1.服务器22端口和1521端口开通给指定IP
[root@node2 sysconfig]# iptables -t filter -nL INPUT Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited [root@node2 sysconfig]# iptables -F [root@node2 sysconfig]# iptables -t filter -nL INPUT Chain INPUT (policy ACCEPT) target prot opt source destination [root@node2 sysconfig]# iptables -I INPUT -s 192.168.222.1 -p tcp -m tcp --dport 22 -j ACCEPT [root@node2 sysconfig]# iptables -t filter -nL INPUT Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 192.168.222.1 0.0.0.0/0 tcp dpt:22 [root@node2 sysconfig]# iptables -A INPUT -j REJECT [root@node2 sysconfig]# iptables -I INPUT -s 192.168.222.1 -p tcp -m tcp --dport 1521 -j ACCEPT [root@node2 sysconfig]# iptables -t filter -nL INPUT Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 192.168.222.1 0.0.0.0/0 tcp dpt:1521 ACCEPT tcp -- 192.168.222.1 0.0.0.0/0 tcp dpt:22 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable [root@node2 sysconfig]# service iptables save iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ] [root@node2 sysconfig]# service iptables restart iptables: Setting chains to policy ACCEPT: filter [ OK ] iptables: Flushing firewall rules: [ OK ] iptables: Unloading modules: [ OK ] iptables: Applying firewall rules: [ OK ] [root@node2 sysconfig]# iptables -t filter -nL INPUT Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 192.168.222.1 0.0.0.0/0 tcp dpt:1521 ACCEPT tcp -- 192.168.222.1 0.0.0.0/0 tcp dpt:22 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable [root@node2 sysconfig]# iptables -t filter -nL INPUT --line-numbers Chain INPUT (policy ACCEPT) num target prot opt source destination 1 ACCEPT tcp -- 192.168.222.1 
0.0.0.0/0 tcp dpt:1521 2 ACCEPT tcp -- 192.168.222.1 0.0.0.0/0 tcp dpt:22 3 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable [root@node2 sysconfig]# iptables -t filter -D INPUT 1 [root@node2 sysconfig]# iptables -t filter -nL INPUT --line-numbers Chain INPUT (policy ACCEPT) num target prot opt source destination 1 ACCEPT tcp -- 192.168.222.1 0.0.0.0/0 tcp dpt:22 2 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
2.注意：每次规则配置完成后，最后都需要再添加以下两条规则（放行回环接口的流量和已建立/关联连接的流量）。上面的 iptables -F 已把系统自带的这两条规则清掉，如果不补回来，末尾的 REJECT 会把本机发起连接的回包也拦掉。
# Both rules use -I so they are inserted at the head of the INPUT chain and
# are evaluated before the catch-all "iptables -A INPUT -j REJECT" appended in
# the transcript above; with -A they would sit below that REJECT and never match.
# Accept everything arriving on the loopback interface (local services talking
# to each other). The earlier "iptables -F" removed the stock rule for this.
iptables -I INPUT -i lo -j ACCEPT
# Accept packets that belong to an already established connection or are
# related to one (e.g. replies to connections this host itself opened). The
# stock "state RELATED,ESTABLISHED" rule was also lost to the flush above.
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
3.插入到哪一行
先用 iptables -nL --line-numbers 查看当前规则的行号
插入到指定的行
[root@node2 sysconfig]# iptables -I INPUT 行号 -s 192.168.222.1 -p tcp -m tcp --dport 1521 -j ACCEPT
4.针对某个端口设置白名单机制
[root@node2 ~]# iptables -F [root@node2 ~]# iptables -I INPUT -p tcp --dport 1521 -j DROP [root@node2 ~]# [root@node2 ~]# telnet 192.168.222.11 1521 Trying 192.168.222.11... ^C [root@node2 ~]# iptables -I INPUT -s 192.168.222.11 -p tcp --dport 1521 -j ACCEPT [root@node2 ~]# telnet 192.168.222.11 1521 Trying 192.168.222.11... Connected to 192.168.222.11. Escape character is '^]'.