vi /etc/sysconfig/iptables

# Generated by iptables-save v1.4.7 on Fri Aug 25 10:54:48 2017
*filter
:INPUT ACCEPT [6128:1521617]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5824:2626314]
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s xx.xxx.xx.xx/32 -p tcp -m conntrack --ctstate NEW -m tcp --dport 1521 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 1521 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Rules in a chain are evaluated top to bottom and the first match wins, so the ACCEPT for the single whitelisted host (xx.xxx.xx.xx/32) has to come before the REJECT that blocks port 1521 (the Oracle listener) for everyone else; with the two lines swapped, the whitelisted host would be rejected as well. Also note that the INPUT chain's default policy is ACCEPT: this file only blocks what it explicitly rejects, every other port stays reachable, and port 22 is open to any source address.

A second variant of the same file. It does the same thing for port 1521, only with --source written after --dport instead of -s at the front (-s is simply the short form of --source; iptables accepts either, in either position), and it additionally rejects port 27017 (MongoDB):

# Generated by iptables-save v1.4.7 on Wed Aug 23 18:00:46 2017
*filter
:INPUT ACCEPT [90:26030]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [61:9044]
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 1521 --source xx.xxx.xx.xx/32 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 1521 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 27017 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Aug 23 18:00:46 2017

After editing the file, service iptables restart is all that is needed to load the new rules (it runs iptables-restore on /etc/sysconfig/iptables; iptables-restore < /etc/sysconfig/iptables does the same by hand). Confirm the loaded order with iptables -L INPUT -n --line-numbers.
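To make the first-match behaviour and the default-policy caveat concrete, here is an added example (not part of the original note) that parses an iptables-save filter table and evaluates the INPUT chain for a given source address and destination port exactly the way the kernel walks it: first matching rule decides, otherwise the chain policy applies. The ruleset is a constructed copy of the second file above, with the redacted xx.xxx.xx.xx host replaced by the documentation address 203.0.113.10 (an assumption); only the matches the note uses (-p, -s/--source, --dport, -j) are modeled, and every packet is treated as a NEW TCP connection, which is what the --ctstate NEW rules match on. A second copy with the two port-1521 lines swapped shows why order matters.

```python
"""First-match simulator for an iptables-save INPUT chain (added example)."""
import ipaddress
import shlex

# Constructed ruleset mirroring the note's second /etc/sysconfig/iptables.
# 203.0.113.10 stands in for the redacted whitelist host (assumption).
ACCEPT_1521 = ("-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 1521 "
               "--source 203.0.113.10/32 -j ACCEPT")
REJECT_1521 = ("-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 1521 "
               "-j REJECT --reject-with icmp-host-prohibited")
HEAD = [
    "*filter",
    ":INPUT ACCEPT [90:26030]",
    ":FORWARD ACCEPT [0:0]",
    ":OUTPUT ACCEPT [61:9044]",
    "-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT",
]
TAIL = [
    "-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 27017 "
    "-j REJECT --reject-with icmp-host-prohibited",
    "-A FORWARD -j REJECT --reject-with icmp-host-prohibited",
    "COMMIT",
]
RULESET = "\n".join(HEAD + [ACCEPT_1521, REJECT_1521] + TAIL)
# Same rules, but the REJECT for 1521 now precedes the whitelist ACCEPT.
SWAPPED = "\n".join(HEAD + [REJECT_1521, ACCEPT_1521] + TAIL)


def parse_filter_table(text):
    """Return (policies, rules): chain -> default policy, plus the rules in
    file order as dicts with keys chain, proto, src, dport, target."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            tok = shlex.split(line)
            rule = {"chain": tok[1], "proto": None, "src": None,
                    "dport": None, "target": None}
            i = 2
            while i < len(tok):
                opt = tok[i]
                if opt == "-p":
                    rule["proto"] = tok[i + 1]
                    i += 2
                elif opt in ("-s", "--source"):  # -s is the short form of --source
                    rule["src"] = ipaddress.ip_network(tok[i + 1], strict=False)
                    i += 2
                elif opt == "--dport":
                    rule["dport"] = int(tok[i + 1])
                    i += 2
                elif opt == "-j":
                    rule["target"] = tok[i + 1]
                    i += 2
                else:
                    # -m conntrack, --ctstate NEW, -m tcp, --reject-with ...:
                    # not modeled here, every packet is assumed to be a NEW TCP flow
                    i += 1
            rules.append(rule)
    return policies, rules


def decide(policies, rules, src_ip, dport, chain="INPUT", proto="tcp"):
    """Walk the chain top to bottom; the first rule whose matches all hold
    decides. No match means the chain's default policy applies."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["chain"] != chain:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["src"] is not None and src not in r["src"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["target"]
    return policies[chain] + " (policy)"


def verdict(ruleset_text, src_ip, dport):
    """Convenience wrapper: parse the saved table and evaluate one packet."""
    policies, rules = parse_filter_table(ruleset_text)
    return decide(policies, rules, src_ip, dport)


if __name__ == "__main__":
    probes = [("203.0.113.10", 1521), ("198.51.100.7", 1521),
              ("198.51.100.7", 27017), ("198.51.100.7", 3306)]
    for src, port in probes:
        print(f"{src} -> :{port}  as saved: {verdict(RULESET, src, port):<16}"
              f" swapped: {verdict(SWAPPED, src, port)}")
```

Running it shows the whitelisted host reaching 1521 while any other source is rejected, 27017 rejected for everyone, and a port the file never mentions (3306 here) falling through to the INPUT policy and being accepted; in the swapped copy the whitelisted host is rejected too, because the REJECT now matches first.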