Preface
In server management, firewalls are an important tool to protect system security. Normally, we might turn off firewalld, but in some cases we need to leverage firewalld or iptables to limit IP requests. This article will introduce in detail how to use firewalld and iptables to implement IP port restriction and openness.
1. Firewalld IP port restrictions
1.1 Confirm the startup status
First, we need to confirm the startup status of firewalld
sudo systemctl status firewalld
1.2 Start Firewalld
If firewalld is not started, execute the following command to start:
sudo systemctl start firewalld
1.3 View the IP currently connected to Nacos
Take Nacos as an example to view the IP currently connected to Nacos:
netstat -antp | grep ':8848' | awk '{print $5}' | cut -d':' -f1 | sort | uniq
The IPs found this way are for reference only: they show who is connected right now, not every host that needs access. Use them as a supplement once you have sorted out which hosts must reach the service.
1.4 Add access rules
Add access rules to allow specific IPs to access Nacos services:
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.1.1.3" port port=8848 protocol=tcp accept'
Here, address is the IP of the server that needs to connect to Nacos (both the intranet address and the elastic/public IP must be added), and port specifies the Nacos port. For multiple IPs, run the command once per IP.
1.5 Reload the configuration
After adding the rules, reload the configuration:
sudo firewall-cmd --reload
1.6 View the list of currently active rules
View the list of currently active rules:
sudo firewall-cmd --list-all
Output example:
public (active)
target: default
icmp-block-inversion: no
interfaces: ens3
sources:
services: cockpit dhcpv6-client mdns ssh
ports: 8848/tcp 6379/tcp 8012/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.1.1.1" port port="8848" protocol="tcp" accept
rule family="ipv4" source address="172.1.1.2" port port="8848" protocol="tcp" accept
rule family="ipv4" source address="172.1.1.3" port port="8848" protocol="tcp" accept
rule family="ipv4" source address="172.1.1.4" port port="8848" protocol="tcp" accept
1.7 Remove a rule
- View current rich rules
sudo firewall-cmd --list-rich-rules
- Remove rich rule
sudo firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="172.1.1.4" port port="8848" protocol="tcp" accept'
- Reload the firewall
sudo firewall-cmd --reload
- Verify that the rule has been removed
sudo firewall-cmd --list-rich-rules
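As an added example (not part of the original article), the following script wraps the procedure of sections 1.4 to 1.7: it builds the rich-rule text for each allowed IP, compares it with the output of firewall-cmd --list-rich-rules, and prints only the add commands still missing, so re-running it does not create duplicate rules. The rule list is a constructed sample; nothing in the script modifies the firewall itself.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Prints the firewall-cmd
# commands still needed for a list of source IPs; the printed commands are
# meant to be reviewed before running. No firewall state is changed here.
set -eu

# Rich-rule text for one IPv4 source and one TCP port, in the quoted form
# that `firewall-cmd --list-rich-rules` prints.
rich_rule() {
  printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' "$1" "$2"
}

# Dotted-quad check: exactly four numeric octets, each 0..255.
valid_ipv4() {
  local o; local IFS=.
  set -- $1
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# Succeeds if the rule set on stdin already contains the rule for $1 on port $2.
rule_present() {
  grep -Fxq -- "$(rich_rule "$1" "$2")"
}

# plan_rules PORT IP...  reads current rich rules from stdin and prints one
# `firewall-cmd --permanent --add-rich-rule=...` line per IP not yet allowed.
# Invalid addresses are reported on stderr and skipped; returns 1 if any were.
plan_rules() {
  local port="$1" ip bad=0 current; shift
  current=$(cat)
  for ip in "$@"; do
    if ! valid_ipv4 "$ip"; then
      echo "skipping invalid IPv4 address: $ip" >&2; bad=1; continue
    fi
    if ! printf '%s\n' "$current" | rule_present "$ip" "$port"; then
      printf "sudo firewall-cmd --permanent --add-rich-rule='%s'\n" "$(rich_rule "$ip" "$port")"
    fi
  done
  return $bad
}

# Constructed sample of `firewall-cmd --list-rich-rules` output (two hosts already allowed).
SAMPLE_RULES='rule family="ipv4" source address="172.1.1.1" port port="8848" protocol="tcp" accept
rule family="ipv4" source address="172.1.1.2" port port="8848" protocol="tcp" accept'

# 172.1.1.1 is already present, so only the command for 172.1.1.3 is printed.
printf '%s\n' "$SAMPLE_RULES" | plan_rules 8848 172.1.1.1 172.1.1.3
echo "Follow with: sudo firewall-cmd --reload"
```

On a live host, replace the sample with `sudo firewall-cmd --list-rich-rules | plan_rules 8848 IP...` and review the printed commands before running them, then reload as in section 1.5.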
2. Firewalld open port
The previous section opened a port for specific IPs only. How do we open a port directly so that all IPs can access it?
2.1 Open port 6379
sudo firewall-cmd --permanent --add-port=6379/tcp
2.2 Reload the firewall
After adding the rules, you need to reload the firewall for the changes to take effect:
sudo firewall-cmd --reload
2.3 Verify the rules
You can verify the current firewall rules by using the following command to ensure that the Redis port has been successfully opened:
sudo firewall-cmd --list-all
3. Iptables IP port restrictions (not verified)
3.1 Add rules to allow specific IPs to access Nacos services
sudo iptables -A INPUT -p tcp -s 172.16.17.33 --dport 8848 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 8848 -s 172.16.61.83 -j ACCEPT
3.2 Save iptables rules
Ubuntu/Debian:
sudo iptables-save > /etc/
CentOS/RHEL:
sudo service iptables save
3.3 Solve the problem that the browser cannot access Nacos page
After adding the rules, the browser may still be unable to open the Nacos page: the server answers ping, but curl cannot connect. The cause may be a rule like the one below (shown as listed by iptables -L INPUT --line-numbers), which rejects all remaining traffic; because -A appends the ACCEPT rules after it, they are never reached. Access works normally once this rule is removed (or the ACCEPT rules are inserted above it with -I).
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Summary
In server management, it is very important to sort out which services on a server need to be reached from outside, and from where. As noted in 1.3, listing the currently connected IPs is not comprehensive, so the rules must be configured according to the actual situation. With firewalld and iptables we can flexibly control access to IP ports and thereby improve the security of the server.
The above is the detailed content on using firewalld and iptables to implement IP port restriction and opening. For more information about firewalld and iptables IP port restriction and opening, please see my other related articles!