Combine vsftpd with TCP wrappers to meet this requirement.
/etc/hosts.allow defines the allowed addresses.
/etc/hosts.deny defines the denied source addresses.
As follows:
/etc/hosts.allow
[root@BJFS-PIM root.adminssh]# cat /etc/hosts.allow
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
vsftpd :123.103.47.0/255.255.255.0 218.240.63.0/255.255.255.0 59.46.172.0/255.255.255.0 10.0.0.0/255.0.0.0 60.2.80.0/255.255.255.0 218.249.230.0/255.255.255.0 160.10.0.0/255.255.0.0 218.246.69.0/255.255.255.0 125.35.3.0/255.255.255.0:allow
/etc/hosts.deny is as follows:
# hosts.deny This file describes the names of the hosts which are
# not allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
vsftpd : ALL : DENY
Add tcp_wrappers=yes to /etc/vsftpd/vsftpd.conf:
vi /etc/vsftpd/vsftpd.conf
tcp_wrappers=YES
Restart vsftpd:
[root@home vsftpd]# /sbin/service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
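
To check which clients the two rule lines above actually admit, the following Python sketch models the TCP wrappers lookup order: hosts.allow is consulted first, then hosts.deny, the first matching rule decides, and access is granted when nothing matches. It is an added example, not part of the original post; it covers only the net/mask and ALL patterns used above, and the function names and test addresses are assumptions made for illustration.

```python
import ipaddress

# Rule lines copied from the two files shown above (comment lines omitted).
HOSTS_ALLOW = (
    "vsftpd :123.103.47.0/255.255.255.0 218.240.63.0/255.255.255.0 "
    "59.46.172.0/255.255.255.0 10.0.0.0/255.0.0.0 60.2.80.0/255.255.255.0 "
    "218.249.230.0/255.255.255.0 160.10.0.0/255.255.0.0 "
    "218.246.69.0/255.255.255.0 125.35.3.0/255.255.255.0:allow"
)
HOSTS_DENY = "vsftpd : ALL : DENY"

def parse(text):
    """Yield (daemons, client patterns, option) for every rule line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]  # IPv4-only model
        option = fields[2].lower() if len(fields) > 2 else ""
        yield fields[0].replace(",", " ").split(), fields[1].replace(",", " ").split(), option

def client_matches(pattern, addr):
    if pattern.upper() == "ALL":
        return True
    net, _, mask = pattern.partition("/")
    if not mask:
        return net == str(addr)  # plain address: exact match only
    # net/mask pattern: matches when (client AND mask) equals net
    return (int(addr) & int(ipaddress.IPv4Address(mask))) == int(ipaddress.IPv4Address(net))

def first_match(text, daemon, addr):
    """Option of the first rule matching daemon and client, or None."""
    for daemons, clients, option in parse(text):
        daemon_ok = any(d.upper() == "ALL" or d == daemon for d in daemons)
        if daemon_ok and any(client_matches(c, addr) for c in clients):
            return option
    return None

def verdict(client_ip, daemon="vsftpd", allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    addr = ipaddress.IPv4Address(client_ip)
    option = first_match(allow, daemon, addr)   # hosts.allow is consulted first
    if option is not None:
        return "deny" if option == "deny" else "allow"
    option = first_match(deny, daemon, addr)    # then hosts.deny
    if option is not None:
        return "allow" if option == "allow" else "deny"
    return "allow"  # no rule in either file matched: access is granted
```

On the server itself, tcpdmatch vsftpd followed by a client address runs the same check against the live files.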