admin posted on 2020-1-10 18:42:34

iptables policy adjustment

I. Background
The database servers form a two-node Linux HA pair; access to port 1521 on the database VIP address now needs to be restricted.

Note: before carrying out any of these steps, take a system-level backup. It is strongly recommended to complete the procedure successfully in a test environment first and only then apply it to production.

II. Equipment involved
The database server IP involved in this operation is , and the database listener IP is ; depending on the actual environment, only the VIP the listener uses is acted on.

III. Scope of impact
This operation affects port 22 on both database servers in the HA pair: IP addresses added to the permit list can continue to access port 22 of the system, while all other IP addresses cannot access port 1521.

IV. Procedure
1. First, list the existing rules

iptables -L -n --line-numbers
2. Dump the current rule table and keep it as a backup
iptables-save > /tmp/iptables.txt
3. Add the whitelist
vi /etc/sysconfig/iptables
# The file is in iptables-save format: the *filter header, the chain
# declarations and the closing COMMIT line are required, otherwise
# iptables-restore rejects the file when the service is restarted.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:whitelist - [0:0]
-A whitelist -s 192.168.100.10 -j ACCEPT
-A whitelist -s 192.168.100.11 -j ACCEPT
-A whitelist -s 192.168.100.100 -j ACCEPT
-A whitelist -s 192.168.100.101 -j ACCEPT
-A whitelist -s 192.168.100.102 -j ACCEPT
-A whitelist -s 192.168.100.103 -j ACCEPT
-A whitelist -s 192.168.100.104 -j ACCEPT
-A whitelist -s 192.168.100.105 -j ACCEPT
-A whitelist -s 192.168.100.106 -j ACCEPT
-A whitelist -s 192.168.100.20 -j ACCEPT
-A whitelist -s 192.168.100.121 -j ACCEPT
-A whitelist -s 192.168.100.41 -j ACCEPT
# The entry below was written as 192.168.1000.30, which is not a valid IPv4
# address; a single such line makes iptables-restore reject the whole file.
# Confirm the intended host and put the corrected entry back before loading.
# -A whitelist -s 192.168.1000.30 -j ACCEPT
-A whitelist -s 192.168.100.124 -j ACCEPT
-A whitelist -s 192.168.100.13 -j ACCEPT
-A whitelist -s 192.168.100.15 -j ACCEPT
-A whitelist -s 192.168.100.12 -j ACCEPT
-A whitelist -s 192.168.100.14 -j ACCEPT
-A whitelist -s 192.168.100.24 -j ACCEPT
-A whitelist -s 192.168.100.25 -j ACCEPT
-A whitelist -s 192.168.100.40 -j ACCEPT
-A whitelist -s 192.168.100.122 -j ACCEPT
-A whitelist -s 192.168.100.16 -j ACCEPT
-A whitelist -s 192.168.100.120 -j ACCEPT
-A whitelist -s 192.168.100.42 -j ACCEPT
-A whitelist -s 192.168.100.43 -j ACCEPT
-A whitelist -s 192.168.100.17 -j ACCEPT
-A whitelist -s 192.168.100.44 -j ACCEPT
-A whitelist -s 192.168.100.45 -j ACCEPT
-A whitelist -s 192.168.100.18 -j ACCEPT
-A whitelist -s 192.168.100.92 -j ACCEPT
-A whitelist -s 192.168.100.93 -j ACCEPT
-A whitelist -s 192.168.100.94 -j ACCEPT
-A whitelist -s 192.168.100.95 -j ACCEPT
-A whitelist -s 192.168.100.96 -j ACCEPT
-A whitelist -s 192.168.100.97 -j ACCEPT
-A whitelist -s 192.168.100.98 -j ACCEPT
-A whitelist -s 192.168.100.46 -j ACCEPT
-A whitelist -s 192.168.100.47 -j ACCEPT
-A whitelist -s 192.168.100.48 -j ACCEPT
-A whitelist -s 192.168.100.56 -j ACCEPT
-A whitelist -s 192.168.100.57 -j ACCEPT
-A whitelist -s 192.168.100.58 -j ACCEPT
-A whitelist -s 192.168.100.50 -j ACCEPT
-A whitelist -s 192.168.100.26 -j ACCEPT
-A whitelist -s 192.168.100.27 -j ACCEPT
-A whitelist -s 136.142.36.66 -j ACCEPT
-A whitelist -s 136.142.36.67 -j ACCEPT
-A whitelist -s 136.142.36.100 -j ACCEPT
-A whitelist -s 136.142.36.101 -j ACCEPT
-A whitelist -s 136.142.36.102 -j ACCEPT
-A whitelist -s 136.142.36.103 -j ACCEPT
-A whitelist -s 136.142.36.104 -j ACCEPT
-A whitelist -s 136.142.36.105 -j ACCEPT
-A whitelist -s 136.142.36.106 -j ACCEPT
-A whitelist -s 136.142.36.107 -j ACCEPT
-A whitelist -s 136.142.36.82 -j ACCEPT
-A whitelist -s 136.142.36.96 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j whitelist
-A INPUT -i lo -j ACCEPT
# Only new connections to 1521 are checked against the whitelist. Any other
# new connection, including SSH on port 22 from a whitelisted host, falls
# through to the REJECT rule that follows, so keep console access available
# when loading this ruleset. The two rules were fused onto one line in the
# original; each rule must be on its own line.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j whitelist
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
4. Save and apply the settings (the init script reloads /etc/sysconfig/iptables, so the file edited in step 3 becomes the live ruleset)
service iptables restart
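Before restarting the service it is worth checking the edited file offline: one malformed line makes iptables-restore reject the entire ruleset, and a ruleset that ends in a catch-all REJECT without any rule for SSH cuts off remote administration. The script below is an added example written for this page, not part of the original post. The file path in its usage comment and the two sample rule files it writes are constructed for the example; it checks only address syntax on -s/-d, rules fused onto one line, the COMMIT line, and whether a port-22 rule exists. On iptables releases that provide it, `iptables-restore --test < FILE` is the final syntax check (assume the option is absent on older systems).

```shell
#!/bin/sh
# Added example (not part of the original post): pre-flight checks for an
# /etc/sysconfig/iptables style file before `service iptables restart` loads it.
# Usage: sh check_rules.sh /etc/sysconfig/iptables   (exit status 0 = no errors)

# valid_ipv4 ADDR: 0 when ADDR is a dotted quad (optionally with /prefix) whose
# four octets are all 0-255. Rejects typos such as 192.168.1000.30.
valid_ipv4() {
    addr=${1%%/*}
    case $1 in
        */*) prefix=${1#*/}
             case $prefix in ''|*[!0-9]*) return 1 ;; esac
             [ "$prefix" -le 32 ] || return 1 ;;
    esac
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_rules_file FILE: report hard errors on stderr (invalid -s/-d address,
# several rules fused onto one line, missing COMMIT), warn about SSH lockout,
# print the error count on stdout and return non-zero when it is not 0.
check_rules_file() {
    file=$1 errors=0 commit=0 n=0 reject_all=0 ssh_rule=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*|'*'*|':'*) continue ;;           # blank, comment, table, chain
            COMMIT) commit=1; continue ;;
            '-A INPUT -j REJECT'*|'-A INPUT -j DROP'*) reject_all=1 ;;
            *'--dport 22 '*|*'--dport 22') ssh_rule=1 ;;
        esac
        # A second "-A"/"-I" after the first token means two rules on one line.
        case "${line#-[AI] }" in *' -A '*|*' -I '*)
            echo "line $n: more than one rule on a single line" >&2
            errors=$((errors + 1)) ;;
        esac
        set -- $line
        while [ $# -gt 0 ]; do
            case $1 in
                -s|-d|--source|--destination)
                    valid_ipv4 "${2:-}" || {
                        echo "line $n: invalid address '${2:-}'" >&2
                        errors=$((errors + 1)); }
                    [ $# -lt 2 ] || shift ;;
            esac
            shift
        done
    done < "$file"
    [ "$commit" = 1 ] || { echo "missing COMMIT line" >&2; errors=$((errors + 1)); }
    if [ "$reject_all" = 1 ] && [ "$ssh_rule" = 0 ]; then
        echo "warning: INPUT ends in a catch-all rule and nothing accepts --dport 22;" \
             "new SSH sessions will be refused" >&2
    fi
    echo "$errors"
    [ "$errors" -eq 0 ]
}

# write_sample_rules FILE good|bad: constructed file modelled on the post's
# layout. "bad" reproduces the post's defects: an impossible address, two rules
# fused onto one line, and no COMMIT.
write_sample_rules() {
    {
        printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
            ':OUTPUT ACCEPT [0:0]' ':whitelist - [0:0]' \
            '-A whitelist -s 192.168.100.10 -j ACCEPT' \
            '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
            '-A INPUT -i lo -j ACCEPT'
        if [ "$2" = bad ]; then
            printf '%s\n' '-A whitelist -s 192.168.1000.30 -j ACCEPT' \
                '-A INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j whitelist -A INPUT -j REJECT --reject-with icmp-host-prohibited'
        else
            printf '%s\n' '-A whitelist -s 192.168.100.11 -j ACCEPT' \
                '-A INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j whitelist' \
                '-A INPUT -j REJECT --reject-with icmp-host-prohibited' COMMIT
        fi
    } > "$1"
}

if [ $# -gt 0 ]; then
    check_rules_file "$1"
fi
```

Run it against the edited file and only restart the service when it prints 0; the warning about port 22 is informational, since this procedure intentionally leaves SSH unaddressed, but it tells you that a console session must stay open during the change.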

5. Verify the rules
From an IP address outside the permit list, telnet to port 22 of the database VIP; if the connection fails, the iptables rules are configured correctly.
After verification, back up the new rule table.
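The telnet check above shows the result for one source address at a time. The script below, an added example that is not part of the original post, walks the INPUT chain of a rules file the way the kernel does (first match wins; a jump into whitelist comes back to INPUT when nothing matches there) and predicts the verdict for a given source, protocol and port, so the expected outcome of each test is known before it is run. It models only the matches the post's rules use (-s with a single host, -p, --dport, -i lo, --state) and treats every packet as a NEW connection arriving from the network; the ruleset it writes is a constructed sample with two whitelisted hosts. One prediction worth noting: a whitelisted host connecting to port 22 also gets REJECT, because no rule in the chain accepts SSH.

```shell
#!/bin/sh
# Added example (not part of the original post): predict the INPUT-chain verdict
# of an iptables-save style file for a NEW connection from a given source.
# Usage: sh predict.sh /etc/sysconfig/iptables 192.168.100.10 tcp 1521

# walk_chain FILE CHAIN SRC PROTO DPORT: print ACCEPT/DROP/REJECT for the first
# terminating rule that matches, or nothing if the chain falls through.
walk_chain() {
    file=$1 chain=$2 src=$3 proto=$4 dport=$5
    grep "^-A $chain " "$file" | while IFS= read -r rule; do
        match=1 target=
        set -- $rule
        while [ $# -gt 0 ]; do
            case $1 in
                -A) shift ;;                                  # skip the chain name
                -s) [ "$2" = "$src" ] || match=0; shift ;;   # exact host match only
                -p) [ "$2" = "$proto" ] || match=0; shift ;;
                --dport) [ "$2" = "$dport" ] || match=0; shift ;;
                -i) [ "$2" != lo ] || match=0; shift ;;      # packet comes from the network
                --state) case ",$2," in *,NEW,*) ;; *) match=0 ;; esac; shift ;;
                -j) target=$2; shift ;;
                -m|--reject-with) shift ;;                    # match module / reject type
            esac
            shift
        done
        [ "$match" = 1 ] && [ -n "$target" ] || continue
        case $target in
            ACCEPT|DROP|REJECT) echo "$target"; exit 0 ;;     # verdict; leave the loop subshell
            RETURN) exit 0 ;;                                 # back to the calling chain
            *) v=$(walk_chain "$file" "$target" "$src" "$proto" "$dport")
               [ -z "$v" ] || { echo "$v"; exit 0; } ;;      # user chain fell through: go on
        esac
    done
    return 0
}

# expect_verdict FILE SRC PROTO DPORT: verdict after INPUT, falling back to the
# chain policy from the ":INPUT <policy>" line of the file.
expect_verdict() {
    v=$(walk_chain "$1" INPUT "$2" "$3" "$4")
    [ -n "$v" ] || v=$(awk '$1 == ":INPUT" {print $2}' "$1")
    echo "$v"
}

# write_sample_rules FILE: constructed ruleset with the post's INPUT chain and
# two whitelisted hosts (addresses chosen for the example).
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:whitelist - [0:0]
-A whitelist -s 192.168.100.10 -j ACCEPT
-A whitelist -s 192.168.100.11 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j whitelist
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j whitelist
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

if [ $# -eq 4 ]; then
    expect_verdict "$1" "$2" "$3" "$4"
fi
```

Run it once per address you intend to test from, then compare the real telnet result with the prediction: a mismatch means either the live ruleset differs from the file (the restart in step 4 did not load it) or a match type this model does not cover is in play.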

V. Rollback plan
If a rollback is needed during the operation, restore the rule table backed up earlier and reload it as in step 4.
cp /tmp/iptables.txt /etc/sysconfig/iptables
service iptables restart