iptables: restricting access to a port to specific IPs

I. Add a rule: block all IPs from reaching port 8075

-I inserts the rule at position 1 of the INPUT chain, ahead of the existing RELATED,ESTABLISHED rule, so it drops packets belonging to connections to 8075 that were already open as well as new ones.

    [root@zabbix_server ~]# iptables -I INPUT -p tcp --dport 8075 -j DROP

II. Test with telnet

    [root@zabbix_server ~]# telnet 127.0.0.1 8075
    Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection timed out

The connection times out rather than being refused because the target is DROP, which discards the SYN silently; a REJECT target would answer with a TCP reset or ICMP error and telnet would report "Connection refused" at once.

III. Delete the rule

1. Look up the rule number

    [root@zabbix_server ~]# iptables --line -nvL INPUT
    Chain INPUT (policy DROP 83 packets, 4016 bytes)
    num   pkts bytes target     prot opt in     out     source               destination         
    1        8   408 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8075 
    2     144M   15G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    3     4037  214K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    4        3   156 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25601 
    5     4085  218K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
    6    22638 1169K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306 
    7     264K   14M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9000 
    8     443K   23M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10050 
    9    76134 4093K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10051 

The rule blocking access to 8075 is number 1.

2. Delete the rule by its number

    [root@zabbix_server ~]# iptables -D INPUT 1

List the chain again:

    [root@zabbix_server ~]# iptables --line -nvL INPUT
    Chain INPUT (policy DROP 20 packets, 961 bytes)
    num   pkts bytes target     prot opt in     out     source               destination         
    1     144M   15G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    2     4038  214K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    3        3   156 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25601 
    4     4087  218K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
    5    22644 1169K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306 
    6     264K   14M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9000 
    7     443K   23M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10050 
    8    76156 4094K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10051 
    9       44  2208 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dp

The rule is gone; test with telnet again:

    [root@zabbix_server ~]# telnet 127.0.0.1 8075
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '^]'.

IV. Allow only specific IPs to reach port 8075

1. Add the rule that blocks all IPs from 8075

    [root@zabbix_server ~]# iptables -I INPUT -p tcp --dport 8075 -j DROP
    [root@zabbix_server ~]# iptables --line -nvL INPUT
    Chain INPUT (policy DROP 3 packets, 156 bytes)
    num   pkts bytes target     prot opt in     out     source               destination         
    1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8075 
    2     145M   15G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    3     4038  214K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    4        3   156 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25601 
    5     4090  219K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
    6    22650 1169K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306 
    7     264K   14M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9000 
    8     443K   23M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10050 
    9    76183 4095K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10051 
    10      44  2208 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3000 
    11       7   284 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:5672 
    12       2    80 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dp

2. Add a rule allowing 127.0.0.1 to reach 8075

Because -I puts the new rule at the top of the chain, this ACCEPT lands above the DROP. iptables evaluates rules in order and the first match wins, so an ACCEPT appended with -A would sit below the DROP and never match.

    [root@zabbix_server ~]# iptables -I INPUT -s 127.0.0.1 -p tcp --dport 8075 -j ACCEPT

3. List the rules:

    [root@zabbix_server ~]# iptables --line -nvL INPUT
    Chain INPUT (policy DROP 20 packets, 1004 bytes)
    num   pkts bytes target     prot opt in     out     source               destination         
    1        0     0 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0           tcp dpt:8075 
    2        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8075 
    3     145M   15G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    4     4039  214K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    5        3   156 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25601 
    6     4096  219K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
    7    22660 1170K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306 
    8     264K   14M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9000 
    9     443K   23M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10050 

The rule is in place; test:

    [root@zabbix_server ~]# telnet 127.0.0.1 8075
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '^]'.

The local host can reach 8075; other machines cannot:

    [root@localhost etc]# telnet 172.28.18.75 8075
    Trying 172.28.18.75...
    telnet: connect to address 172.28.18.75: Connection timed out

4. Allow 172.28.18.71 to reach 8075 (172.28.18.71 is the server that needs access to 8075)

    [root@zabbix_server ~]# iptables -I INPUT -s 172.28.18.71 -p tcp --dport 8075 -j ACCEPT

List the rules:

    [root@zabbix_server ~]# iptables --line -nvL INPUT
    Chain INPUT (policy DROP 9 packets, 456 bytes)
    num   pkts bytes target     prot opt in     out     source               destination         
    1        0     0 ACCEPT     tcp  --  *      *       172.28.18.71         0.0.0.0/0           tcp dpt:8075 
    2        3   132 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0           tcp dpt:8075 
    3        7   420 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8075 
    4     145M   15G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    5     4040  214K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    6        3   156 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25601 
    7     4100  219K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
    8    22674 1171K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306 

On 172.28.18.71, telnet to port 8075:

    [root@localhost etc]# telnet 172.28.18.75 8075
    Trying 172.28.18.75...
    Connected to 172.28.18.75.
    Escape character is '^]'.

Access works; save the rules:

    [root@zabbix_server ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]

Restart the service:

    [root@zabbix_server ~]# service iptables restart
    iptables: Setting chains to policy ACCEPT: filter [  OK  ]
    iptables: Flushing firewall rules: [  OK  ]
    iptables: Unloading modules: [  OK  ]
    iptables: Applying firewall rules: [  OK  ]

The first two lines of that output show what the init script does on a restart: it sets every chain's policy to ACCEPT and flushes all rules before reloading the saved set, so for a moment nothing is filtered. The rules already in effect were made persistent by the save, so the restart is optional; its only purpose is to confirm that the saved file loads cleanly.
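The whole procedure stands or falls on rule order: the per-source ACCEPTs must sit above the catch-all DROP, and nothing above the DROP may ACCEPT the port from anywhere. The script below is an added example written for this page, not code from the original post: it parses the output format of iptables --line -nvL INPUT shown throughout the walkthrough and audits one port against an allow-list. The two listings inside it are constructed to resemble the post's output (one mirrors the final state of step IV.4, the other shows what happens when the rules are appended with -A instead of inserted with -I); the function names, the allow-list and the "sees a NEW connection" heuristic are my own assumptions.

```python
"""Audit an `iptables --line -nvL INPUT` listing for a per-port allow-list.

Added example; not code from the original post. The sample listings are
constructed to resemble the post's output and are not real captures.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

ANY = "0.0.0.0/0"
DPT_RE = re.compile(r"\bdpt:(\d+)\b")


@dataclass
class Rule:
    num: int
    target: str
    proto: str
    source: str
    dport: Optional[int]   # None when the rule carries no dpt: match
    extra: str             # trailing match text, e.g. 'state NEW tcp dpt:80'


def parse_listing(text: str) -> List[Rule]:
    """Parse the table printed by `iptables --line -nvL <chain>`."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the 'Chain ...' and 'num pkts bytes ...' header lines.
        if len(parts) < 10 or not parts[0].isdigit():
            continue
        num, _pkts, _bytes, target, proto, _opt, _in, _out, src, _dst = parts[:10]
        extra = " ".join(parts[10:])
        m = DPT_RE.search(extra)
        rules.append(Rule(int(num), target, proto, src,
                          int(m.group(1)) if m else None, extra))
    return rules


def _sees_new_tcp(r: Rule, port: int) -> bool:
    """Would this rule be consulted for a NEW TCP connection to `port`? (assumed heuristic)"""
    if "RELATED,ESTABLISHED" in r.extra:
        return False          # conntrack rule: never matches the first SYN
    if r.proto == "tcp":
        return r.dport in (port, None)
    return r.proto == "all" and r.dport is None


def audit_port(rules: List[Rule], port: int, allowed: Set[str]) -> List[str]:
    """Return findings for tcp/`port`; an empty list means the allow-list is sound."""
    relevant = [r for r in rules if _sees_new_tcp(r, port)]
    drop = next((r for r in relevant
                 if r.target in ("DROP", "REJECT") and r.source == ANY), None)
    if drop is None:
        return [f"no catch-all DROP/REJECT for tcp/{port}: the port is not restricted"]
    findings, seen, dead = [], set(), set()
    for r in relevant:
        if r.target != "ACCEPT":
            continue
        if r.num < drop.num:                       # above the DROP: reachable
            if r.source == ANY:
                findings.append(f"rule {r.num} ACCEPTs tcp/{port} from anywhere "
                                f"and shadows the DROP at rule {drop.num}")
            elif r.source in allowed:
                seen.add(r.source)
            else:
                findings.append(f"rule {r.num} ACCEPTs tcp/{port} from {r.source}, "
                                f"which is not on the allow-list")
        elif r.source in allowed:                  # below the DROP: never matched
            dead.add(r.source)
            findings.append(f"rule {r.num} (ACCEPT from {r.source}) is dead: "
                            f"the DROP at rule {drop.num} precedes it (added with -A?)")
    for src in sorted(allowed - seen - dead):
        findings.append(f"no ACCEPT for {src} above the DROP at rule {drop.num}")
    return findings


# Constructed to mirror the post's listing after step IV.4 (not a real capture).
GOOD_LISTING = """\
Chain INPUT (policy DROP 9 packets, 456 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       172.28.18.71         0.0.0.0/0           tcp dpt:8075
2        3   132 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0           tcp dpt:8075
3        7   420 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8075
4     145M   15G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
5     4040  214K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
6     4100  219K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
"""

# Constructed: same intent, but the DROP and the allowed host were appended with -A,
# so an older catch-all ACCEPT for 8075 still wins and the host-specific rule is dead.
BAD_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     145M   15G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2       12   624 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8075
3        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8075
4        0     0 ACCEPT     tcp  --  *      *       172.28.18.71         0.0.0.0/0           tcp dpt:8075
"""

if __name__ == "__main__":
    for name, listing in (("good", GOOD_LISTING), ("bad", BAD_LISTING)):
        result = audit_port(parse_listing(listing), 8075, {"172.28.18.71", "127.0.0.1"})
        for line in result or ["ok"]:
            print(f"{name}: {line}")
```

On a live host, feed it the real output with iptables --line -nvL INPUT | python3 audit.py after replacing the constructed listings with stdin; the check to keep in mind is the "shadows" finding, since a catch-all ACCEPT for the port anywhere above the DROP turns the whole allow-list into decoration.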
Original post: https://www.cnblogs.com/sky-cheng/p/11596678.html