I set ports 80 and 443 to allow access only from whitelisted IPs, but found that it had no effect: in practice any IP can access them. I then tested deleting the INPUT rule for port 80, and the port was still reachable afterwards, even though there is clearly an -A INPUT -j DROP. Yet the per-IP rule does take effect normally: -A INPUT -s 120.26.72.89/32 -j DROP.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-N whitelist
-A whitelist -s 103.21.244.0/22 -j ACCEPT
-A whitelist -s 103.22.200.0/22 -j ACCEPT
-A whitelist -s 103.31.4.0/22 -j ACCEPT
-A whitelist -s 104.16.0.0/12 -j ACCEPT
-A whitelist -s 108.162.192.0/18 -j ACCEPT
-A whitelist -s 131.0.72.0/22 -j ACCEPT
-A whitelist -s 141.101.64.0/18 -j ACCEPT
-A whitelist -s 162.158.0.0/15 -j ACCEPT
-A whitelist -s 172.64.0.0/13 -j ACCEPT
-A whitelist -s 173.245.48.0/20 -j ACCEPT
-A whitelist -s 188.114.96.0/20 -j ACCEPT
-A whitelist -s 190.93.240.0/20 -j ACCEPT
-A whitelist -s 197.234.240.0/22 -j ACCEPT
-A whitelist -s 198.41.128.0/17 -j ACCEPT
-A whitelist -s 199.27.128.0/21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j whitelist
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j whitelist
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
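Two things are worth separating here: what the posted ruleset should do, and what the kernel is actually running. The ranges in the whitelist chain are Cloudflare's published edge ranges; if the site is proxied through Cloudflare, every TCP connection that reaches the server comes from one of those ranges, so from the firewall's point of view the source is always whitelisted no matter who the visitor is. The second observation (port 80 still reachable after its INPUT rule was deleted, despite the trailing DROP) is not something this ruleset can produce, which points at the loaded rules differing from the file. The following Python simulator is an added example written for this page, not code from the question or answer; it replays first-match iptables semantics (including the jump into a user chain and the implicit RETURN when nothing in it matches) over a constructed copy of the posted rules, so the expected verdict for a given source, port and conntrack state can be checked offline. The chain policy is assumed to be ACCEPT because the dump contains no policy lines; it never matters here since `-A INPUT -j DROP` catches everything that falls through.

```python
"""Offline first-match simulator for the iptables filter rules in the question
(added example; assumes the rules are loaded exactly as posted)."""
import ipaddress

# Constructed copy of the ruleset posted in the question (iptables-save style).
RULESET = """
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-N whitelist
-A whitelist -s 103.21.244.0/22 -j ACCEPT
-A whitelist -s 103.22.200.0/22 -j ACCEPT
-A whitelist -s 103.31.4.0/22 -j ACCEPT
-A whitelist -s 104.16.0.0/12 -j ACCEPT
-A whitelist -s 108.162.192.0/18 -j ACCEPT
-A whitelist -s 131.0.72.0/22 -j ACCEPT
-A whitelist -s 141.101.64.0/18 -j ACCEPT
-A whitelist -s 162.158.0.0/15 -j ACCEPT
-A whitelist -s 172.64.0.0/13 -j ACCEPT
-A whitelist -s 173.245.48.0/20 -j ACCEPT
-A whitelist -s 188.114.96.0/20 -j ACCEPT
-A whitelist -s 190.93.240.0/20 -j ACCEPT
-A whitelist -s 197.234.240.0/22 -j ACCEPT
-A whitelist -s 198.41.128.0/17 -j ACCEPT
-A whitelist -s 199.27.128.0/21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j whitelist
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j whitelist
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # verdicts that end traversal


def parse_rules(text):
    """Return {chain: [rule, ...]} from '-A'/'-N' lines. Each rule holds the
    match options this simulator understands plus its '-j' target."""
    chains = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "-N":            # user-defined chain declaration
            chains.setdefault(tok[1], [])
            continue
        if tok[0] != "-A":            # policies, comments, COMMIT: ignored
            continue
        rule = {"src": None, "proto": None, "dport": None,
                "iface": None, "states": None, "target": None}
        i = 2
        while i < len(tok):
            opt, val = tok[i], tok[i + 1]
            if opt == "-s":
                rule["src"] = ipaddress.ip_network(val, strict=False)
            elif opt == "-p":
                rule["proto"] = val
            elif opt == "--dport":
                rule["dport"] = int(val)
            elif opt == "-i":
                rule["iface"] = val
            elif opt == "--state":
                rule["states"] = set(val.split(","))
            elif opt == "-j":
                rule["target"] = val
            elif opt != "-m":         # '-m tcp' / '-m state' only load a match
                raise ValueError("unsupported option %s" % opt)
            i += 2
        chains.setdefault(tok[1], []).append(rule)
    return chains


def matches(rule, pkt):
    """True when every match option the rule specifies is satisfied by pkt."""
    return ((rule["src"] is None or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["dport"] is None or rule["dport"] == pkt.get("dport"))
            and (rule["iface"] is None or rule["iface"] == pkt["iface"])
            and (rule["states"] is None or pkt["state"] in rule["states"]))


def walk(chains, chain, pkt):
    """First-match traversal. A user chain with no matching rule returns None
    to its caller, which is the kernel's implicit RETURN."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        t = rule["target"]
        if t in TERMINAL:
            return t
        if t == "RETURN":
            return None
        v = walk(chains, t, pkt)      # jump into a user-defined chain
        if v is not None:
            return v
    return None


def verdict(ruleset_text, src, dport, state="NEW", proto="tcp",
            iface="eth0", policy="ACCEPT"):
    """Verdict for a packet on INPUT; `policy` applies only if nothing matches."""
    pkt = {"src": src, "dport": dport, "state": state, "proto": proto, "iface": iface}
    v = walk(parse_rules(ruleset_text), "INPUT", pkt)
    return v if v is not None else policy


def drop_rule(ruleset_text, fragment):
    """Remove the first rule containing `fragment`, reproducing the
    'deleted the port 80 INPUT rule' experiment offline."""
    lines = ruleset_text.strip().splitlines()
    idx = next(i for i, l in enumerate(lines) if fragment in l)
    return "\n".join(lines[:idx] + lines[idx + 1:])


if __name__ == "__main__":
    print(verdict(RULESET, "1.2.3.4", 80))                           # DROP
    print(verdict(RULESET, "104.16.1.1", 80))                        # ACCEPT
    print(verdict(drop_rule(RULESET, "--dport 80"), "104.16.1.1", 80))  # DROP
```

Under these rules a non-whitelisted source (constructed 1.2.3.4) is dropped on port 80 and a Cloudflare-range source is accepted, and removing the port-80 rule makes even the whitelisted source fall through to the DROP. When the live host behaves differently, compare against what the kernel actually holds: `iptables -S INPUT` prints the loaded rules, `iptables -L INPUT -v -n --line-numbers` shows per-rule packet counters (a whitelist rule with a rising counter while "anyone" gets in is the Cloudflare-proxy case; a DROP rule whose counter never moves means the file was never loaded), and `ip6tables -S INPUT` catches the case where the service is reached over IPv6, which the IPv4 ruleset does not govern.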
Let's set custom chains aside and talk about the normal setup. Why not talk about custom chains? Because I'm killing Big Teemo with my roommate (I don't play games, but killing Big Teemo is really fun), and I edited this answer on my phone...
Environment:
Actually, allowing port 80 is very simple. When opening a service in iptables, the most troublesome case is probably allowing FTP in passive mode.
Then it is allowed through. Of course, there must be no blocking rule before the matching one! The same applies to custom chains.
Of course, you may need to DROP everything in the firewall first and then ACCEPT.