一、添加规则:设置禁止所有IP访问指定端口8075
[root@zabbix_server ~]# iptables -I INPUT -p tcp --dport 8075 -j DROP
二、测试telnet
[root@zabbix_server ~]# telnet 127.0.0.1 8075 Trying 127.0.0.1... telnet: connect to address 127.0.0.1: Connection timed out
三、删除规则:
1、查询规则编号
[root@zabbix_server ~]# iptables --line -nvL INPUT Chain INPUT (policy DROP 83 packets, 4016 bytes) num pkts bytes target prot opt in out source destination 1 8 408 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8075 2 144M 15G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 3 4037 214K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 4 3 156 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25601 5 4085 218K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 6 22638 1169K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306 7 264K 14M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9000 8 443K 23M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10050 9 76134 4093K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10051
可以看到禁止访问8075的规则编号为1
2、删除指定规则编号的规则
[root@zabbix_server ~]# iptables -D INPUT 1
再查询
[root@zabbix_server ~]# iptables --line -nvL INPUT Chain INPUT (policy DROP 20 packets, 961 bytes) num pkts bytes target prot opt in out source destination 1 144M 15G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 2 4038 214K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 3 3 156 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25601 4 4087 218K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 5 22644 1169K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306 6 264K 14M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9000 7 443K 23M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10050 8 76156 4094K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10051 9 44 2208 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dp
已经删除了,测试telnet
[root@zabbix_server ~]# telnet 127.0.0.1 8075 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'.
四、设置指定IP访问指定端口8075
1、添加规则:禁止所有IP访问8075
[root@zabbix_server ~]# iptables -I INPUT -p tcp --dport 8075 -j DROP [root@zabbix_server ~]# iptables --line -nvL INPUT Chain INPUT (policy DROP 3 packets, 156 bytes) num pkts bytes target prot opt in out source destination 1 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8075 2 145M 15G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 3 4038 214K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 4 3 156 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25601 5 4090 219K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 6 22650 1169K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306 7 264K 14M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9000 8 443K 23M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10050 9 76183 4095K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10051 10 44 2208 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3000 11 7 284 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5672 12 2 80 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dp
2、添加规则:允许127.0.0.1访问8075
[root@zabbix_server ~]# iptables -I INPUT -s 127.0.0.1 -p tcp --dport 8075 -j ACCEPT
3、查询规则:
[root@zabbix_server ~]# iptables --line -nvL INPUT Chain INPUT (policy DROP 20 packets, 1004 bytes) num pkts bytes target prot opt in out source destination 1 0 0 ACCEPT tcp -- * * 127.0.0.1 0.0.0.0/0 tcp dpt:8075 2 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8075 3 145M 15G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 4 4039 214K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 5 3 156 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25601 6 4096 219K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 7 22660 1170K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306 8 264K 14M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9000 9 443K 23M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10050
规则已经添加,测试
[root@zabbix_server ~]# telnet 127.0.0.1 8075 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'.
本机可以访问8075,其他机器上不能访问8075
[root@localhost etc]# telnet 172.28.18.75 8075
Trying 172.28.18.75...
telnet: connect to address 172.28.18.75: Connection timed out
4、允许172.28.18.71可以访问8075,(172.28.18.71是需要访问8075的服务器)
[root@zabbix_server ~]# iptables -I INPUT -s 172.28.18.71 -p tcp --dport 8075 -j ACCEPT
查看规则
[root@zabbix_server ~]# iptables --line -nvL INPUT Chain INPUT (policy DROP 9 packets, 456 bytes) num pkts bytes target prot opt in out source destination 1 0 0 ACCEPT tcp -- * * 172.28.18.71 0.0.0.0/0 tcp dpt:8075 2 3 132 ACCEPT tcp -- * * 127.0.0.1 0.0.0.0/0 tcp dpt:8075 3 7 420 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8075 4 145M 15G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 5 4040 214K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 6 3 156 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25601 7 4100 219K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 8 22674 1171K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306
在172.28.18.71上测试telnet 8075
[root@localhost etc]# telnet 172.28.18.75 8075 Trying 172.28.18.75... Connected to 172.28.18.75. Escape character is '^]'.
访问成功,保存规则
[root@zabbix_server ~]# service iptables save
iptables:将防火墙规则保存到 /etc/sysconfig/iptables:[确定]
重启服务
[root@zabbix_server ~]# service iptables save iptables:将防火墙规则保存到 /etc/sysconfig/iptables:[确定] [root@zabbix_server ~]# service iptables restart iptables:将链设置为政策 ACCEPT:filter [确定] iptables:清除防火墙规则:[确定] iptables:正在卸载模块:[确定] iptables:应用防火墙规则:[确定]
