• Linux防火墙--iptables--白名单配置


    1.服务器22端口和1521端口开通给指定IP

    [root@node2 sysconfig]# iptables -t filter -nL INPUT
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    [root@node2 sysconfig]# iptables -F
    [root@node2 sysconfig]# iptables -t filter -nL INPUT
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    [root@node2 sysconfig]# iptables -I INPUT -s 192.168.222.1  -p tcp -m tcp --dport 22 -j ACCEPT
    [root@node2 sysconfig]# iptables -t filter -nL INPUT
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     tcp  --  192.168.222.1        0.0.0.0/0           tcp dpt:22 
    [root@node2 sysconfig]# iptables -A INPUT -j REJECT
    [root@node2 sysconfig]# iptables -I INPUT  -s 192.168.222.1  -p tcp -m tcp --dport 1521 -j ACCEPT
    [root@node2 sysconfig]# iptables -t filter -nL INPUT
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     tcp  --  192.168.222.1        0.0.0.0/0           tcp dpt:1521 
    ACCEPT     tcp  --  192.168.222.1        0.0.0.0/0           tcp dpt:22 
    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
    [root@node2 sysconfig]# service iptables save
    iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
    [root@node2 sysconfig]# service iptables restart
    iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
    iptables: Flushing firewall rules:                         [  OK  ]
    iptables: Unloading modules:                               [  OK  ]
    iptables: Applying firewall rules:                         [  OK  ]
    [root@node2 sysconfig]# iptables -t filter -nL INPUT
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     tcp  --  192.168.222.1        0.0.0.0/0           tcp dpt:1521 
    ACCEPT     tcp  --  192.168.222.1        0.0.0.0/0           tcp dpt:22 
    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
    [root@node2 sysconfig]# iptables -t filter -nL INPUT --line-numbers
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination         
    1    ACCEPT     tcp  --  192.168.222.1        0.0.0.0/0           tcp dpt:1521 
    2    ACCEPT     tcp  --  192.168.222.1        0.0.0.0/0           tcp dpt:22 
    3    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
    [root@node2 sysconfig]# iptables -t filter -D INPUT 1
    [root@node2 sysconfig]# iptables -t filter -nL INPUT --line-numbers
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination         
    1    ACCEPT     tcp  --  192.168.222.1        0.0.0.0/0           tcp dpt:22 
    2    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
    

    2.注意:iptables -F 会把原有的 RELATED,ESTABLISHED 等放行规则一并清掉(对比第一次和第二次 -nL 的输出),所以每次配置完白名单后,最后还需要用 -I 把下面两条规则重新插到链首,否则回环流量和已建立连接的回包都会被末尾的 REJECT 规则拦下;改完同样要 service iptables save 才能在重启后保留:

    iptables -I INPUT -i lo -j ACCEPT

    iptables -I INPUT -m state --state RELATED,ESTABLISHED  -j ACCEPT

    3.插入到哪一行

    先用 iptables -nL --line-numbers 查看当前各条规则的行号

    再用 -I 指定行号插入,新规则会出现在该行号的位置,原有规则依次后移

    [root@node2 sysconfig]# iptables -I INPUT 行号 -s 192.168.222.1 -p tcp -m tcp --dport 1521 -j ACCEPT

     4.针对某个端口设置白名单机制

    [root@node2 ~]# iptables  -F
    [root@node2 ~]# iptables -I INPUT -p tcp --dport 1521 -j DROP
    [root@node2 ~]# 
    [root@node2 ~]# telnet 192.168.222.11 1521
    Trying 192.168.222.11...
    ^C
    [root@node2 ~]# iptables -I INPUT -s 192.168.222.11 -p tcp --dport 1521 -j ACCEPT
    [root@node2 ~]# telnet 192.168.222.11 1521
    Trying 192.168.222.11...
    Connected to 192.168.222.11.
    Escape character is '^]'.
    

      

  • 原文地址:https://www.cnblogs.com/jycjy/p/11003913.html