Reference articles and prerequisites
First, a single-IP whitelist, to test and learn the DOCKER-USER chain
# Flush the entire DOCKER-USER chain
iptables -F DOCKER-USER
# Allow only the specific IP 188.188.188.188 to reach several container ports; DROP everything else
iptables -I DOCKER-USER -s 188.188.188.188 -p tcp -m multiport --dport 80,443,8000,9000 -j ACCEPT
iptables -A DOCKER-USER -p tcp -m multiport --dport 80,443,8000,9000 -j DROP
iptables -A DOCKER-USER -j RETURN
# Show the DOCKER-USER chain rules just set
iptables -nvL DOCKER-USER
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 188.188.188.188 0.0.0.0/0 multiport dports 80,443,8000,9000
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,8000,9000
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Open the site in a browser to test whether other IPs are blocked. If you lock yourself out, rebooting the VPS restores the settings from before the change, since rules entered this way are not persisted across reboots.
# Now add a second IP (replace YOUR_IP_ADDRESS with your own address)
iptables -I DOCKER-USER -s YOUR_IP_ADDRESS -p tcp -m multiport --dport 80,443,8000,9000 -j ACCEPT
Having understood the DOCKER-USER chain rules, we now use ipset to build the whitelist, and test and learn how ipset is used.
apt install ipset -y # install the ipset package
ipset create blacklist hash:net maxelem 1000000 # 1. create an ipset blacklist
ipset create whitelist hash:net maxelem 1000000 # whitelist
ipset add whitelist 8.8.8.8 # add one IP to the set
ipset list whitelist # view the whitelist
bash add_ipset.sh whitelist.txt # add whitelist entries in bulk from a file
#!/bin/bash
# add_ipset.sh: import an IP list into the ipset, one entry per line
let i=1
while read -r line || [[ -n $line ]]; do
  echo -e "${i} ${line}" && let i++
  ipset add whitelist "$line"   # each line holds one IP or CIDR
done < "$1"
View the whitelist: ipset list whitelist
Name: whitelist
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 1000000
Size in memory: 1112
References: 0
Number of entries: 12
Members:
8.8.8.8
......
Testing and learning with the whitelist ipset
# Flush the entire DOCKER-USER chain
iptables -F DOCKER-USER
# Allow only sources in the whitelist ipset to reach the container ports; DROP everything else
iptables -I DOCKER-USER -m set --match-set whitelist src -p tcp -j ACCEPT
iptables -A DOCKER-USER -p tcp -m multiport --dport 80,443,8000,9000 -j DROP
iptables -A DOCKER-USER -j RETURN
# Show the DOCKER-USER chain rules just set
iptables -nvL DOCKER-USER
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set whitelist src
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,8000,9000
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
From a whitelisted IP, use the command tcping ip:port to test whether the port is reachable:
$ tcping 188.188.0.224 80
Probing 188.188.0.224:80/tcp - Port is open - time=167.975ms
ipset add whitelist 188.188.243.133 # if the IP is not in the whitelist, add it manually
ipset del whitelist 188.188.243.133 # you can also remove the IP from the whitelist and test again
$ tcping 188.188.0.224 80
The blacklist has to be built up over time; reference command:
iptables -I DOCKER-USER -m set --match-set blacklist src -p tcp -j DROP
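The whitelist workflow above (validate and load whitelist.txt into the set, then install the DOCKER-USER rules in the right order) gathered into one script, as an added example that is not from the original post. It assumes the IPT, IPSET, SET_NAME and PORTS variables and the file format given in its comments; run it with IPSET=: to only validate the file without touching the kernel.

```bash
#!/usr/bin/env bash
# Assumptions (not from the post): IPT/IPSET are the real binaries (use IPSET=: for a
# dry run); the whitelist file holds one IPv4 address or CIDR per line, '#' comments allowed.
set -eu
IPT="${IPT:-iptables}"
IPSET="${IPSET:-ipset}"
SET_NAME="${SET_NAME:-whitelist}"
PORTS="${PORTS:-80,443,8000,9000}"
# Returns 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix, else 1.
valid_ipv4_net() {
  addr="${1%%/*}"; pfx="${1#*/}"
  [ "$pfx" = "$1" ] && pfx=32                     # no '/' given: a host entry
  case "$pfx" in ''|*[!0-9]*) return 1;; esac
  [ "$pfx" -le 32 ] || return 1
  case "$addr" in ''|.*|*.|*..*) return 1;; esac
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}
# Prints the DOCKER-USER rules in the order the post relies on: flush, ACCEPT for sources
# in the set, DROP for the published ports, RETURN so Docker's own chains still run.
docker_user_rules() {
  printf '%s\n' \
    "$IPT -F DOCKER-USER" \
    "$IPT -A DOCKER-USER -m set --match-set $SET_NAME src -p tcp -j ACCEPT" \
    "$IPT -A DOCKER-USER -p tcp -m multiport --dport $PORTS -j DROP" \
    "$IPT -A DOCKER-USER -j RETURN"
}
# Loads file $1 into the set: creates it if missing, skips blank lines, comments and
# malformed entries (reported on stderr), and prints how many entries were added.
load_whitelist() {
  added=0
  $IPSET -exist create "$SET_NAME" hash:net maxelem 1000000
  while IFS= read -r line || [ -n "$line" ]; do
    entry=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
    [ -n "$entry" ] || continue
    if valid_ipv4_net "$entry"; then
      $IPSET -exist add "$SET_NAME" "$entry"
      added=$((added + 1))
    else
      printf 'skipping invalid entry: %s\n' "$entry" >&2
    fi
  done < "$1"
  echo "$added"
}
```

Source the file, then call `load_whitelist whitelist.txt` and review the output of `docker_user_rules` before piping it into `sh` as root.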