.service
二、关闭SELINUX
至于为什么关闭selinux,请看知乎网友的回答 GO
vi /etc/selinux/config
#SELINUX=enforcing #注释掉
#SELINUXTYPE=targeted #注释掉
SELINUX=disabled #增加
:wq! #保存退出
setenforce 0 #使配置立即生效
编辑iptables配置文件,将文件内容更改为如下,则具备了ip地址白名单功能
#vim /etc/sysconfig/iptables点击(此处)折叠或打开
- *filter
- :INPUT ACCEPT [0:0]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- -N whitelist
- -A whitelist -s 1.2.3.0/24 -j ACCEPT
- -A whitelist -s 4.5.6.7 -j ACCEPT
- -A INPUT -m state --state RELATED,ESTABLISHED -j whitelist
- -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j whitelist
- -A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j whitelist
- -A INPUT -p icmp -j ACCEPT
- -A INPUT -i lo -j ACCEPT
- -A INPUT -j REJECT --reject-with icmp-host-prohibited
- -A FORWARD -j REJECT --reject-with icmp-host-prohibited
- COMMIT
10~12行 注意的是“-j whitelist”而不是“-j ACCEPT”,前者将该端口访问权限限制在白名单内,后者为不限制
13行 任何ip地址都能ping通该主机,因为 “-j ACCEPT ”没有做相应限制
配置完毕后,运行命令重启防火墙使规则生效
#systemctl restart iptables.service
/etc/sysconfig/iptables 配置文件内容:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-N whitelist
-A whitelist -s 210.12.*.* -j ACCEPT
-A whitelist -s 114.*.*.* -j ACCEPT
-A whitelist -s *.*.*.* -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j whitelist
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT #允许所有人可以访问22端口
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j whitelist # 白名单的用户可以访问80端口
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT