CentOS 7: using iptables to configure an IP address whitelist

  • 2020-05-13 04:23:28
  • OfStack

Edit the iptables configuration file and change its contents to the following to get an IP address whitelist:
#vim /etc/sysconfig/iptables


*filter 
:INPUT ACCEPT [0:0] 
:FORWARD ACCEPT [0:0] 
:OUTPUT ACCEPT [0:0] 

-N whitelist 
-A whitelist -s 1.2.3.0/24 -j ACCEPT 
-A whitelist -s 4.5.6.7 -j ACCEPT 

-A INPUT -m state --state RELATED,ESTABLISHED -j whitelist 
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j whitelist 
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j whitelist 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
COMMIT 

Lines 6 to 8 of the file are the whitelist; each entry can be an IP range (CIDR block) or a single IP address.

Note that lines 10-12 use "-j whitelist" rather than "-j ACCEPT": jumping to the whitelist chain restricts access to that port to the whitelisted sources (a packet that matches no entry in the chain returns to INPUT and is rejected by the final rule), whereas "-j ACCEPT" would allow it without restriction.

Line 13 allows ping from any IP address, because it uses "-j ACCEPT" rather than the whitelist chain.

Once configured, restart the firewall service for the rules to take effect:

#systemctl restart iptables.service
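As an added example (not part of the original article), the following POSIX shell script generates a rule file with the same structure as the one above from a list of whitelisted sources and TCP ports, and rejects a whitelist entry that is not a well-formed IPv4 address or CIDR block before it is written out. The function names, sample sources and ports are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: build the article's whitelist rule file from variables.
set -f   # no pathname expansion: entries are split on "." below

# Returns 0 if $1 is an IPv4 address or an IPv4/prefix block, 1 otherwise.
valid_source() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32      # no "/": single host
    case "$prefix" in ''|*[!0-9]*) return 1;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_rules SOURCES PORTS: print an iptables-restore file in the article's
# layout. SOURCES and PORTS are whitespace-separated (constructed input).
gen_rules() {
    for src in $1; do
        valid_source "$src" || { echo "bad whitelist entry: $src" >&2; return 1; }
    done
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-N whitelist'
    for src in $1; do
        printf '%s\n' "-A whitelist -s $src -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j whitelist'
    for port in $2; do
        printf '%s\n' "-A INPUT -m state --state NEW -m tcp -p tcp --dport $port -j whitelist"
    done
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' 'COMMIT'
}

# Usage (sample values): gen_rules "1.2.3.0/24 4.5.6.7" "22 8080"
# Redirect the output to /etc/sysconfig/iptables, then run
# "iptables-restore --test < /etc/sysconfig/iptables" before restarting.
```

Running `iptables-restore --test` on the generated file catches syntax errors before the restart, which avoids locking yourself out of the host over SSH with a rule set that fails to load.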

