\u5efa\u7acb\u4e00\u4e2aiptables\u89c4\u5219\u6587\u6863\/etc\/iptables.conf\uff0c\u5efa\u7acb\u4e00\u4e2a\u65b0\u7684chain\u53eb\u505aFILTERS\uff0c\u5e76\u901a\u8fc7INPUT\u548cDOCKER-USER\u5c06\u7edd\u5927\u90e8\u5206\u9700\u8981\u6dfb\u52a0\u7684\u89c4\u5219\u8f6c\u4ea4\u7ed9FILTER\u5904\u7406\uff0c\u5e76\u901a\u8fc7\u7f16\u8f91FILTER\u7684\u89c4\u5219\u5b9e\u73b0\u7edf\u4e00\u7ba1\u7406INPUT\u548cDOCKER-USER\u89c4\u5219<\/p>\n\n\n\n
*filter\n:INPUT ACCEPT [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n:FILTERS - [0:0]\n:DOCKER-USER - [0:0]\n\n-F INPUT\n-F DOCKER-USER\n-F FILTERS\n\n-A INPUT -i lo -j ACCEPT\n-A INPUT -i zt+ -j ACCEPT\n-A INPUT -p icmp --icmp-type any -j ACCEPT\n-A INPUT -j FILTERS\n\n-A DOCKER-USER -i eth0 -j FILTERS\n\n-A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT\n-A FILTERS -m state --state NEW -s 1.2.3.4\/32 -j ACCEPT\n-A FILTERS -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT\n-A FILTERS -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT\n-A FILTERS -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT\n-A FILTERS -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT\n-A FILTERS -j DROP\n\nCOMMIT\n<\/code><\/pre>\n\n\n\n\u901a\u8fc7\u4ee5\u4e0b\u547d\u4ee4\u5c06\u4ee5\u4e0a\u89c4\u5219\u6dfb\u52a0\u5165iptables\u5b9e\u73b0\u7ba1\u7406\uff0c\u4e0d\u8981\u9057\u5fd8\u8fd9\u4e2a-n\u53c2\u6570\uff0c\u8fd9\u6837\u53ef\u4ee5\u907f\u514d\u6bcf\u6b21\u9700\u8981\u91cd\u542fdocker\u6765\u6dfb\u52a0docker\u89c4\u5219<\/p>\n\n\n\n
iptables-restore -n \/etc\/iptables.conf\n<\/code><\/pre>\n\n\n\n\u6700\u540e\u5efa\u7acbsystemctl\u670d\u52a1\uff0c\u53ef\u4ee5\u5b9e\u73b0start, stop, restart, enable\u7b49\u5de5\u4f5c\u3002<\/p>\n\n\n\n
vim \/etc\/systemd\/system\/iptables.service<\/code><\/pre>\n\n\n\n[Unit]\nDescription=Restore iptables firewall rules\nBefore=network-pre.target\n\n[Service]\nType=oneshot\nExecStart=\/sbin\/iptables-restore -n \/etc\/iptables.conf\n\n[Install]\nWantedBy=multi-user.target<\/code><\/pre>\n\n\n\nsystemctl enable --now iptables\nsystemctl restart iptables\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"\u5efa\u7acb\u4e00\u4e2aiptables\u89c4\u5219\u6587\u6863\/etc\/iptables.conf\uff0c\u5efa\u7acb\u4e00\u4e2a\u65b0\u7684chain\u53eb\u505aFILTERS […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-171","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/byso.top\/index.php?rest_route=\/wp\/v2\/posts\/171","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/byso.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/byso.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/byso.top\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/byso.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=171"}],"version-history":[{"count":4,"href":"https:\/\/byso.top\/index.php?rest_route=\/wp\/v2\/posts\/171\/revisions"}],"predecessor-version":[{"id":188,"href":"https:\/\/byso.top\/index.php?rest_route=\/wp\/v2\/posts\/171\/revisions\/188"}],"wp:attachment":[{"href":"https:\/\/byso.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=171"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/byso.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=171"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/byso.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=171"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}