• iptables 顺序


    -A INPUT -s 115.236.6.6/32 -p udp -m udp --dport 111 -j ACCEPT
    -A INPUT -s 10.175.197.98/32 -p udp -m udp --dport 111 -j ACCEPT
    -A INPUT -s 10.171.254.221/32 -p udp -m udp --dport 111 -j ACCEPT
    -A INPUT -p udp -m udp --dport 111 -j DROP
    
    -A INPUT -s 10.175.197.98/32 -p udp -m udp --dport 111 -j ACCEPT
    -A INPUT -s 115.236.6.6/32 -p tcp -m tcp --dport 111 -j ACCEPT
    -A INPUT -s 10.171.254.221/32 -p tcp -m tcp --dport 111 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 111 -j DROP
    
    -A INPUT -s 115.236.6.6/32 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j DROP
    -A INPUT -s 121.42.0.15/32 -j DROP
    
       Insert one or more rules in the selected chain as the given rule number.  So, if the rule number is 1,
       the rule or rules are inserted at the head of the chain.  This is also the default if
       no rule number is specified.
    		
    -I 插入 chain 规则的说明:
    
    在所选的 chain 中,把一条或多条规则插入到指定的规则编号位置。
    
    因此,如果规则编号是 1,规则会被插入到 chain 的头部;如果没有指定规则编号,这也是默认行为。
    [root@nfs01 ~]# cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.4.7 on Tue Sep 20 11:03:42 2016
    *filter
    :INPUT ACCEPT [1032:58291]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [1452:2612203]
    COMMIT
    # Completed on Tue Sep 20 11:03:42 2016
    
    		
    	切换到root用户  
    1、在tcp协议中,禁止所有的ip访问本机的22端口。  
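    # iptables takes the first matching rule, so the ACCEPT for a port has to sit
    # above the DROP for that port.  Inserting the DROP first and then pushing the
    # ACCEPT above it with -I (the earlier order of these commands) leaves an
    # unconditional DROP on port 22 in the chain between the two commands, and a
    # permanent one if the session typing them does not come from 115.236.6.6.
    # Insert the ACCEPT at the head first, then put the DROP at rule number 2,
    # i.e. directly below it.  The chain ends up identical, but port 22 is never
    # dropped without its ACCEPT already in place.  Type these from 115.236.6.6.
    iptables -I INPUT -s 115.236.6.6 -p tcp --dport 22 -j ACCEPT
    iptables -I INPUT 2 -p tcp --dport 22 -j DROP

    # Port 111 (rpcbind/portmapper): the three ACCEPTs land at positions 1-3, so 4 is
    # the slot right after them regardless of what else was already in the chain.
    iptables -I INPUT -s 115.236.6.6 -p tcp --dport 111 -j ACCEPT
    iptables -I INPUT -s 10.175.197.98 -p tcp --dport 111 -j ACCEPT
    iptables -I INPUT -s 10.171.254.221 -p tcp --dport 111 -j ACCEPT
    iptables -I INPUT 4 -p tcp --dport 111 -j DROP

    # Same for UDP; rpcbind listens on both.
    iptables -I INPUT -s 115.236.6.6 -p udp --dport 111 -j ACCEPT
    iptables -I INPUT -s 10.175.197.98 -p udp --dport 111 -j ACCEPT
    iptables -I INPUT -s 10.171.254.221 -p udp --dport 111 -j ACCEPT
    iptables -I INPUT 4 -p udp --dport 111 -j DROP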
    		
    
    # service iptables save  
    3.重启防火墙  
    #service iptables restart 		
    
    
    api01:/nfs01/zjprd/contract> telnet 10.171.250.68 111
    Trying 10.171.250.68...
    Connected to 10.171.250.68.
    Escape character is '^]'.
    
    
    [root@nfs01 ~]# cat a1.sh
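    #!/usr/bin/env bash
    # a1.sh -- limit sshd (22/tcp) and rpcbind (111/tcp, 111/udp) on this host to
    # a short list of trusted source addresses; every other source is dropped for
    # those ports.  Nothing else in the INPUT chain is touched.
    #
    # iptables takes the first matching rule, so every ACCEPT has to sit above the
    # DROP for the same port.  The earlier version of this script got that order
    # by inserting the DROP first and then pushing the ACCEPTs above it with -I,
    # which means the chain holds an unconditional DROP for port 22 between two
    # commands -- and if the script is run over ssh from an address that is not
    # on the list, that DROP is permanent.  Here the ACCEPTs for a port go in
    # first (each -I lands at position 1) and the DROP is then inserted by rule
    # number directly below them, so the chain never drops a port without its
    # ACCEPTs already in place.  The resulting chain is the same as before.
    #
    # Not idempotent: each run inserts a fresh copy of every rule.  Remove the old
    # ones first ("iptables -D INPUT <rule>", or reload the saved rule file).
    set -euo pipefail

    # Trusted sources: port 22 is admin-only, port 111 also needs the NFS clients.
    readonly admin_ip=115.236.160.82
    readonly -a rpc_clients=("$admin_ip" 10.175.197.98 10.171.254.221)

    die() { printf '%s\n' "$*" >&2; exit 1; }

    #######################################
    # Allow the listed sources to one port and drop everyone else.
    # Arguments: $1 - protocol (tcp or udp); $2 - destination port;
    #            $3... - source addresses to ACCEPT (at least one)
    # Side effects: inserts the ACCEPT rules at the head of INPUT and one DROP
    #               rule immediately below them
    #######################################
    restrict_port() {
      local proto=$1 port=$2
      shift 2
      (( $# >= 1 )) || die "restrict_port ${proto}/${port}: no allowed sources given"
      local src
      for src in "$@"; do
        iptables -I INPUT -s "$src" -p "$proto" --dport "$port" -j ACCEPT
      done
      # The ACCEPTs now occupy positions 1..N, so N+1 is the slot directly below
      # them whatever else was already in the chain.
      iptables -I INPUT "$(( $# + 1 ))" -p "$proto" --dport "$port" -j DROP
    }

    main() {
      (( EUID == 0 )) || die "iptables needs root"
      # Best-effort guard against locking out the session this runs from: when
      # we arrived over ssh, the client address must be the one that keeps port 22.
      # (sudo's env_reset can drop SSH_CLIENT, in which case this check is skipped.)
      local client=${SSH_CLIENT:-}
      client=${client%% *}
      if [[ -n "$client" && "$client" != "$admin_ip" ]]; then
        die "ssh client $client is not $admin_ip; this would cut off the current session"
      fi
      restrict_port tcp 22 "$admin_ip"
      restrict_port tcp 111 "${rpc_clients[@]}"
      restrict_port udp 111 "${rpc_clients[@]}"
    }

    main "$@"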
    
    
    [root@nfs01 ~]# cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.4.7 on Tue Sep 20 11:18:45 2016
    *filter
    :INPUT ACCEPT [100:5792]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [104:8990]
    -A INPUT -s 10.171.254.221/32 -p udp -m udp --dport 111 -j ACCEPT 
    -A INPUT -s 10.175.197.98/32 -p udp -m udp --dport 111 -j ACCEPT 
    -A INPUT -s 115.236.6.6/32 -p udp -m udp --dport 111 -j ACCEPT 
    -A INPUT -p udp -m udp --dport 111 -j DROP 
    -A INPUT -s 10.171.254.221/32 -p tcp -m tcp --dport 111 -j ACCEPT 
    -A INPUT -s 10.175.197.98/32 -p tcp -m tcp --dport 111 -j ACCEPT 
    -A INPUT -s 115.236.6.6/32 -p tcp -m tcp --dport 111 -j ACCEPT 
    -A INPUT -p tcp -m tcp --dport 111 -j DROP 
    -A INPUT -s 115.236.6.6/32 -p tcp -m tcp --dport 22 -j ACCEPT 
    -A INPUT -p tcp -m tcp --dport 22 -j DROP 
    COMMIT
    # Completed on Tue Sep 20 11:18:45 2016
    
    
    正常顺序是先允许,后拒绝所有(iptables 按顺序匹配,第一条命中的规则生效,所以 ACCEPT 必须排在 DROP 之前)。

  • 原文地址:https://www.cnblogs.com/hzcya1995/p/13350239.html