Linux平台实现简单的IP白名单策略

/etc/hosts.allow与/etc/hosts.deny的判定机制

1. 读取/etc/hosts.allow文件，从上到下读取：
   • 如果守护程序-客户端对与文件中的第一行匹配，则授予访问权限；
   • 如果该行不匹配，则读取下一行并执行相同的检查；
   • 如果读取了所有行，但没有匹配，则从顶部开始读取/etc/hosts.deny文件；
2. 从上到下读取/etc/hosts.deny文件：
   • 如果在hosts.deny文件中找到守护程序-客户端对匹配，则拒绝访问；
   • 如果在两个文件中都找不到守护程序-客户端对的规则，或者如果两个文件都不存在，则授予对服务的访问权限。

白名单的配置策略

根据判定机制，配置策略可以是：在hosts.allow中配置IP白名单（逗号隔开），在hosts.deny中配置禁用所有IP（ALL）：

# /etc/hosts.allow: list of hosts that are allowed to access the system.
#                   See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: LOCAL @some_netgroup
#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.

ALL: IP地址白名单（xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx）

# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#                  See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: some.host.name, .some.domain
#             ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID

ALL: ALL

或者使用EXCEPT命令仅配置hosts.deny：

ALL: ALL EXCEPT IP地址白名单（xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx）