CentOS 7 ships with firewalld as its default firewall. Here is how to switch it to iptables:
1. Stop firewalld: sudo systemctl stop firewalld.service
systemctl start firewalld.service #start firewalld
systemctl stop firewalld.service #stop firewalld (this is the command used here)
systemctl disable firewalld.service #keep firewalld from starting at boot
2. Disable it at boot: sudo systemctl disable firewalld.service
3. Install the iptables service: sudo yum install iptables-services
4. Configure iptables to open the ports you need (examples are easy to find online).
5. Enable iptables at boot: sudo systemctl enable iptables
6. Edit the firewall configuration file on the server, /etc/sysconfig/iptables (back this file up first so it can be restored if the new rules do not work).
6.1 Replace the contents of the iptables configuration file with the following to get IP address whitelisting:
#vim /etc/sysconfig/iptables
The configuration is as follows:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-N whitelist
-A whitelist -s 1.2.3.4/24 -j ACCEPT
-A whitelist -s 2.3.4.5 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Jump to the whitelist chain rather than ACCEPT: only whitelisted sources reach
# these ports, and unmatched packets fall through to the final REJECT. Add your
# own management address to the whitelist first, or SSH on port 22 is cut off.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j whitelist
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j whitelist
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j whitelist
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
The "-A whitelist" lines add the whitelist entries; each can be an IP range or a single IP address.
Note that the port rules (22, 8080, 80) use "-j whitelist" rather than "-j ACCEPT": the former restricts access to that port to the whitelist, the latter imposes no restriction.
The icmp rule lets any IP address ping the host, because its "-j ACCEPT" applies no such restriction.
Once the file is configured, restart the firewall so the rules take effect:
#systemctl restart iptables.service
Because my server sits behind 360 Website Guard CDN cloud protection and Baidu Cloud CDN, I looked up the corresponding IP ranges to allow; they are listed below (adjust them to your own needs).
The configuration is as follows:
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-N whitelist
# The original file had /255 on the next two lines, which is not a valid prefix
# length and makes iptables-restore abort; /24 (last octet 0-255) is assumed here.
-A whitelist -s 36.27.212.0/24 -j ACCEPT
-A whitelist -s 123.129.232.0/24 -j ACCEPT
-A whitelist -s 119.188.9.0/24 -j ACCEPT
-A whitelist -s 42.236.93.0/24 -j ACCEPT
-A whitelist -s 220.170.185.0/24 -j ACCEPT
-A whitelist -s 115.231.186.0/25 -j ACCEPT
-A whitelist -s 183.232.51.0/24 -j ACCEPT
-A whitelist -s 61.182.137.0/25 -j ACCEPT
-A whitelist -s 112.25.90.0/24 -j ACCEPT
# Originally /191 (invalid); /26 covers the last-octet range 128-191, assumed intent.
-A whitelist -s 59.51.81.128/26 -j ACCEPT
-A whitelist -s 222.216.190.0/24 -j ACCEPT
-A whitelist -s 122.190.2.0/24 -j ACCEPT
-A whitelist -s 125.39.239.0/24 -j ACCEPT
-A whitelist -s 183.61.177.0/24 -j ACCEPT
-A whitelist -s 183.61.236.0/24 -j ACCEPT
# Originally /191 (invalid); /26 covers the last-octet range 128-191, assumed intent.
-A whitelist -s 124.95.168.128/26 -j ACCEPT
-A whitelist -s 124.95.191.0/24 -j ACCEPT
-A whitelist -s 58.211.2.0/24 -j ACCEPT
-A whitelist -s 117.34.13.0/24 -j ACCEPT
-A whitelist -s 150.138.150.0/24 -j ACCEPT
-A whitelist -s 150.138.149.128/25 -j ACCEPT
-A whitelist -s 157.255.25.0/24 -j ACCEPT
-A whitelist -s 113.207.101.0/25 -j ACCEPT
-A whitelist -s 111.32.135.0/25 -j ACCEPT
-A whitelist -s 42.81.6.0/25 -j ACCEPT
-A whitelist -s 115.231.187.148 -j ACCEPT
-A whitelist -s 58.211.137.148 -j ACCEPT
-A whitelist -s 117.34.14.148 -j ACCEPT
-A whitelist -s 125.39.174.148 -j ACCEPT
-A whitelist -s 42.236.94.148 -j ACCEPT
-A whitelist -s 113.207.102.148 -j ACCEPT
-A whitelist -s 122.190.3.148 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
# Assumption: the CDN fronts the web ports, so only those are sent through the
# whitelist chain; the original file used -j ACCEPT here, which left the
# whitelist chain defined but never consulted. Port 3306 (and 1521 above) stays
# open to every source as in the original; restrict it too if it need not be public.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j whitelist
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j whitelist
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j whitelist
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
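As an added check (not part of the original post), the small Python lint below reads an iptables-restore file and reports the mistakes that can creep into files like the two above: a -s mask that is not a valid prefix length (iptables-restore then aborts the whole load), an entry with host bits set (the kernel silently masks them off, so the rule matches a different network than written), and a user chain such as whitelist that is declared but never reached by a -j jump. The function name lint_rules and the sample rules are constructed for this demonstration.

```python
import ipaddress
import shlex

# Constructed sample modelled on the post's config (not a real server file):
# two invalid masks, one entry with host bits set, and a chain nothing jumps to.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-N whitelist
-A whitelist -s 36.27.212.0/255 -j ACCEPT
-A whitelist -s 59.51.81.128/191 -j ACCEPT
-A whitelist -s 1.2.3.4/24 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

BUILTIN = {"INPUT", "FORWARD", "OUTPUT", "ACCEPT", "DROP", "REJECT", "RETURN"}

def lint_rules(text):
    """Lint iptables-restore text; return (line_no, message), 0 = whole file."""
    findings, defined, jumped = [], set(), set()
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(("#", "*", "COMMIT")):
            continue
        if line.startswith(":"):            # ":CHAIN POLICY [pkts:bytes]"
            defined.add(line[1:].split()[0])
            continue
        argv = shlex.split(line)
        for flag, val in zip(argv, argv[1:]):
            if flag == "-N":
                defined.add(val)
            elif flag == "-j":
                jumped.add(val)
            elif flag in ("-s", "-d"):
                try:
                    net = ipaddress.ip_network(val, strict=False)
                except ValueError:          # e.g. /255 or /191: restore aborts
                    findings.append((no, f"invalid address/mask {val!r}"))
                    continue
                base = ipaddress.ip_address(val.split("/")[0])
                if net.network_address != base:   # host bits silently masked off
                    findings.append((no, f"host bits set in {val!r}; "
                                         f"the kernel matches {net.with_prefixlen}"))
    # A user chain that nothing jumps to filters nothing at all.
    for chain in sorted(defined - BUILTIN - jumped):
        findings.append((0, f"chain {chain!r} is defined but never jumped to"))
    return findings
```

Run it against /etc/sysconfig/iptables before restarting the service; an empty result means every mask parses, every network is written as the kernel will match it, and every user chain is actually in the packet path.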