How to use iptables to block IP addresses in centos

Source: Internet
Author: User
Tags: centos, iptables, port number


1. Install the iptables firewall
On CentOS, run:

yum install iptables
On Debian/Ubuntu, run:

apt-get install iptables
2. Clear the existing iptables rules

# -F flushes all rules, -X deletes user-defined chains, -Z zeroes the packet/byte counters
iptables -F
iptables -X
iptables -Z

3. Open the specified ports
# Allow the local loopback interface (the machine talking to itself)
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# Allow established or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic from this host
iptables -A OUTPUT -j ACCEPT
# Allow access to port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow access to port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow ports 21 and 20 for the FTP service
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# For other ports the rule is the same; just change the port number in the statement above.
# Reject everything not permitted by the rules above
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
4. Blocking IP addresses
# If you only want to block IP addresses, you can skip step 3, "Open the specified ports".
# The command to block a single IP address is
iptables -I INPUT -s 123.45.6.7 -j DROP
# The command to block the entire segment from 123.0.0.1 to 123.20.255.254 is
iptables -I INPUT -s 123.0.0.0/8 -j DROP
# The command to block the segment from 123.45.0.1 to 123.45.255.254 is
iptables -I INPUT -s 123.45.0.0/16 -j DROP
# The command to block the segment from 123.45.6.1 to 123.45.6.254 is
iptables -I INPUT -s 123.45.6.0/24 -j DROP
5. View the added iptables rules

iptables -L -n
-v: show details, including the number of packets and bytes matched by each rule.
-x: together with -v, show exact counters instead of values rounded to K or M.
-n: show IP addresses and port numbers numerically, without resolving addresses to domain names.
6. Delete an added iptables rule
To list all rules with their line numbers, run:

iptables -L -n --line-numbers
For example, to delete the rule with line number 1 in INPUT, run:
iptables -D INPUT 1
7. Start iptables on boot and save the rules

chkconfig --level 345 iptables on
On CentOS, save the current rules with: service iptables save
Common commands for blocking IP segments with iptables on Linux:
The command to block a single IP address is:

iptables -I INPUT -s 211.1.0.0 -j DROP
The command to block IP segments is:

iptables -I INPUT -s 211.1.0.0/16 -j DROP
iptables -I INPUT -s 211.2.0.0/16 -j DROP
iptables -I INPUT -s 211.3.0.0/16 -j DROP
The command to block an entire /8 segment is:

iptables -I INPUT -s 211.0.0.0/8 -j DROP
The command to block several /24 segments is:

iptables -I INPUT -s 61.37.80.0/24 -j DROP
iptables -I INPUT -s 61.37.81.0/24 -j DROP
To unblock (the -D specification must match the rule exactly as it was added, so a rule added with -j DROP is deleted with -j DROP):

iptables -D INPUT -s <IP address> -j DROP
Clear all rules:

iptables -F
Stop:

/etc/rc.d/init.d/iptables stop
Start:

/etc/rc.d/init.d/iptables start
Restart:

/etc/rc.d/init.d/iptables restart
1. Takes effect after a reboot
Enable: chkconfig iptables on
Disable: chkconfig iptables off
2. Takes effect immediately but is lost after a reboot
Enable: service iptables start
Disable: service iptables stop
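Section 4 and the block commands above both express the addresses to drop as CIDR prefixes, and a prefix length is easy to get wrong. The following helper is added here and is not part of the original article: it prints the exact first and last address a "-s <cidr>" match covers and tests whether a given address falls inside it, so a DROP rule can be checked before it is loaded. The function names are my own; it assumes a POSIX sh with 64-bit arithmetic (dash or bash) and handles IPv4 only.

```shell
#!/bin/sh
# Added helper (not from the original article): show what "-s <cidr>" really matches.
# Assumes POSIX sh with 64-bit integer arithmetic; IPv4 only.

ip_to_int() {
  # Dotted quad -> 32-bit integer
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int_to_ip() {
  # 32-bit integer -> dotted quad
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

cidr_range() {
  # Print "<first address> <last address>" covered by 1.2.3.0/24 or by a bare address
  addr=${1%/*}
  bits=${1#*/}
  [ "$bits" = "$1" ] && bits=32            # no prefix length given: a single host (/32)
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  net=$(( $(ip_to_int "$addr") & mask ))   # network address: host bits cleared
  last=$(( net | (~mask & 4294967295) ))   # last address: host bits set
  echo "$(int_to_ip "$net") $(int_to_ip "$last")"
}

cidr_contains() {
  # Exit 0 if address $1 lies inside CIDR $2, otherwise exit 1
  set -- "$(ip_to_int "$1")" $(cidr_range "$2")
  [ "$1" -ge "$(ip_to_int "$2")" ] && [ "$1" -le "$(ip_to_int "$3")" ]
}

# Demo: the /8 rule from section 4 covers every address from 123.0.0.0 to 123.255.255.255
cidr_range 123.0.0.0/8        # 123.0.0.0 123.255.255.255
```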


Iptables IP address whitelist configuration

Edit the iptables configuration file and replace its contents with the following to get an IP address whitelist.
# vim /etc/sysconfig/iptables

1. *filter
2. :INPUT ACCEPT [0:0]
3. :FORWARD ACCEPT [0:0]
4. :OUTPUT ACCEPT [0:0]
5.
6. -N whitelist
7. -A whitelist -s 1.2.3.0/24 -j ACCEPT
8. -A whitelist -s 4.5.6.7 -j ACCEPT
9.
10. -A INPUT -m state --state RELATED,ESTABLISHED -j whitelist
11. -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j whitelist
12. -A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j whitelist
13. -A INPUT -p icmp -j ACCEPT
14. -A INPUT -i lo -j ACCEPT
15. -A INPUT -j REJECT --reject-with icmp-host-prohibited
16. -A FORWARD -j REJECT --reject-with icmp-host-prohibited
17. COMMIT

Lines 6 to 8 are the whitelist, which can contain IP segments or single IP addresses.
Lines 10 to 12 must use "-j whitelist" rather than "-j ACCEPT". The former restricts access to the port to the whitelisted addresses; the latter does not.

Line 13 allows any IP address to ping the host, because "-j ACCEPT" applies no restriction.

After the configuration is complete, restart the firewall to make the rules take effect:
# systemctl restart iptables.service
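The mistake the text warns about (a port rule that jumps to ACCEPT instead of the whitelist chain) is easy to reintroduce later, so here is an added audit script that is not part of the original article. It reads an iptables-save dump on stdin, prints every INPUT rule that opens a port straight to ACCEPT, and separately checks that INPUT still ends in the catch-all REJECT. The sample dump is constructed for the demo and the function names are my own; on a live host it would be fed with iptables-save.

```shell
#!/bin/sh
# Added audit script (not from the original article) for the whitelist ruleset above.
# Usage on a live host: iptables-save | audit_whitelist

# Constructed sample dump (not from a real host); the 8080 rule opens that port to everyone.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-N whitelist
-A whitelist -s 1.2.3.0/24 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j whitelist
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

audit_whitelist() {
  # Print every INPUT rule that opens a port with -j ACCEPT (bypassing the whitelist
  # chain); exit 1 if any such rule exists, 0 if the dump is clean
  awk '/^-A INPUT / && /--dport/ && /-j ACCEPT/ { print; bad = 1 }
       END { exit bad + 0 }'
}

has_default_reject() {
  # Exit 0 only if the last rule in INPUT is the catch-all REJECT
  awk '/^-A INPUT / { last = $0 }
       END { if (last ~ /-j REJECT/) exit 0; exit 1 }'
}

# Demo on the constructed sample
printf '%s\n' "$SAMPLE_DUMP" | audit_whitelist || echo "a port rule bypasses the whitelist"
printf '%s\n' "$SAMPLE_DUMP" | has_default_reject && echo "INPUT ends with REJECT"
```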
