To ensure the security of cloud servers, IP access can be restricted. This operation can resist malicious scanning, brute-force cracking and DDoS attacks. Allow access to the IP address range through precise control to avoid unauthorized access. The following text analyzes the implementation methods of the Linux/Windows system layer, the security groups of mainstream cloud platforms, and the automated management tools.
1. System-level IP restriction: Precise control by the firewall
Rule-based dynamic filtering in Linux iptables. iptables is a firewall tool integrated into the Linux kernel, supporting multi-dimensional filtering by IP, port, protocol, etc. Allow specific IP addresses to access SSH (Port 22) :
iptables A INPUT p tcp dport 22 s 192.168.1.100 j ACCEPT
iptables A INPUT p tcp dport 22 j DROP Other ips are prohibited from accessingBatch addition of IP segments (CIDR notation) :
iptables A INPUT p tcp dport 80 s 203.0.113.0/24 j ACCEPTSave and restore rules:
Save rules in iptablessave > /etc/iptables/rules.v4
iptablesrestore < /etc/iptables/rules.v4 restore after restartGraphical integration with PowerShell in Windows Firewall. Windows can restrict IP through advanced security firewalls or PowerShell scripts. Graphical interface operation: Open "Advanced Security Windows Defender Firewall"; To create inbound rules, select "Custom" → "All Programs" → "TCP-Specific Port"; Add the allowed remote IP addresses on the "Scope" page. Batch configuration of PowerShell:
powershell
NewNetFirewallRule DisplayName "AllowWeb" Direction Inbound
Protocol TCP LocalPort 80 RemoteAddress 192.168.1.100, 203.0.113.0/24
Action Allow2.Cloud Platform Security Group: Centralized Access Control
The security group is a virtual firewall provided by the cloud service provider, supporting unified management across instances. AWS Security Group Configuration (Example) Setting inbound rules via AWS CLI or console:
aws ec2 authorizesecuritygroupingress \
groupid sg0a1b2c3d4e5f6g7h8 \
protocol tcp \
port 443 \
cidr 203.0.113.5/323. Dynamic IP Management
The dynamic IP whitelist update Shell script is suitable for scenarios where IP frequently changes (such as home broadband) :
! /bin/
ALLOW_IP=$(curl s https://api.ipify.org) gets the current public IP address
Clear the old rules in iptables F INPUT (operate with caution!)
iptables A INPUT p tcp dport 22 s $ALLOW_IP j ACCEPT
iptables A INPUT p tcp dport 22 j DROPFail2ban automatically blocks malicious ips and combines log analysis to automatically shield attack sources. Installation and Configuration:
sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.localEdit jails.local:
ini
[sshd]
enabled = true
maxretry = 3. Ban after three failures
bantime = 1h
findtime = 10mFurther restrict access at the application layer by combining Nginx's IP filtering:
nginx
location /admin {
allow 192.168.1.100;
allow 203.0.113.0/24;
deny all;
proxy_pass http://backend;
}Database IP whitelist (MySQL example), restricting remote login to only specific ips:
sql
CREATE USER 'user'@'192.168.1.100' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON db. TO 'user'@'192.168.1.100';
FLUSH PRIVILEGES;Kubernetes NetworkPolicy, defining network policies for Pods:
yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allowspecificip
spec:
podSelector:
matchLabels:
app: web
policyTypes:
Ingress
ingress:
from:
ipBlock:
cidr: 192.168.1.100/32
5. Verification and Monitoring: Ensure the effectiveness of the strategy
Port scan testing, using nmap or telnet to verify port accessibility:
nmap p 22 203.0.113.5 scans port 22 of the target server
telnet 203.0.113.5 80 tests the connectivity of port 80Real-time traffic monitoring
iftop: Sort traffic in real time by IP
sudo iftop i eth0 f "src host 192.168.1.100"
tcpdump: Captures data packets from a specific IP address
tcpdump i eth0 host 192.168.1.100 and port 22
Log auditing: For viewing iptables logs:
tail f /var/log/syslog | grep "iptables"Cloud platform traffic log
AWS VPC flow logs, Alibaba Cloud traffic images, etc.
Vi. Best Practices and Pitfall Avoidance Guide
Some principles should be followed in the process of setting IP restrictions. For example, based on the principle of least privilege, only necessary ports are opened and all inbound traffic is rejected by default. Multi-factor Authentication (MFA), IP restrictions combined with MFA to enhance security; Back up the configuration. Before modifying the firewall or security group, back up the existing rules. Release in a gray-scale manner and gradually apply the new rules to avoid mistakenly blocking legitimate ips. Regular audits, monthly reviews of the IP whitelist, and deletion of invalid entries.
Nowadays, enterprises can build a defense system in depth at multiple levels of IP in the system layer, network layer and application layer. Help enterprises reduce attack risks by over 70%. In practical applications, everyone can flexibly adjust strategies to balance security and availability.
