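#!/usr/bin/env bash
# Shared firewall provisioning script. Run it on the master server (the one
# with clush installed); every iptables command is pushed to the managed
# nodes through clush (-a = all nodes, -g = node group, -w = named node).
#
# Ordering rules this script relies on:
#   * The INPUT policy is switched to ACCEPT before the tables are flushed so
#     no host is locked out while the rule set is being rebuilt.
#   * The DROP policy is installed only after every allow rule is in place.
#   * Every rule must be added BEFORE the save/restart step at the end;
#     anything appended after the save is lost on the next iptables restart.

# --- Reset ---------------------------------------------------------------
# Flush first, then delete user-defined chains, then zero the counters:
# `iptables -X` refuses to delete a chain that is still referenced by a rule,
# so it must run after -F.
clush -a sudo iptables -P INPUT ACCEPT
clush -a sudo iptables -F
clush -a sudo iptables -F -t nat
clush -a sudo iptables -X
clush -a sudo iptables -Z

# --- Rules common to all nodes -------------------------------------------
# Let replies to connections the host itself initiated come back in.
# RELATED is included so that ICMP errors and helper-tracked child
# connections of an established session are not dropped by the final policy.
clush -a sudo iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Monitoring host.
clush -a sudo iptables -A INPUT -s 120.27.102.225/32 -j ACCEPT
# SSH (port 22) from anywhere.
clush -a sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Loopback traffic. Matching on the interface rather than on
# -s/-d 127.0.0.1 also covers a host talking to its own non-loopback
# address, which is routed over lo with that address as source/destination.
clush -a sudo iptables -A INPUT -i lo -j ACCEPT

# Allow our own servers to reach each other.
# Application servers:
# mysql
clush -a sudo iptables -A INPUT -s 10.161.85.184 -j ACCEPT
# demo server
clush -a sudo iptables -A INPUT -s 10.161.197.167 -j ACCEPT
# nginx
clush -a sudo iptables -A INPUT -s 10.169.27.36 -j ACCEPT
# timer
clush -a sudo iptables -A INPUT -s 10.174.198.134 -j ACCEPT
# app
clush -a sudo iptables -A INPUT -s 10.161.194.154 -j ACCEPT
# recNginx
clush -a sudo iptables -A INPUT -s 10.251.144.150 -j ACCEPT
# recApp1
clush -a sudo iptables -A INPUT -s 10.163.221.61 -j ACCEPT
# Hadoop cluster:
# h1.nn1
clush -a sudo iptables -A INPUT -s 10.165.17.73 -j ACCEPT
# h1.nn2
clush -a sudo iptables -A INPUT -s 10.144.19.34 -j ACCEPT
# h1.dn1
clush -a sudo iptables -A INPUT -s 10.163.113.110 -j ACCEPT
# h1.nn2 (label duplicated in the original inventory; verify which node this is)
clush -a sudo iptables -A INPUT -s 10.163.101.63 -j ACCEPT
# h1.nn3
clush -a sudo iptables -A INPUT -s 10.129.89.103 -j ACCEPT
# Company public (office) IP.
clush -a sudo iptables -A INPUT -s 182.50.124.75 -j ACCEPT

# --- Application servers (group "web") -----------------------------------
# Expose 80 plus the backend ports; 80/443 are redirected to 8080/8443 in
# the nat table so the application can listen on unprivileged ports.
clush -g web sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
clush -g web sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
clush -g web sudo iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
clush -g web sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
clush -g web sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

# --- nginx server ---------------------------------------------------------
clush -w nginx sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
clush -w nginx sudo iptables -A INPUT -p tcp --dport 8888 -j ACCEPT
clush -w nginx sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8888
# nginx HTTPS
clush -w nginx sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
clush -w nginx sudo iptables -A INPUT -p tcp --dport 7443 -j ACCEPT
clush -w nginx sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 7443

# --- Tracking (埋点) nginx server -----------------------------------------
clush -w recNginx sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
clush -w recNginx sudo iptables -A INPUT -p tcp --dport 8888 -j ACCEPT
clush -w recNginx sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8888
# Tracking nginx HTTPS
clush -w recNginx sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
clush -w recNginx sudo iptables -A INPUT -p tcp --dport 7443 -j ACCEPT
clush -w recNginx sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 7443

# --- MySQL server ---------------------------------------------------------
# 115.29.247.110
clush -w mysql sudo iptables -A INPUT -s 115.29.247.110 -j ACCEPT
# Allow MySQL to be reached from the .245 host. This rule used to be added
# after the save/restart step and was therefore dropped on every restart;
# it now sits with the other MySQL rules so it is persisted.
clush -w mysql sudo iptables -A INPUT -s 121.40.121.245 -j ACCEPT

# --- Default deny, then persist --------------------------------------------
clush -a sudo iptables -P INPUT DROP
# Save the rule set (CentOS 6 style init script) and reload it.
clush -a sudo /etc/init.d/iptables save
clush -a sudo /etc/init.d/iptables restart

# CentOS 7 equivalent of the save/restart step (kept for reference):
#clush -w recApp1 sudo iptables-save
#clush -w recApp1 sudo systemctl restart iptables.service
#clush -w recNginx sudo iptables-save
#clush -w recNginx sudo systemctl restart iptables.service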