编辑/etc/sysconfig/iptables,添加
-A INPUT -m state --state NEW -m tcp -p tcp -s 127.0.0.1 --dport 6379 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp -s 126.212.173.185 --dport 6379 -j ACCEPT
以上加红地方就是只对本机和126.212.173.185开放6379端口,其他ip用telnet是无法连接的,
如果访问ip没有限制,就不需要添加-s ip地址了,例如
-A INPUT -m state --state NEW -m tcp -p tcp --dport 6379 -j ACCEPT
对了,一定要在最后添加
-A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT
否则,防火墙是不会起作用的。
重新启动防火墙
service iptables start
新的防火墙规则就配好了
附:完整的防火墙配置
# Firewall configuration written by system-config-firewall # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT #mysql -A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT #web server -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT #redis -A INPUT -m state --state NEW -m tcp -p tcp -s 127.0.0.1 --dport 6379 -j ACCEPT-A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT