iptables: restricting access to the server's Redis port to a specified client IP

1. Requirement

Server 172.28.18.75 has the Redis port 6379 open. Because no login password has been set, the firewall must be configured so that only the specified client IP address 172.28.5.125 can reach the Redis port.

2. View the firewall rules on 172.28.18.75

[root@zabbix_server ~]# iptables -nvL
Chain INPUT (policy DROP 2 packets, 104 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 230K   23M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    9   708 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25601 
   14  8190 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
   32  1681 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306 
  516 26832 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9000 
  734 38168 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10050 
  126  6776 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10051 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3000 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:5672 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:15672 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25672 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:4369 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2222 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8078 
   29  1508 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8080 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8081 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:5000 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8080 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8078 
   53  3122 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8079 
    3   164 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8075 

Chain INPUT (policy DROP 2 packets, 104 bytes): the chain's default policy is DROP, so only rules allowing the permitted IP addresses need to be added.


3. Add a rule: allow the IP 127.0.0.1 to access Redis on port 6379

[root@zabbix_server ~]# iptables -A INPUT -s 127.0.0.1 -p tcp --dport 6379 -j ACCEPT

Test on 172.28.18.75

[root@zabbix_server ~]# redis-cli 
127.0.0.1:6379> get keys
(nil)

4. Add a rule: allow the IP 172.28.5.125 to access Redis on port 6379 of 172.28.18.75

[root@zabbix_server ~]# iptables -A INPUT -s 172.28.5.125 -p tcp --dport 6379 -j ACCEPT

View the rules and test

[root@zabbix_server ~]# iptables -nvL
Chain INPUT (policy DROP 10 packets, 496 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 466K   46M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    9   708 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25601 
   24  8710 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
   62  3241 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306 
 1054 54808 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9000 
 1486 77272 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10050 
  254 13656 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10051 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3000 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:5672 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:15672 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25672 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:4369 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2222 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8078 
   59  3068 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8080 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8081 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:5000 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8080 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8078 
  104  5774 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8079 
    3   164 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8075 
    2   104 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0           tcp dpt:6379 
    0     0 ACCEPT     tcp  --  *      *       172.28.5.125         0.0.0.0/0           tcp dpt:6379 

Test on 172.28.5.125

[root@redis-03 ~]# redis-cli -h 172.28.18.75
172.28.18.75:6379> get keys
(nil)

Access succeeds.
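As an added check (not part of the original post), this Python script parses an `iptables -nvL` listing like the one above and reports which sources may open a new connection to port 6379, flagging the port as exposed when a rule accepts 0.0.0.0/0 or the chain policy is not DROP. The sample listing is a constructed, abridged copy of the one shown above; the walk also models first-match ordering, so a rule appended with -A after a catch-all DROP is correctly reported as never firing.

```python
import re

# Constructed sample input: an abridged copy of the `iptables -nvL` listing on this page.
SAMPLE = """\
Chain INPUT (policy DROP 10 packets, 496 bytes)
 pkts bytes target     prot opt in     out     source               destination
 466K   46M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    9   708 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   24  8710 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
    2   104 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0           tcp dpt:6379
    0     0 ACCEPT     tcp  --  *      *       172.28.5.125         0.0.0.0/0           tcp dpt:6379
"""

def parse_chains(listing):
    """Parse `iptables -nvL` text into {chain: {"policy": str or None, "rules": [dict]}}."""
    chains, cur = {}, None
    for line in listing.splitlines():
        m = re.match(r"^Chain (\S+) \((?:policy (\S+))?", line)
        if m:
            cur = m.group(1)
            chains[cur] = {"policy": m.group(2), "rules": []}
            continue
        f = line.split(None, 9)  # pkts bytes target prot opt in out source destination [matches]
        if cur is None or len(f) < 9 or f[0] == "pkts":
            continue
        extra = f[9] if len(f) > 9 else ""
        dpt = re.search(r"dpt:(\d+)", extra)
        chains[cur]["rules"].append({
            "target": f[2], "proto": f[3], "src": f[7],
            "dport": int(dpt.group(1)) if dpt else None,
            # A rule matching only RELATED,ESTABLISHED never admits a new connection.
            "new": not ("RELATED,ESTABLISHED" in extra and "NEW" not in extra),
        })
    return chains

def audit_tcp_port(chains, port, chain="INPUT"):
    """Walk `chain` top to bottom (first match wins) and return (exposed, allowed_sources);
    exposed is True when any address may open a new TCP connection to `port`."""
    allowed, catch_all_drop, c = [], False, chains[chain]
    for r in c["rules"]:
        if r["proto"] not in ("tcp", "all") or not r["new"] or r["dport"] not in (None, port):
            continue
        if r["target"] == "ACCEPT":
            allowed.append(r["src"])
        elif r["target"] in ("DROP", "REJECT") and r["src"] == "0.0.0.0/0":
            catch_all_drop = True  # later rules for this port (e.g. appended with -A) never fire
            break
    exposed = "0.0.0.0/0" in allowed or (not catch_all_drop and c["policy"] != "DROP")
    return exposed, allowed
```

On a live host, feed it the output of `iptables -nvL` instead of SAMPLE; an exposed result for 6379 means the whitelist is not actually in effect.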

5. Add a rule: allow the IP address range 172.28.146.1-172.28.146.252 to access Redis on port 6379

The -s option takes an address with a CIDR prefix length, so 172.28.146.1/252 is not a valid argument and iptables rejects it; an arbitrary start-to-end range is expressed with the iprange match instead:

[root@zabbix_server ~]# iptables -A INPUT -m iprange --src-range 172.28.146.1-172.28.146.252 -p tcp --dport 6379 -j ACCEPT

6. Save the rules

[root@zabbix_server ~]# service iptables save 
iptables:將防火牆規則保存到 /etc/sysconfig/iptables:[肯定]

7. Restart the service

[root@zabbix_server ~]# service iptables restart
iptables:將鏈設置爲政策 ACCEPT:filter [肯定]
iptables:清除防火牆規則:[肯定]
iptables:正在卸載模塊:[肯定]
iptables:應用防火牆規則:[肯定]