
iptables设置指定ip访问端口

06 December 2016
# Step 1: refuse every source on TCP port 3306.
iptables --insert INPUT 1 --protocol tcp --dport 3306 --jump DROP
# Steps 2 and 3 insert exceptions at position 1, i.e. ABOVE the DROP just added,
# so the resulting chain order is: this host's IP -> loopback -> DROP.
# Loopback may still connect.
iptables --insert INPUT 1 --source 127.0.0.1 --protocol tcp --dport 3306 --jump ACCEPT
# This machine's own public IP (masked in the post) may still connect.
iptables --insert INPUT 1 --source 222.**.1*6.50 --protocol tcp --dport 3306 --jump ACCEPT

一个完整的 iptables 配置，Linux 下配置好后直接执行 service iptables restart 即可生效

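# Generated by iptables-save v1.4.21 on Wed Dec 21 18:40:56 2016
*nat
:PREROUTING ACCEPT [19:1044]
:INPUT ACCEPT [18:984]
:OUTPUT ACCEPT [64:3859]
:POSTROUTING ACCEPT [64:3859]
:DOCKER - [0:0]
# Locally addressed traffic is handed to the DOCKER chain (chain and
# interface names suggest these rules were created by the Docker daemon).
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
# Source-NAT container traffic that leaves through an interface other than docker0.
-A POSTROUTING -s 192.168.0.0/20 ! -o docker0 -j MASQUERADE
# Presumably lets the container reach its own published port; the original dump
# listed this rule twice and the second copy could never match (MASQUERADE is
# terminating), so only one copy is kept.
-A POSTROUTING -s 192.168.0.2/32 -d 192.168.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
# Host port 8080 is rewritten to the container's port 80 for ANY source address;
# nothing in this table restricts who may reach 8080.
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
COMMIT
# Completed on Wed Dec 21 18:40:56 2016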
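# Generated by iptables-save v1.4.21 on Wed Dec 21 18:40:56 2016
*filter
# Default policy is ACCEPT: any port without an explicit DROP below
# (for example 1521, which only has an ACCEPT rule) is reachable from every source.
:INPUT ACCEPT [774:193963]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [799:130428]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]

# Allow-list for TCP 3306 and 11211 (presumably MySQL and memcached).
# These must stay ABOVE the DROP rules further down. The original dump contained
# the 139.199.196.106 / 3306 rule twice; the duplicate could never match and is removed.
-A INPUT -s 139.199.196.106/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 11211 -j ACCEPT
-A INPUT -s 121.40.222.5/32 -p tcp -m tcp --dport 11211 -j ACCEPT
-A INPUT -s 139.199.196.106/32 -p tcp -m tcp --dport 11211 -j ACCEPT
-A INPUT -s 101.201.104.144/32 -p tcp -m tcp --dport 11211 -j ACCEPT
-A INPUT -s 222.240.156.50/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 121.40.222.5/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# With the ACCEPT policy this rule changes nothing: there is no DROP for 1521 in
# this table, so the port is open to every source with or without it.
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 1521 -j ACCEPT

# NOTE: the following two lines must come AFTER the allow-list ====== start
# Only TCP is dropped here. Whether a service also listens on UDP 11211 is not
# shown in this dump; if it does, that UDP port stays open under the ACCEPT policy.
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p tcp -m tcp --dport 11211 -j DROP
# ==== end

# Removed from the original dump: two "-m state --state NEW ... -j ACCEPT" rules
# for 3306 and 11211 that followed the DROPs. They were unreachable, because the
# DROPs above already match every TCP packet to those ports.
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
# Forwarded traffic to the container's port 80 is accepted from any non-docker0
# interface, matching the DNAT of host port 8080 in the nat table.
-A DOCKER -d 192.168.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
COMMIT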
# Completed on Wed Dec 21 18:40:56 201