Ubuntu 16.04 设置防火墙白名单

1 iptables设置防火墙白名单

1.1 检查是否安装iptables

(base) root@master:~# whereis iptables  #查看系统是否安装防火墙
iptables: /sbin/iptables /usr/share/iptables /usr/share/man/man8/iptables.8.gz

(base) root@master:~# apt-get install iptables #若未安装 执行安装命令

(base) root@master:~# iptables -L  #查看防火墙信息
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
    

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination      

1.2 添加iptables规则

(base) root@master:~# vi /etc/iptables.rules
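# /etc/iptables.rules - IPv4 filter rules for this host.
# Load with:  iptables-restore < /etc/iptables.rules
#
# Only lines beginning with '#' are comments; iptables-restore rejects any
# other syntax (a '//' line makes the whole load fail, and the previously
# loaded rules stay active). Loading replaces the entire filter table, so
# rules that other software added at runtime are discarded and must be
# re-added. This file covers IPv4 only; if the host has IPv6 addresses,
# ip6tables needs an equivalent rule set or IPv6 is left unfiltered.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# ---- whitelist: peer servers allowed to reach the intranet-only ports ----
# One '-A whitelist -s <peer ip> -j ACCEPT' per trusted host; xx.xx.xx.xx is
# a placeholder to replace. Do not list this server's own address.
# A packet that matches no entry reaches the end of the chain and returns to
# INPUT, where the final REJECT below handles it, so no explicit DROP is
# needed inside the chain.
-N whitelist
-A whitelist -s xx.xx.xx.xx -j ACCEPT

# ---- INPUT ----
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT

# ICMP: accept at most 100 packets/s (burst 100) and silently drop the excess.
# The limit rule must come before any unconditional '-p icmp -j ACCEPT',
# otherwise it never matches. Excess is dropped rather than left to the final
# REJECT so that a flood is not answered with one ICMP error per packet.
-A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT -p icmp -j DROP

# Services open to any source address.
# NOTE(review): 3306 (MySQL) is reachable from anywhere here; if only the
# peer servers need it, move its rule into the whitelist section below.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT

# Services reachable only from whitelisted peers (intranet). A port listed
# here must NOT also have a global ACCEPT above, otherwise the whitelist jump
# is never reached and the port is effectively open to everyone.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2181 -j whitelist
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9092 -j whitelist

# Everything not matched above is rejected.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT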

1.3 使防火墙规则生效

(base) root@master:~# iptables-restore < /etc/iptables.rules

1.4 让iptables规则在网卡启用前自动加载

创建 /etc/network/if-pre-up.d/iptables 文件(与下面的 vi 和 chmod 命令所用路径一致),并添加如下内容:

(base) root@master:~# vi /etc/network/if-pre-up.d/iptables

iptables文件内容如下:

#!/bin/bash
# Reload the IPv4 filter rules from /etc/iptables.rules.
# Installed in /etc/network/if-pre-up.d so ifupdown runs it before an
# interface comes up, i.e. the filter is in place before the host is
# reachable. iptables-restore replaces the tables named in the file; if the
# file fails to parse, the previously loaded rules stay in effect and the
# non-zero exit status is reported back to ifup.
readonly rules_file=/etc/iptables.rules
iptables-restore < "$rules_file"

添加执行权限

(base) root@master:/etc/network/if-pre-up.d# chmod +x /etc/network/if-pre-up.d/iptables

1.5 查看iptables规则是否生效

(base) root@master:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3306
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2181
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9092
whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3306
whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2181
whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9092
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 10
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 100/sec burst 100
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain whitelist (6 references)
target     prot opt source               destination         
ACCEPT     all  --  xx.xx.xx.xx       0.0.0.0/0           
ACCEPT     all  --  xx.xx.xx.xx        0.0.0.0/0   

如果再次修改,则执行以下命令

# Edit-reload-verify cycle for the persistent rules. Comment lines in the
# rules file must start with '#'; any other syntax makes iptables-restore
# fail, in which case the previously loaded rules remain active.
readonly rules_file=/etc/iptables.rules
vi "$rules_file"                     # edit the rules
iptables-restore < "$rules_file"     # apply the edited rules
iptables -L -n                       # list the active rules to confirm they loaded

2 'ufw'设置防火墙白名单


转载自www.cnblogs.com/eugene0/p/12056901.html