运维联盟俱乐部
iptables policy adjustment

Posted on 2020-1-10 18:42:34
    I. Background overview
    The database servers run as a two-node Linux HA pair; access to port 1521 on the database VIP address now needs to be restricted.

    Note: before any operation, a system-level backup is recommended; it is strongly advised to complete the operation successfully in a test environment before performing it in production.

    II. Devices involved
    The database server IPs involved are (not given in the post) and the database listener IP is (not given in the post); according to the actual environment, only the listening VIP is operated on.

    III. Scope of impact
    This operation affects port 22 on the two database servers of the HA pair: IP addresses added to the permit list can continue to access port 22 of the system, while other IP addresses cannot access port 1521.

    IV. Operation plan
    1. First, view the existing rules

    iptables -L -n --line-numbers
    2. View the current rule table and back it up
    iptables-save > /tmp/iptables.txt
    3. Add the whitelist
    vi /etc/sysconfig/iptables
    # File contents in iptables-save format, as loaded by "service iptables restart"
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    # User-defined chain holding the permitted source addresses (equivalent to -N whitelist)
    :whitelist - [0:0]
    -A whitelist -s 192.168.100.10 -j ACCEPT
    -A whitelist -s 192.168.100.11 -j ACCEPT
    -A whitelist -s 192.168.100.100 -j ACCEPT
    -A whitelist -s 192.168.100.101 -j ACCEPT
    -A whitelist -s 192.168.100.102 -j ACCEPT
    -A whitelist -s 192.168.100.103 -j ACCEPT
    -A whitelist -s 192.168.100.104 -j ACCEPT
    -A whitelist -s 192.168.100.105 -j ACCEPT
    -A whitelist -s 192.168.100.106 -j ACCEPT
    -A whitelist -s 192.168.100.20 -j ACCEPT
    -A whitelist -s 192.168.100.121 -j ACCEPT
    -A whitelist -s 192.168.100.41 -j ACCEPT
    # The next address as written in the post (192.168.1000.30) is not a valid IPv4 address
    # (third octet exceeds 255); iptables-restore refuses the whole file while it is present,
    # so it is commented out here until the intended address is confirmed.
    # -A whitelist -s 192.168.1000.30 -j ACCEPT
    -A whitelist -s 192.168.100.124 -j ACCEPT
    -A whitelist -s 192.168.100.13 -j ACCEPT
    -A whitelist -s 192.168.100.15 -j ACCEPT
    -A whitelist -s 192.168.100.12 -j ACCEPT
    -A whitelist -s 192.168.100.14 -j ACCEPT
    -A whitelist -s 192.168.100.24 -j ACCEPT
    -A whitelist -s 192.168.100.25 -j ACCEPT
    -A whitelist -s 192.168.100.40 -j ACCEPT
    -A whitelist -s 192.168.100.122 -j ACCEPT
    -A whitelist -s 192.168.100.16 -j ACCEPT
    -A whitelist -s 192.168.100.120 -j ACCEPT
    -A whitelist -s 192.168.100.42 -j ACCEPT
    -A whitelist -s 192.168.100.43 -j ACCEPT
    -A whitelist -s 192.168.100.17 -j ACCEPT
    -A whitelist -s 192.168.100.44 -j ACCEPT
    -A whitelist -s 192.168.100.45 -j ACCEPT
    -A whitelist -s 192.168.100.18 -j ACCEPT
    -A whitelist -s 192.168.100.92 -j ACCEPT
    -A whitelist -s 192.168.100.93 -j ACCEPT
    -A whitelist -s 192.168.100.94 -j ACCEPT
    -A whitelist -s 192.168.100.95 -j ACCEPT
    -A whitelist -s 192.168.100.96 -j ACCEPT
    -A whitelist -s 192.168.100.97 -j ACCEPT
    -A whitelist -s 192.168.100.98 -j ACCEPT
    -A whitelist -s 192.168.100.46 -j ACCEPT
    -A whitelist -s 192.168.100.47 -j ACCEPT
    -A whitelist -s 192.168.100.48 -j ACCEPT
    -A whitelist -s 192.168.100.56 -j ACCEPT
    -A whitelist -s 192.168.100.57 -j ACCEPT
    -A whitelist -s 192.168.100.58 -j ACCEPT
    -A whitelist -s 192.168.100.50 -j ACCEPT
    -A whitelist -s 192.168.100.26 -j ACCEPT
    -A whitelist -s 192.168.100.27 -j ACCEPT
    -A whitelist -s 136.142.36.66 -j ACCEPT
    -A whitelist -s 136.142.36.67 -j ACCEPT
    -A whitelist -s 136.142.36.100 -j ACCEPT
    -A whitelist -s 136.142.36.101 -j ACCEPT
    -A whitelist -s 136.142.36.102 -j ACCEPT
    -A whitelist -s 136.142.36.103 -j ACCEPT
    -A whitelist -s 136.142.36.104 -j ACCEPT
    -A whitelist -s 136.142.36.105 -j ACCEPT
    -A whitelist -s 136.142.36.106 -j ACCEPT
    -A whitelist -s 136.142.36.107 -j ACCEPT
    -A whitelist -s 136.142.36.82 -j ACCEPT
    -A whitelist -s 136.142.36.96 -j ACCEPT
    # Replies to connections this host initiated, then loopback
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j whitelist
    -A INPUT -i lo -j ACCEPT
    # New connections to 1521 (and ICMP above) are checked against the whitelist; a packet
    # that matches no whitelist entry returns to INPUT and reaches the final REJECT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j whitelist
    # As written, no rule above accepts port 22, so new SSH connections from any address are
    # also rejected here; keep any existing port-22 rule from the original file above this line
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    4. Save and apply the settings
    service iptables restart

    5. Verify the rules
    From an IP address outside the permit list, telnet to port 22 of the database VIP; if the connection fails, the iptables rules are configured correctly.
    After verification, back up the new rule table.

    V. Rollback plan
    If a rollback is needed during the operation, restore the previously backed-up rule table.
    cp /tmp/iptables.txt /etc/sysconfig/iptables
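    As an added example (not from the original post), a POSIX shell script that carries the whole procedure above in one place: it validates every whitelist address before generating the rule file, so a typo such as 192.168.1000.30 is caught before iptables-restore refuses the file; it builds the ruleset in the same iptables-save format as step 3; and it wraps backup, syntax check (iptables-restore --test), activation and rollback in functions. The port list "22 1521", the function names, the paths and the demo address list are assumptions; both ports are routed through the whitelist because section III states that permitted addresses keep access to port 22, which the rules in step 3 alone do not provide.

```shell
#!/bin/sh
# Added example (not from the original post): generate, check, apply and roll
# back a whitelist ruleset for the database VIP. Function names, the port list
# and the paths are assumptions; the address list in the demo is constructed.

# valid_ipv4 ADDR[/PREFIX]: succeed only for a well-formed dotted-quad IPv4 address.
valid_ipv4() {
    v4_addr=${1%%/*}
    v4_prefix=32
    case "$1" in
        */*) v4_prefix=${1#*/} ;;
    esac
    case "$v4_prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$v4_prefix" -le 32 ] || return 1
    v4_ifs=$IFS
    IFS=.
    set -- $v4_addr          # split on dots; positional parameters are local to the function
    IFS=$v4_ifs
    [ $# -eq 4 ] || return 1
    for v4_octet in "$@"; do
        case "$v4_octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$v4_octet" -le 255 ] || return 1   # rejects e.g. 192.168.1000.30
    done
    return 0
}

# build_ruleset "PORTS" ADDR...: print an /etc/sysconfig/iptables file that admits
# new TCP connections to PORTS (and ICMP) only from ADDR..., and rejects the rest.
# Prints nothing and fails if any address is malformed.
build_ruleset() {
    ports=$1
    shift
    for addr in "$@"; do
        valid_ipv4 "$addr" || { echo "build_ruleset: invalid address: $addr" >&2; return 1; }
    done
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':whitelist - [0:0]'
    for addr in "$@"; do
        printf -- '-A whitelist -s %s -j ACCEPT\n' "$addr"
    done
    printf '%s\n' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -p icmp -j whitelist'
    for port in $ports; do
        printf -- '-A INPUT -p tcp -m state --state NEW -m tcp --dport %s -j whitelist\n' "$port"
    done
    printf '%s\n' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT'
}

# apply_ruleset FILE: back up the live table (step 2), install the ruleset read
# from stdin into FILE only after iptables-restore accepts it in --test mode,
# then restart the service (step 4). Prints the backup path. Needs root.
apply_ruleset() {
    target=$1
    backup=/tmp/iptables.$(date +%Y%m%d%H%M%S).txt
    iptables-save > "$backup" || return 1
    cat > "$target.new" || return 1
    if ! iptables-restore --test < "$target.new"; then
        echo "ruleset rejected, $target left untouched (backup: $backup)" >&2
        return 1
    fi
    cp "$target.new" "$target" && service iptables restart && echo "$backup"
}

# rollback_ruleset BACKUP FILE: reinstate the saved table (step V) and restart,
# so the kernel runs the restored rules rather than only the file being replaced.
rollback_ruleset() {
    cp "$1" "$2" && service iptables restart
}

# Demo: print the generated ruleset for a constructed address list.
if [ "${1:-}" = "--demo" ]; then
    build_ruleset "22 1521" 192.168.100.10 192.168.100.11 136.142.36.66
fi
```

    Running the script with --demo prints the generated file for review; build_ruleset "22 1521" ADDR... | apply_ruleset /etc/sysconfig/iptables performs steps 2 to 4 in one go and prints the backup path that rollback_ruleset takes as its first argument. The --test pass matters because iptables-restore loads the file as a whole: a single malformed address or a fused line like the one in the post's step 3 makes the restart fail with the old rules still in place, which is safer than a partial load but leaves the change unapplied without warning unless the check is done first.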
