CentOS 7 iptables rules are not persistent after a reboot

elp*_*ado 11 linux iptables centos

I installed a minimal CentOS 7 on a development server to virtualize some Linux guests with kvm/qemu.

To use iptables instead of firewalld I installed iptables-services and did the following:

systemctl stop firewalld
systemctl mask firewalld
systemctl enable iptables
systemctl start iptables

by editing /etc/sysconfig/selinux.

My rules for iptables are as follows:

iptables -Z
iptables -F
iptables -X
iptables -t nat -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -A POSTROUTING -o enp6s0 -j MASQUERADE
iptables -A FORWARD -i enp6s0 -o virbr0 -j ACCEPT

Now I save my settings with the following command:

iptables-save > /etc/sysconfig/iptables

My iptables file looks like this:

# Generated by iptables-save v1.4.21 on Thu Aug 20 10:46:40 2015
*mangle
:PREROUTING ACCEPT [16736:10889078]
:INPUT ACCEPT [1063:106860]
:FORWARD ACCEPT [15679:10784186]
:OUTPUT ACCEPT [570:71275]
:POSTROUTING ACCEPT [15728:10809742]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Thu Aug 20 10:46:40 2015
# Generated by iptables-save v1.4.21 on Thu Aug 20 10:46:40 2015
*filter
:INPUT ACCEPT [868:81772]
:FORWARD ACCEPT [8328:7311589]
:OUTPUT ACCEPT [233:32016]
-A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
COMMIT
# Completed on Thu Aug 20 10:46:40 2015
# Generated by iptables-save v1.4.21 on Thu Aug 20 10:46:40 2015
*nat
:PREROUTING ACCEPT [1308:86998]
:INPUT ACCEPT [77:12475]
:OUTPUT ACCEPT [1:72]
:POSTROUTING ACCEPT [1228:74319]
-A POSTROUTING -o enp6s0 -j MASQUERADE
COMMIT
# Completed on Thu Aug 20 10:46:40 2015

A quick check whether my rules are now correct:

[root@dev1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

But after rebooting the server, the iptables rules look like this:

[root@dev1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.0.1.0/24          ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.0.1.0/24          anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

I don't understand where the other rules come from.

When I call iptables-restore -c /etc/sysconfig/iptables, the expected rules show up.

It seems the saved rules are not loaded at boot, or the "default" rules are not flushed, or something like that.

What is wrong here??? My hair is slowly turning grey...


Thanks for the quick replies :)

As mentioned above, I have iptables-services installed:

[root@dev1 ~]# rpm -aq iptables-services
iptables-services-1.4.21-13.el7.x86_64

Enabling the service with systemctl enable iptables.service instead of systemctl enable iptables seems to make no difference, since the same service file gets linked:

[root@dev1 ~]# systemctl disable iptables
rm '/etc/systemd/system/basic.target.wants/iptables.service'
[root@dev1 ~]# systemctl enable iptables.service
ln -s '/usr/lib/systemd/system/iptables.service' '/etc/systemd/system/basic.target.wants/iptables.service'

Here is the content of the iptables file after calling /usr/libexec/iptables/iptables.init save:

[root@develcluster1 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Fri Aug 21 14:34:04 2015
*nat
:PREROUTING ACCEPT [351490:22546787]
:INPUT ACCEPT [15751:2400243]
:OUTPUT ACCEPT [324:21186]
:POSTROUTING ACCEPT [304860:18293418]
-A POSTROUTING -o enp6s0 -j MASQUERADE
COMMIT
# Completed on Fri Aug 21 14:34:04 2015
# Generated by iptables-save v1.4.21 on Fri Aug 21 14:34:04 2015
*filter
:INPUT ACCEPT [505048:69178501]
:FORWARD ACCEPT [55815086:22035726185]
:OUTPUT ACCEPT [325986:56595531]
-A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
COMMIT
# Completed on Fri Aug 21 14:34:04 2015
# Generated by iptables-save v1.4.21 on Fri Aug 21 14:34:04 2015
*mangle
:PREROUTING ACCEPT [109215513:66867793592]
:INPUT ACCEPT [505243:69203589]
:FORWARD ACCEPT [108710264:66798590873]
:OUTPUT ACCEPT [326323:56634790]
:POSTROUTING ACCEPT [109036066:66855179944]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Fri Aug 21 14:34:04 2015

After a reboot, iptables -L does not show my saved rules:

[root@dev1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.0.1.0/24          ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.0.1.0/24          anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

Maybe I'm doing something fundamentally wrong. But every thread I've read does it exactly this way, and it should just work.

If you need more information, let me know.

In the meantime I'm helping myself with a small script that I have to call after every reboot.

#!/bin/sh

iptables -Z
iptables -F
iptables -X
iptables -t nat -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -A POSTROUTING -o enp6s0 -j MASQUERADE
iptables -A FORWARD -i enp6s0 -o virbr0 -j ACCEPT

iptables --flush
iptables-restore -c /etc/sysconfig/iptables

Not sexy, but it works so far. It can't be the final solution, though.
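The question compares the saved file with `iptables -L` output by eye. The script below is an added example, not part of the original post or of iptables-services: it normalizes two dumps in `iptables-save` format (comments, COMMIT lines and the `[packets:bytes]` counters stripped, every line prefixed with its table) and reports which rules exist only in the kernel and which exist only on disk. The two sample dumps are constructed here: `saved.rules` is the nat and filter part of the file shown above; `live.rules` is a constructed post-reboot dump carrying the same rules plus four INPUT rules matching the `udp/tcp dpt:domain` and `dpt:bootps` lines in the post-reboot listing (`iptables -L` hides the interface, so none is assumed). On a real host you would run `iptables-save > /tmp/live.rules` and compare that against `/etc/sysconfig/iptables`.

```shell
#!/bin/sh
# Added example: compare the ruleset saved on disk with what the kernel is
# actually running. Both inputs must be in iptables-save format.
set -eu

# Normalize an iptables-save dump: drop comments, COMMIT lines and the
# [packets:bytes] counters (also the leading counters of "iptables-save -c"),
# and prefix every chain policy and rule with its table so that lines from
# *filter, *nat and *mangle cannot collide. Output is sorted, so the later
# comparison is order-insensitive (a set difference, not a rule-order check).
normalize_ruleset() {
    awk '
        /^#/ || /^COMMIT/ { next }
        /^\*/ { table = substr($0, 2); next }
        /^:/  { sub(/ \[[0-9]+:[0-9]+\]$/, ""); print table, $0; next }
        /^\[/ { sub(/^\[[0-9]+:[0-9]+\] /, "") }
        /^-A/ { print table, $0 }
    ' "$1" | LC_ALL=C sort
}

# Print the differences between the saved file ($1) and the live dump ($2):
# "+ " marks rules present only in the kernel (loaded by something other than
# the saved file), "- " marks rules saved on disk but not loaded.
# Prints nothing when both agree.
diff_rulesets() {
    saved_n=$(mktemp) live_n=$(mktemp)
    normalize_ruleset "$1" > "$saved_n"
    normalize_ruleset "$2" > "$live_n"
    LC_ALL=C comm -13 "$saved_n" "$live_n" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$saved_n" "$live_n" | sed 's/^/- /'
    rm -f "$saved_n" "$live_n"
}

# Exit status 0 when saved and live rulesets agree, 1 otherwise.
rulesets_match() {
    [ -z "$(diff_rulesets "$1" "$2")" ]
}

# Constructed sample inputs, written into directory $1.
# saved.rules: the nat and filter tables from the saved file in the question.
# live.rules: constructed post-reboot state, same rules plus four INPUT rules
# (DNS and DHCP server ports) that were not in the saved file.
write_samples() {
    cat > "$1/saved.rules" <<'EOF'
# Generated by iptables-save v1.4.21 on Fri Aug 21 14:34:04 2015
*nat
:PREROUTING ACCEPT [351490:22546787]
:INPUT ACCEPT [15751:2400243]
:OUTPUT ACCEPT [324:21186]
:POSTROUTING ACCEPT [304860:18293418]
-A POSTROUTING -o enp6s0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [505048:69178501]
:FORWARD ACCEPT [55815086:22035726185]
:OUTPUT ACCEPT [325986:56595531]
-A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
COMMIT
EOF
    cat > "$1/live.rules" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp6s0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
COMMIT
EOF
}

# Demo on the constructed samples. On a real host:
#   iptables-save > /tmp/live.rules
#   diff_rulesets /etc/sysconfig/iptables /tmp/live.rules
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
diff_rulesets "$demo_dir/saved.rules" "$demo_dir/live.rules"
rm -rf "$demo_dir"
```

On the constructed samples the output is four `+ filter -A INPUT ...` lines and nothing else, i.e. everything that was saved is loaded, and the surplus rules came from somewhere other than /etc/sysconfig/iptables. Because the comparison is a set difference, it will not flag two rulesets that contain the same rules in a different order; read the `+` lines in the live dump's original order if ordering matters.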

Hen*_*gel 14

I think you need to enable the service with:

systemctl enable iptables.service

and you need to run the iptables init script to save your rules, like this:

/usr/libexec/iptables/iptables.init save


Gen*_*ene 5

Make sure you have the iptables-services package installed:

rpm -aq iptables-services

If it is not installed:

yum install iptables-services

Then you can control it with the service command, just like on previous versions of CentOS:

service iptables save

The save, stop, start and restart commands will all work, and it should load at boot.

  • If you have a question specific to CentOS 7 and AWS, you should post a brand-new question rather than commenting on an unrelated answer. I don't know which packages Amazon keeps in their repositories, but I can tell you that `iptables-services` is available in the standard CentOS 7 repositories. (2 upvotes)