How should the iptables port whitelist be set to take effect?

  linux, question

I set ports 80 and 443 to only allow access from whitelisted IPs, but found it useless: in fact, any IP can access them. Then I tested deleting the port 80 INPUT rule, and I could still access it. Clearly there is -A INPUT -j DROP. But blocking a single IP did take effect: -A INPUT -s 120.26.72.89/32 -j DROP.

-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-N whitelist
-A whitelist -s 103.21.244.0/22 -j ACCEPT
-A whitelist -s 103.22.200.0/22 -j ACCEPT
-A whitelist -s 103.31.4.0/22 -j ACCEPT
-A whitelist -s 104.16.0.0/12 -j ACCEPT
-A whitelist -s 108.162.192.0/18 -j ACCEPT
-A whitelist -s 131.0.72.0/22 -j ACCEPT
-A whitelist -s 141.101.64.0/18 -j ACCEPT
-A whitelist -s 162.158.0.0/15 -j ACCEPT
-A whitelist -s 172.64.0.0/13 -j ACCEPT
-A whitelist -s 173.245.48.0/20 -j ACCEPT
-A whitelist -s 188.114.96.0/20 -j ACCEPT
-A whitelist -s 190.93.240.0/20 -j ACCEPT
-A whitelist -s 197.234.240.0/22 -j ACCEPT
-A whitelist -s 198.41.128.0/17 -j ACCEPT
-A whitelist -s 199.27.128.0/21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j whitelist
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j whitelist
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT

I won't talk about custom chains, just the ordinary settings. Why not custom chains? Because I'm killing Big Teemo with my roommate (I don't play games, but killing Big Teemo is really fun), and I'm typing this answer in my phone's editor...
Environment:

server ip: 172.0.0.1
client ip: 127.0.0.2

In fact, allowing port 80 through is very simple. Once iptables is enabled, the most troublesome thing is probably allowing FTP in passive mode.

$ iptables -A INPUT -s 127.0.0.2 -p tcp --dport 80 -j ACCEPT
$ iptables -A OUTPUT -d 127.0.0.2 -p tcp --sport 80 -j ACCEPT

Then the traffic will be allowed through. Of course, there must not be a prohibiting rule that matches first! The same is true for custom chains.
Of course, you may need to DROP everything at the end of the firewall before the accept rules mean anything.

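The answer's point is rule order: iptables evaluates a chain top to bottom and the first terminating target wins, and a packet that matches nothing in a custom chain returns to the calling chain and keeps going. The following is an added example, not code from the question or the answer and not iptables itself: a small Python simulator of exactly that first-match walk. It understands only the options used on this page (-i, -s, -p, --dport, --state, -j, -m, -N, -A), refuses anything else so a rule can never silently match more than it should, and evaluates constructed sample packets against the question's layout (two of its whitelist ranges) and against a variant with the blanket DROP placed first. The interface name eth0 is an assumption.

```python
# Added example (not from the question or answer, and not iptables itself):
# a first-match simulator for the filter rules above. It models only rule
# order, user chains with implicit RETURN, and the -i/-s/-p/--dport/--state
# matches used on this page; any other option makes it refuse the ruleset.
import ipaddress
import shlex
from dataclasses import dataclass

BUILTIN = ("INPUT", "FORWARD", "OUTPUT")
TERMINAL = ("ACCEPT", "DROP", "REJECT")

@dataclass
class Packet:
    src: str
    dport: int = 80
    proto: str = "tcp"
    state: str = "NEW"    # conntrack state as -m state sees it
    iface: str = "eth0"   # assumed ingress interface name

def parse_rules(text):
    """Turn iptables-save style lines into {chain: [rule, ...]} in file order."""
    chains = {name: [] for name in BUILTIN}
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if not argv or argv[0] not in ("-A", "-N"):
            continue                        # *filter, :INPUT ..., COMMIT etc.
        if argv[0] == "-N":
            chains.setdefault(argv[1], [])  # declare a user chain
            continue
        rule = {}
        it = iter(argv[2:])
        for tok in it:
            if tok == "-s":
                rule["src"] = ipaddress.ip_network(next(it), strict=False)
            elif tok == "-i":
                rule["iface"] = next(it)
            elif tok == "-p":
                rule["proto"] = next(it)
            elif tok == "--dport":
                rule["dport"] = int(next(it))
            elif tok == "--state":
                rule["state"] = set(next(it).split(","))
            elif tok == "-j":
                rule["target"] = next(it)
            elif tok == "-m":
                next(it)                    # match module name, nothing to test
            else:
                raise ValueError(f"unsupported option {tok!r} in: {line}")
        chains.setdefault(argv[1], []).append(rule)
    return chains

def matches(rule, pkt):
    """Every match present in the rule must hold; absent matches always hold."""
    checks = (
        ("src", lambda v: ipaddress.ip_address(pkt.src) in v),
        ("iface", lambda v: v == pkt.iface),
        ("proto", lambda v: v == pkt.proto),
        ("dport", lambda v: v == pkt.dport),
        ("state", lambda v: pkt.state in v),
    )
    return all(key not in rule or ok(rule[key]) for key, ok in checks)

def verdict(chains, chain, pkt, policy="ACCEPT"):
    """First terminating target wins; a user chain that matches nothing returns
    to its caller (implicit RETURN); the end of a builtin chain gives its policy."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule.get("target")
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        if target in chains:                # jump into a user-defined chain
            result = verdict(chains, target, pkt, policy)
            if result is not None:
                return result
    return policy if chain in BUILTIN else None

def check(rules_text, src, dport=80, state="NEW"):
    """INPUT verdict for a TCP packet from src to dport under rules_text."""
    pkt = Packet(src=src, dport=dport, state=state)
    return verdict(parse_rules(rules_text), "INPUT", pkt)

# Constructed sample: the question's layout with two of its whitelist ranges.
QUESTION_RULES = """
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-N whitelist
-A whitelist -s 103.21.244.0/22 -j ACCEPT
-A whitelist -s 172.64.0.0/13 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j whitelist
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j whitelist
-A INPUT -j DROP
"""

# Constructed counter-example: the blanket DROP placed before the whitelist jump.
DROP_FIRST_RULES = """
-A INPUT -j DROP
-N whitelist
-A whitelist -s 103.21.244.0/22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j whitelist
"""

if __name__ == "__main__":
    for src in ("103.21.244.10", "8.8.8.8"):
        print(src, check(QUESTION_RULES, src), check(DROP_FIRST_RULES, src))
```

Run as written, it reports that the question's ordering accepts a new port 80 connection from 103.21.244.10 and drops one from 8.8.8.8, while the DROP-first variant drops both, which is the ordering mistake the answer warns about. Because lines it does not recognise (*filter, :INPUT policy lines, COMMIT) are skipped, you can also paste the output of iptables-save into it; an unsupported option raises an error rather than being ignored. If the simulator says DROP but the real host still accepts the connection, the rules most likely are not loaded at all, and the thing to compare is the live table from iptables -L INPUT -n -v --line-numbers, whose packet counters show whether a rule is matching anything.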