Add a source-IP whitelist for MinIO
1. Check the machine's existing whitelist:
[root@test-01 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT tcp -- anywhere anywhere multiport dports cslistener source IP range 192.158.*.2-192.158.*.61
ACCEPT tcp -- anywhere anywhere multiport dports cslistener source IP range 127.0.0.1-127.0.0.1
DROP tcp -- anywhere anywhere multiport dports cslistener
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
Note that the INPUT chain already contains one DROP rule. iptables walks a chain from top to bottom and stops at the first rule that matches, so once a packet hits that DROP the remaining rules are never evaluated. The DROP must therefore stay the last rule in the chain: appending new ACCEPT rules with -A while the DROP is still in place would put them behind it, where they can never match.
2. Check the rule to be added
iptables -A INPUT -p tcp --dport 9000 -s 192.158.%.90,192.158.%.100 -j ACCEPT
3. Delete the existing DROP rule, add the new rules, then append the DROP rule again at the end
3.1. Show the rule line numbers
[root@test-01 ~]# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- anywhere anywhere udp dpt:domain
2 ACCEPT tcp -- anywhere anywhere tcp dpt:domain
3 ACCEPT udp -- anywhere anywhere udp dpt:bootps
4 ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
5 ACCEPT tcp -- anywhere anywhere multiport dports cslistener source IP range 192.158.*.2-192.158.*.61
6 ACCEPT tcp -- anywhere anywhere multiport dports cslistener source IP range 127.0.0.1-127.0.0.1
7 DROP tcp -- anywhere anywhere multiport dports cslistener
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
2 ACCEPT all -- 192.168.122.0/24 anywhere
3 ACCEPT all -- anywhere anywhere
4 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
5 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- anywhere anywhere udp dpt:bootpc
3.2. Delete the rule by line number (delete line 7, which is the original DROP rule)
iptables -D INPUT 7
3.3. Add the new ACCEPT rules
iptables -A INPUT -p tcp --dport 9000 -s 192.158.%.90,192.158.%.100 -j ACCEPT
3.4. Add the DROP rule again
iptables -A INPUT -p tcp --dport 9000 -j DROP
4. Check the rules and save them
4.1. Check the rules
[root@test-01 ~]# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- anywhere anywhere udp dpt:domain
2 ACCEPT tcp -- anywhere anywhere tcp dpt:domain
3 ACCEPT udp -- anywhere anywhere udp dpt:bootps
4 ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
5 ACCEPT tcp -- anywhere anywhere multiport dports cslistener source IP range 192.158.*.2-192.158.*.61
6 ACCEPT tcp -- anywhere anywhere multiport dports cslistener source IP range 127.0.0.1-127.0.0.1
7 ACCEPT tcp -- 192.158.%.90 anywhere tcp dpt:cslistener
8 ACCEPT tcp -- 192.158.%.100 anywhere tcp dpt:cslistener
9 DROP tcp -- anywhere anywhere tcp dpt:cslistener
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
2 ACCEPT all -- 192.168.122.0/24 anywhere
3 ACCEPT all -- anywhere anywhere
4 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
5 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- anywhere anywhere udp dpt:bootpc
4.2. Save the firewall rules
[root@test-01 ~]# service iptables save
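Between step 3.2 (deleting the DROP) and step 3.4 (re-adding it) port 9000 is reachable from any source. The added helper below, which is not part of the original post, avoids that window by inserting the ACCEPT rules with -I directly above the existing DROP so the DROP never leaves the chain; it assumes the DROP is a tcp rule matching cslistener as in the listings above, and the addresses in it are constructed RFC 5737 placeholders, not the page's real ones.

```shell
# Added example (not from the original post): insert the new ACCEPT rules
# directly above the existing DROP for port 9000 (cslistener) instead of
# deleting the DROP first (steps 3.2-3.4), so the port is never briefly
# open to every source. Assumes the DROP is a tcp rule matching
# "cslistener", as in the listing above; the addresses used here are
# constructed placeholders (RFC 5737 TEST-NET), not the page's real ones.

# Print the INPUT-chain line number of the first tcp DROP rule that
# matches cslistener (port 9000). Reads "iptables -L INPUT --line-numbers"
# output on stdin; prints nothing when no such rule exists.
find_drop_rule_num() {
    awk '$2 == "DROP" && $3 == "tcp" && /cslistener/ { print $1; exit }'
}

# Emit one "iptables -I" command per source address, inserting each ACCEPT
# at the DROP's position. Every insert pushes the DROP down one line, so
# the ACCEPTs end up in order directly above it and the DROP stays last.
#   $1 = line number of the DROP rule
#   $2 = comma-separated source addresses (same form as the page's -s list)
build_insert_cmds() {
    pos=$1
    srcs=$2
    old_ifs=$IFS
    IFS=','
    for src in $srcs; do
        printf 'iptables -I INPUT %s -p tcp --dport 9000 -s %s -j ACCEPT\n' "$pos" "$src"
        pos=$((pos + 1))
    done
    IFS=$old_ifs
}

# Usage on a live host (as root); review the printed commands before running them:
#   n=$(iptables -L INPUT --line-numbers | find_drop_rule_num)
#   [ -n "$n" ] && build_insert_cmds "$n" "192.0.2.90,192.0.2.100"
```

Run the printed commands, then verify with iptables -L INPUT --line-numbers that the DROP is still the last rule before saving as in step 4.2.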