CentOS 7 note: CentOS 7 ships with iptables but not with iptables-services. Install iptables-services if you want the service wrapper (service iptables save, systemctl restart iptables).

When I ran into the requirement, restricting a Redis service to specified IP addresses with iptables did not look difficult. A web search turned this up first:

# Configure iptables
iptables -A INPUT -s <allowed IP> -p tcp --dport 6379 -j ACCEPT
iptables -A INPUT -s <another allowed IP> -p tcp --dport 6379 -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j REJECT

The ACCEPT rules must be placed above the final "-A INPUT -p tcp --dport 6379 -j REJECT" rule; otherwise the REJECT matches first and the allowed IPs are rejected too.

It did not look hard. After running the commands, iptables -L -n lists the chains; since we only touched INPUT, only the INPUT chain mattered, and the output looked right. Then the problem appeared. The short version: it did not work, any IP could still reach Redis. I tested again, this time rejecting every IP and allowing none, and it still did not work: redis-cli from another server and an online port scanner could both reach the port. So why?

Because my Redis service is started by Docker. Docker registers a virtual bridge interface, docker0, and publishes the container port with a DNAT rule in the nat table. Traffic for the published port has its destination rewritten to the container's address and is then routed out through docker0, so to the kernel it is forwarded traffic: it traverses the FORWARD chain, where Docker has hooked in its own DOCKER chain, and never passes through the INPUT rules we just added. So run this instead:

iptables -I DOCKER -p tcp --dport 6379 -j DROP
iptables -I DOCKER -s 127.0.0.1 -p tcp --dport 6379 -j ACCEPT
iptables -L -n

Now two new rules appear in the DOCKER chain: one drops all access and one allows 127.0.0.1. One caveat: the DOCKER chain is managed by the Docker daemon, which rewrites it whenever it creates or removes port mappings, and the Docker documentation says not to edit it by hand. Docker 17.06 and later provide a DOCKER-USER chain that Docker evaluates before its own rules and leaves alone, which is the intended place for custom rules like these.

If you look carefully, you will notice that this time the deny rule is written first and the allow rule second, while the first code block allows first and denies second. Both orders are correct. The first block uses iptables -A, which appends to the end of the chain; iptables matches from top to bottom, so with -A the rule written first is matched first. The second block uses iptables -I, which inserts at the head of the chain, as the screenshot above showed: the two rules I added sit at the very front of the chain. With -I, the rule written last is matched first, which is why the DROP is written before the ACCEPT.
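The same allowlist done the way Docker documents it, as an added example that is not code from the original post: rules go in the DOCKER-USER chain (Docker 17.06+) rather than the Docker-managed DOCKER chain, they are inserted with -I so the written-last-matched-first ordering above applies, and the script can also check an iptables-save dump to confirm the allowlist is in place (useful after a reboot). The external interface name eth0, the client addresses 10.0.0.5 and 192.0.2.7, and the script file name are assumptions, not values from the page; the two iptables-save excerpts are constructed for the self-check.

```shell
#!/bin/sh
# Added example, not code from the original post. Allowlists a Docker-published
# Redis port in Docker's DOCKER-USER chain (Docker 17.06+), the chain Docker
# documents for custom rules, instead of the Docker-managed DOCKER chain.
# Assumed values (not from the page): external interface eth0, host port 6379,
# client IPs 10.0.0.5 and 192.0.2.7.

# Print, in execution order, the iptables commands that allow $2/tcp on
# interface $1 only from the client IPs passed as the remaining arguments.
# Every rule is inserted (-I) at the head of DOCKER-USER so it lands above the
# "-j RETURN" that Docker keeps at the end of that chain. The DROP goes in
# first and each ACCEPT is then inserted above it, so the final chain reads
# ACCEPT ... ACCEPT DROP RETURN: the same "written last, matched first" rule
# as the -I commands on the page.
# "-m conntrack --ctorigdstport" matches the port the client connected to on
# the host, i.e. before Docker's DNAT rewrote the destination to the container.
redis_allowlist_rules() {
    ext_if=$1; port=$2; shift 2
    echo "iptables -I DOCKER-USER -i $ext_if -p tcp -m conntrack --ctorigdstport $port -j DROP"
    for client in "$@"; do
        echo "iptables -I DOCKER-USER -i $ext_if -s $client -p tcp -m conntrack --ctorigdstport $port -j ACCEPT"
    done
}

# Run the generated commands (needs root). With DRY_RUN=1 they are only printed.
apply_redis_allowlist() {
    redis_allowlist_rules "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}

# Read an iptables-save dump from stdin and check that the allowlist for port $1
# is in place in DOCKER-USER: a DROP for that port exists and no ACCEPT for
# that port sits below it (a DROP above an ACCEPT shadows the ACCEPT).
# Exit status 0 = allowlist in place, 1 = missing or mis-ordered.
# After a reboot:  iptables-save | check_redis_allowlist 6379
check_redis_allowlist() {
    awk -v port="$1" '
        /^-A DOCKER-USER / && $0 ~ ("--ctorigdstport " port " ") {
            if ($0 ~ /-j DROP$/) drop = 1
            else if ($0 ~ /-j ACCEPT$/ && drop) shadowed = 1
        }
        END { if (drop && !shadowed) exit 0; exit 1 }'
}

# Constructed iptables-save excerpts for a self-check; not captured from a real host.
GOOD_DUMP=$(cat <<'EOF'
*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -i eth0 -s 192.0.2.7/32 -p tcp -m conntrack --ctorigdstport 6379 -j ACCEPT
-A DOCKER-USER -i eth0 -s 10.0.0.5/32 -p tcp -m conntrack --ctorigdstport 6379 -j ACCEPT
-A DOCKER-USER -i eth0 -p tcp -m conntrack --ctorigdstport 6379 -j DROP
-A DOCKER-USER -j RETURN
COMMIT
EOF
)
# The same rules appended with -A in the wrong order: the DROP shadows the ACCEPT.
BAD_DUMP=$(cat <<'EOF'
*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -i eth0 -p tcp -m conntrack --ctorigdstport 6379 -j DROP
-A DOCKER-USER -i eth0 -s 10.0.0.5/32 -p tcp -m conntrack --ctorigdstport 6379 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
EOF
)

# Usage (file name hypothetical): DRY_RUN=1 sh redis-allowlist.sh prints the
# commands; run it as root without DRY_RUN to apply them.
if [ "${DRY_RUN:-0}" = 1 ]; then
    apply_redis_allowlist eth0 6379 10.0.0.5 192.0.2.7
fi
```

Using -i on the external interface keeps container-to-container and reply traffic, which enters the FORWARD chain from docker0, out of the allowlist's way, and matching on the original destination port means the rule keeps working even if the container listens on a different internal port than the one published on the host.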

At this point, my requirement of restricting port 6379 to specified IPs via iptables is fulfilled.

But we did this by typing commands, and the rules disappear when the system restarts. How do you make them survive a reboot?

After consulting countless documents and trying every method I could find, none of them kept these rules in place: they only cover rules in the built-in INPUT, FORWARD, OUTPUT and PREROUTING chains. What worked is the following. First, save the configured rules to the backup configuration file:

iptables-save > /etc/sysconfig/iptables

Or, if iptables-services is installed:

service iptables save

Then, after the system restarts, load the configuration file manually:

iptables-restore < /etc/sysconfig/iptables

Or, with iptables-services installed, restart the iptables service so it re-reads the file:

systemctl restart iptables

And you're done.

The reason should be this: after the server restarts, the iptables service starts first and loads the backup configuration file, but the Docker service has not started yet and the DOCKER chain has not been set up by Docker. So although iptables loads the backup, the rules belonging to the DOCKER chain do not end up in effect, and the DOCKER rules we wrote are missing.

After Docker starts, the DOCKER chain exists, so either loading the iptables configuration file manually or simply restarting iptables so it re-reads the configuration restores the backed-up DOCKER rules.

Common iptables commands

Command                                   Effect
iptables -nvL                             List all iptables rules (verbose, with packet counters)
iptables -L -n                            List all iptables rules
iptables -L -n --line-numbers             List all iptables rules with rule numbers
iptables-save > <absolute file path>      Save the current iptables rules to the specified file
iptables-restore < <absolute file path>   Load iptables rules from the specified file
