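# Install the ruleset read by the RHEL-style iptables service from
# /etc/sysconfig/iptables. Policy as written: accept ICMP, accept replies to
# connections this host opened (the conntrack rule; its in-file comment says
# it stops return packets of outbound traffic from being dropped), accept TCP
# 22 and 2222, then jump to BASE-RULE, which drops anything arriving on
# ens160 from a source NOT in the `whiteiplist` ipset and returns otherwise.
#
# NOTE(review): the 22/2222 ACCEPTs precede the jump to BASE-RULE, so SSH is
# reachable from any source and is not gated by the whitelist — confirm this
# is intended (it does avoid a lockout if the admin's IP is not in the set).
# The `whiteiplist` ipset must already exist whenever this file is restored
# (including at boot), otherwise iptables-restore rejects the DROP rule.
rules_file=/etc/sysconfig/iptables

# Stage the ruleset in a temp file so a broken ruleset never replaces the
# live one; mktemp avoids predictable names in /tmp.
tmp=$(mktemp) || exit 1

# Quoted delimiter: the here-doc body is written verbatim, no shell expansion.
cat > "$tmp" << 'EOF'
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BASE-RULE - [0:0]
-A INPUT -p icmp -j ACCEPT
# 防止本机访问外部的回包被 drop 掉
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 2222 -j ACCEPT
-A INPUT -j BASE-RULE
-A BASE-RULE -i ens160 -m set ! --match-set whiteiplist src -j DROP
-A BASE-RULE -j RETURN
COMMIT
EOF

# Parse-check the ruleset (including the ipset reference) before it becomes
# the live file; a typo would otherwise surface only at the next restore,
# possibly as a lockout. `--test` builds the ruleset without committing it.
if iptables-restore --test "$tmp"; then
  # Keep the previous ruleset so the change can be backed out.
  if [[ -e "$rules_file" ]]; then
    cp -p -- "$rules_file" "$rules_file.bak"
  fi
  # 0600: the ruleset is root's business; no reason for it to be world-readable.
  install -m 0600 -- "$tmp" "$rules_file"
else
  printf 'ruleset rejected by iptables-restore --test; %s left untouched\n' "$rules_file" >&2
fi
rm -f -- "$tmp"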
$ netfilter-persistent save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/10-ipset save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/40-ipset save
添加白名单规则:
注意下面链的默认规则和接口,自行更改成实际情况
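# Install the IPv4 ruleset that netfilter-persistent / iptables-persistent
# restores from /etc/iptables/rules.v4. Policy as written: accept ICMP and
# replies to connections this host opened, then jump to BASE-RULE, which
# drops anything arriving on vmbr0 from a source NOT in the `whiteiplist`
# ipset and returns otherwise. Unlike a variant that exempts SSH, nothing
# here bypasses the whitelist: make sure the address you administer from is
# in `whiteiplist` before this ruleset is loaded, or you lock yourself out.
#
# NOTE(review): FORWARD policy is DROP with no FORWARD rules. If this host
# bridges or routes traffic for guests through vmbr0 (and bridged frames are
# passed to iptables), that traffic would be dropped — confirm before use.
# The `whiteiplist` ipset must exist when the ruleset is restored; the
# 10-ipset plugin runs before 15-ip4tables, which is what makes that work at
# boot. Apply the file with `netfilter-persistent reload`; do NOT run
# `netfilter-persistent save` afterwards, as that overwrites rules.v4 with
# whatever rules are currently loaded.
rules_file=/etc/iptables/rules.v4

# Stage the ruleset in a temp file so a broken ruleset never replaces the
# live one; mktemp avoids predictable names in /tmp.
tmp=$(mktemp) || exit 1

# Quoted delimiter: the here-doc body is written verbatim, no shell expansion.
cat > "$tmp" << 'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BASE-RULE - [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j BASE-RULE
-A BASE-RULE -i vmbr0 -m set ! --match-set whiteiplist src -j DROP
-A BASE-RULE -j RETURN
COMMIT
EOF

# Parse-check the ruleset (including the ipset reference) before it becomes
# the live file; `--test` builds the ruleset without committing it.
if iptables-restore --test "$tmp"; then
  # Keep the previous ruleset so the change can be backed out.
  if [[ -e "$rules_file" ]]; then
    cp -p -- "$rules_file" "$rules_file.bak"
  fi
  install -m 0644 -- "$tmp" "$rules_file"
else
  printf 'ruleset rejected by iptables-restore --test; %s left untouched\n' "$rules_file" >&2
fi
rm -f -- "$tmp"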