Scenario: open a port to one specific IP only; connections to that port from any other IP are refused.
iptables -A INPUT -s <allowed-ip> -p tcp --dport <port> -j ACCEPT
iptables -A INPUT -p tcp --dport <port> -j DROP
The order in which these two rules are added is easy to get wrong. Testing confirms that the ACCEPT rule for the allowed IP must be added first and the catch-all DROP for the port second; the other way round does not give the expected result. Note that both rules use -A, which appends to the end of the INPUT chain, so if a catch-all DROP or REJECT is already present, an appended ACCEPT is never reached. Check the current order with `iptables -L INPUT -n --line-numbers` and use `-I INPUT <n>` instead of -A when a rule has to be placed at a specific position.
Each rule in a chain contains the specification of which packets it matches. It may also contain a target (used for extensions) or verdict (one of the built-in decisions). As a packet traverses a chain, each rule in turn is examined. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target/verdict, which may result in the packet being allowed to continue along the chain or it may not.
This can be read as: rules are matched in order, and the first rule that matches the packet decides its fate; no further rules are consulted. In this example, if the DROP rule comes first it matches every packet to the port, including those from the allowed IP, so the ACCEPT rule is never reached.
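To make the first-match behaviour concrete, here is a small model of an INPUT chain written for this page (it is not iptables code and does not touch the kernel). It parses the -A/-I, -s, -p, --dport and -j options of an iptables command line into rules, evaluates packets top to bottom the way the quoted description says, and compares the correct order, the reversed order, and the repair with -I when a DROP has already been appended. The IP addresses, port and chain policy are made-up example values.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    src: Optional[ipaddress.IPv4Network]   # None means "any source"
    proto: Optional[str]                   # None means "any protocol"
    dport: Optional[int]                   # None means "any port"
    target: str                            # ACCEPT / DROP / ...


class Chain:
    """Model of one iptables chain: rules are tried in order, the first
    match decides, and the chain policy applies only if nothing matched."""

    def __init__(self, policy: str = "ACCEPT"):
        self.rules: list[Rule] = []
        self.policy = policy

    def run(self, cmdline: str) -> None:
        """Apply an 'iptables -A CHAIN ...' or 'iptables -I CHAIN [n] ...' line."""
        args = shlex.split(cmdline)
        if not args or args[0] != "iptables":
            raise ValueError("expected an iptables command line")
        mode, pos = None, None
        src = proto = dport = target = None
        i = 1
        while i < len(args):
            a = args[i]
            if a in ("-A", "-I"):
                mode = a
                i += 2                      # skip the chain name
                # -I accepts an optional 1-based rule number after the chain
                if a == "-I" and i < len(args) and args[i].isdigit():
                    pos = int(args[i])
                    i += 1
                continue
            if a == "-s":
                # a bare address is treated as a /32, like iptables does
                src = ipaddress.ip_network(args[i + 1], strict=False)
            elif a == "-p":
                proto = args[i + 1]
            elif a == "--dport":
                dport = int(args[i + 1])
            elif a == "-j":
                target = args[i + 1]
            else:
                raise ValueError(f"unsupported option in this model: {a}")
            i += 2
        if mode is None or target is None:
            raise ValueError("need -A/-I and -j")
        rule = Rule(src, proto, dport, target)
        if mode == "-A":
            self.rules.append(rule)         # -A always goes to the end
        else:
            self.rules.insert((pos or 1) - 1, rule)  # -I defaults to position 1

    def verdict(self, src_ip: str, proto: str, dport: int) -> str:
        """Walk the chain; the first matching rule's target is the verdict."""
        ip = ipaddress.ip_address(src_ip)
        for r in self.rules:
            if r.src is not None and ip not in r.src:
                continue
            if r.proto is not None and r.proto != proto:
                continue
            if r.dport is not None and r.dport != dport:
                continue
            return r.target
        return self.policy


ALLOWED = "203.0.113.10"   # constructed example: the one IP allowed in
OTHER = "198.51.100.7"     # constructed example: anybody else
PORT = 22                  # constructed example port


def build_demo_chains() -> dict[str, Chain]:
    """Three INPUT chains: correct order, reversed order, and the -I repair."""
    good = Chain()
    good.run(f"iptables -A INPUT -s {ALLOWED} -p tcp --dport {PORT} -j ACCEPT")
    good.run(f"iptables -A INPUT -p tcp --dport {PORT} -j DROP")

    reversed_order = Chain()
    reversed_order.run(f"iptables -A INPUT -p tcp --dport {PORT} -j DROP")
    reversed_order.run(f"iptables -A INPUT -s {ALLOWED} -p tcp --dport {PORT} -j ACCEPT")

    # The DROP is already in the chain; -I INPUT 1 puts the ACCEPT in front of it.
    repaired = Chain()
    repaired.run(f"iptables -A INPUT -p tcp --dport {PORT} -j DROP")
    repaired.run(f"iptables -I INPUT 1 -s {ALLOWED} -p tcp --dport {PORT} -j ACCEPT")

    return {"good": good, "reversed": reversed_order, "repaired": repaired}


if __name__ == "__main__":
    for name, chain in build_demo_chains().items():
        print(name, ALLOWED, chain.verdict(ALLOWED, "tcp", PORT),
              OTHER, chain.verdict(OTHER, "tcp", PORT))
```

In the reversed chain the catch-all DROP sits first and swallows the allowed IP's packets too, exactly the failure described above; the repaired chain shows that when a DROP has already been appended, inserting the ACCEPT with -I at position 1 restores the intended result without flushing the chain.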