CentOS 7: configuring an IP address whitelist with iptables
- 2020-05-13 04:23:28
- OfStack
Edit the iptables configuration file and replace its contents with the following; the result is an IP address whitelist:
# vim /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-N whitelist
-A whitelist -s 1.2.3.0/24 -j ACCEPT
-A whitelist -s 4.5.6.7 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j whitelist
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j whitelist
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j whitelist
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
The two "-A whitelist -s ... -j ACCEPT" rules are the whitelist itself; each entry can be a subnet (1.2.3.0/24) or a single address (4.5.6.7). A packet that matches no entry falls off the end of the whitelist chain and returns to INPUT, where it eventually reaches the final REJECT rule.
The INPUT rules for the RELATED,ESTABLISHED state and for TCP ports 22 and 8080 use "-j whitelist" rather than "-j ACCEPT", so those ports are reachable only from whitelisted addresses; "-j ACCEPT" would open them to everyone. Because RELATED,ESTABLISHED traffic is also sent through the whitelist, replies to connections the host itself opens to non-whitelisted addresses are rejected as well.
The ICMP rule uses "-j ACCEPT" with no source restriction, so any address can ping the host.
Once the file is saved, restart the firewall service for the rules to take effect:
# systemctl restart iptables.service
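To check what a ruleset like this actually does before loading it, it helps to walk sample packets through the chains by hand. The following is an added example, not code from the original post: a small Python evaluator that parses the iptables-save format shown above (only the options used in this post are supported, which is an assumption of the example) and reports the verdict for a given source address, protocol, port, conntrack state and interface. The embedded ruleset is a constructed copy of the one above, and the addresses 9.9.9.9 and 4.5.6.8 are made-up non-whitelisted sources. It also shows the fall-through of the whitelist chain and the fate of replies to outbound connections.

```python
"""Walk sample packets through an iptables-save style filter table."""
import ipaddress
import shlex

# Constructed copy of the ruleset from the post (filter table only).
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-N whitelist
-A whitelist -s 1.2.3.0/24 -j ACCEPT
-A whitelist -s 4.5.6.7 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j whitelist
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j whitelist
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j whitelist
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_ruleset(text):
    """Return (policies, chains): chain policy per name, rules per chain."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                 # built-in chain with policy
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains.setdefault(name, [])
            continue
        argv = shlex.split(line)
        if argv[0] == "-N":                      # user-defined chain, no policy
            chains.setdefault(argv[1], [])
            policies.setdefault(argv[1], None)
            continue
        if argv[0] != "-A":
            raise ValueError("unsupported line: " + line)
        rule = {"src": None, "proto": None, "dport": None,
                "states": None, "iface": None, "target": None}
        i = 2
        while i < len(argv):
            opt, arg = argv[i], argv[i + 1]
            if opt == "-s":
                rule["src"] = ipaddress.ip_network(arg, strict=False)
            elif opt == "-p":
                rule["proto"] = arg
            elif opt == "--dport":
                rule["dport"] = int(arg)
            elif opt == "--state":
                rule["states"] = set(arg.split(","))
            elif opt == "-i":
                rule["iface"] = arg
            elif opt == "-j":
                rule["target"] = arg
            elif opt not in ("-m", "--reject-with"):  # these carry no match logic here
                raise ValueError(f"unsupported option {opt} in: {line}")
            i += 2
        chains.setdefault(argv[1], []).append(rule)
    return policies, chains


def matches(rule, pkt):
    """True when every match option present on the rule fits the packet."""
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["states"] is not None and pkt["state"] not in rule["states"]:
        return False
    if rule["iface"] is not None and rule["iface"] != pkt["iface"]:
        return False
    return True


def verdict(policies, chains, pkt, chain="INPUT"):
    """First terminating target hit; a user chain with no hit returns None."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            break
        sub = verdict(policies, chains, pkt, target)  # jump into user chain
        if sub is not None:
            return sub                                # else fall through
    return policies.get(chain)


POLICIES, CHAINS = parse_ruleset(RULESET)


def evaluate(src, proto, dport=None, state="NEW", iface="eth0"):
    """Verdict of the INPUT chain for one described packet."""
    pkt = {"src": src, "proto": proto, "dport": dport, "state": state, "iface": iface}
    return verdict(POLICIES, CHAINS, pkt)


if __name__ == "__main__":
    for args in [("1.2.3.4", "tcp", 22), ("9.9.9.9", "tcp", 22),
                 ("9.9.9.9", "icmp"), ("9.9.9.9", "tcp", 443, "ESTABLISHED")]:
        print(args, "->", evaluate(*args))
```

The ESTABLISHED case for 9.9.9.9 is the one worth running: the reply to a connection the host opened itself is sent through the whitelist chain, finds no matching entry, falls back into INPUT and is rejected by the last rule.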