
iptables 必须先拒绝所有，再允许（使用 -I 插入规则时的命令顺序）

2016-09-20 11:44 176 查看
<pre name="code" class="html">[root@wx02 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue Sep 20 11:18:45 2016
*filter
# Starting point: the filter table holds no rules and all three built-in
# chains keep the default policy ACCEPT, so every inbound packet is accepted.
# The bracketed [packets:bytes] values are the chain counters at save time.
:INPUT ACCEPT [100:5792]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [104:8990]
COMMIT
# Completed on Tue Sep 20 11:18:45 2016

先允许，再拒绝（错误顺序：-I 每次都插到链首，后执行的 DROP 会排在 ACCEPT 之前，可信 IP 也会被拦下）
# Rules are evaluated top-down, first match wins, and `-I` inserts each new
# rule at the TOP of the chain. Running the ACCEPT first and the DROP second
# therefore leaves INPUT as: 1) DROP tcp/22 from anywhere, 2) ACCEPT tcp/22
# from 115.236.6.6. Rule 2 is never reached, so the trusted host is locked
# out of SSH too. (With `-A`, append, this command order would be correct.)
iptables -I INPUT -s 115.236.6.6 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -j DROP

# service iptables save
3.重启防火墙
#service iptables restart

先拒绝所有，再允许（正确顺序：后执行的 ACCEPT 被 -I 插到 DROP 之前，按先匹配优先生效）

[root@wx02 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue Sep 20 11:39:10 2016
*filter
:INPUT ACCEPT [293:18238]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [231:19319]
# Intended order: the host-specific ACCEPT precedes the catch-all DROP, so
# 115.236.6.6 matches rule 1 and every other source falls through to rule 2.
# (Inserting DROP first and ACCEPT second with -I yields this; iptables-save
# always prints the resulting chain as -A lines.)
-A INPUT -s 115.236.6.6/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
# NOTE: only tcp/22 is restricted. INPUT's policy is still ACCEPT, so every
# other port stays reachable from any source.
COMMIT
# Completed on Tue Sep 20 11:39:10 2016

[root@wx02 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  115.236.6.6       anywhere            tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@wx02 ~]#



                                            