Linux firewall: viewing rules and adding a whitelist entry

1. Temporary whitelist (iptables): takes effect immediately when the command runs, but lives only in the running kernel ruleset and is lost when the firewall is restarted

View firewall status:

service iptables status

View the current rule list (including any whitelist entries):

sudo iptables -nL

Add whitelist:

sudo iptables -I INPUT -m state --state NEW -m tcp -p tcp -s 10.32.123.1 --dport 3306 -j ACCEPT

sudo: runs the command with administrator privileges from a normal user account; not needed when already root
-I: insert the rule at the top of the chain, so it is evaluated before the existing rules
    INPUT: the chain for packets arriving from external hosts to resources on this machine
-m state --state: match on connection state, one of (NEW|ESTABLISHED|RELATED|INVALID)
    NEW: the first packet of the 3-way handshake, i.e. a new request
    ESTABLISHED: the connection after the handshake, until it is torn down
    RELATED: a connection related to an existing one; handles complex protocols such as FTP control/data connections
    INVALID: a packet whose state cannot be identified
-p: match the protocol (usually one of TCP/UDP/ICMP)
-s: the source address; must be an IP address, not a hostname
--dport: match the destination port number
-j: the target, i.e. what to do with a matching packet:
    ACCEPT: let the packet through
    DROP: discard the packet silently, with no response to the sender

Verify that the rule was added:

[root@host001 ~]# sudo iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  10.32.123.1         0.0.0.0/0           state NEW tcp dpt:3306
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0 

2. Permanent whitelist (firewalld)

Add whitelist:

firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="10.32.123.1" port port=3306 protocol=tcp accept' --permanent

Remove whitelist (the rule text must match the added rule exactly, including the final "accept"; a rule ending in "reject" would not match the rule added above):

firewall-cmd --zone=public --remove-rich-rule 'rule family="ipv4" source address="10.32.123.1" port port=3306 protocol=tcp accept' --permanent

Rules added with --permanent only take effect after the firewall configuration is reloaded:

firewall-cmd --reload
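The two whitelist steps above, written so they can be re-run safely, plus a checker that reads the "iptables -nL" listing format shown in section 1. This is an added example, not code from the original post; the source address and port are the post's placeholder values, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent versions of the two
# whitelist steps plus a checker for the "iptables -nL" listing format shown
# in section 1. Source address and port are the post's placeholder values.

# Rich rule text for firewall-cmd. The identical string must be passed to
# --remove-rich-rule later; a rule ending in "reject" would not match it.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port=%s protocol=tcp accept' "$1" "$2"
}

# Read an "iptables -nL" listing on stdin; succeed (0) only if it holds an ACCEPT
# rule for exactly this source IP and TCP destination port.
listing_has_accept() {
    awk -v src="$1" -v port="$2" '
        $1 == "ACCEPT" && $2 == "tcp" && $4 == src && $0 ~ ("dpt:" port "($| )") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print the chain policy ("ACCEPT" or "DROP") from the "Chain INPUT (policy X)" header.
# A whitelist entry only restricts anything when the policy (or a later rule) denies
# the rest; with policy ACCEPT and a blanket "ACCEPT all" rule it is a no-op.
listing_policy() {
    awk '/^Chain / { sub(/\)$/, "", $4); print $4; exit }'
}

# Constructed sample in the format the post shows, used by the demo and test.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  10.32.123.1          0.0.0.0/0            state NEW tcp dpt:3306
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0'

sample_has_accept() { printf '%s\n' "$SAMPLE_LISTING" | listing_has_accept "$1" "$2"; }
sample_policy()     { printf '%s\n' "$SAMPLE_LISTING" | listing_policy; }

# Live-host helpers (need root). -C tests for the rule so re-runs do not stack
# duplicates; --query-rich-rule does the same for the permanent firewalld rule.
ensure_temp_whitelist() {
    iptables -C INPUT -m state --state NEW -m tcp -p tcp -s "$1" --dport "$2" -j ACCEPT 2>/dev/null ||
        iptables -I INPUT -m state --state NEW -m tcp -p tcp -s "$1" --dport "$2" -j ACCEPT
}
ensure_perm_whitelist() {
    rule=$(rich_rule "$1" "$2")
    firewall-cmd --permanent --zone=public --query-rich-rule "$rule" >/dev/null 2>&1 && return 0
    firewall-cmd --permanent --zone=public --add-rich-rule "$rule" && firewall-cmd --reload
}
```

Run `sample_policy` against a real `iptables -nL INPUT` listing as well: a whitelist rule in a chain whose policy is ACCEPT, with nothing denying the remaining traffic, does not actually restrict access to port 3306.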


Origin blog.csdn.net/m0_46282787/article/details/129165900