I installed a minimal CentOS 7 on a development server to virtualize some Linux guests with KVM/qemu.
To use iptables instead of firewalld, I installed iptables-services and ran:

systemctl stop firewalld
systemctl mask firewalld
systemctl enable iptables
systemctl start iptables
SELinux is disabled by editing /etc/sysconfig/selinux.
My iptables rules are as follows:

iptables -Z
iptables -F
iptables -X
iptables -t nat -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -A POSTROUTING -o enp6s0 -j MASQUERADE
iptables -A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
Now I save my settings with:
iptables-save > /etc/sysconfig/iptables
My iptables file looks like this:

# Generated by iptables-save v1.4.21 on Thu Aug 20 10:46:40 2015
*mangle
:PREROUTING ACCEPT [16736:10889078]
:INPUT ACCEPT [1063:106860]
:FORWARD ACCEPT [15679:10784186]
:OUTPUT ACCEPT [570:71275]
:POSTROUTING ACCEPT [15728:10809742]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Thu Aug 20 10:46:40 2015
# Generated by iptables-save v1.4.21 on Thu Aug 20 10:46:40 2015
*filter
:INPUT ACCEPT [868:81772]
:FORWARD ACCEPT [8328:7311589]
:OUTPUT ACCEPT [233:32016]
-A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
COMMIT
# Completed on Thu Aug 20 10:46:40 2015
# Generated by iptables-save v1.4.21 on Thu Aug 20 10:46:40 2015
*nat
:PREROUTING ACCEPT [1308:86998]
:INPUT ACCEPT [77:12475]
:OUTPUT ACCEPT [1:72]
:POSTROUTING ACCEPT [1228:74319]
-A POSTROUTING -o enp6s0 -j MASQUERADE
COMMIT
# Completed on Thu Aug 20 10:46:40 2015
A quick check that my rules are currently correct:

[root@dev1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
But after rebooting the server, the iptables rules look like this:

[root@dev1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             10.0.1.0/24          ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.0.1.0/24          anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
I don't understand where the other rules come from.
When I call iptables-restore -c /etc/sysconfig/iptables, the expected rules are shown.
It seems the saved rules are not loaded at boot, and the "default" rules, or whatever they are, are not flushed.
What is wrong here??? I'm slowly going grey...
As mentioned above, iptables-services is installed:

[root@dev1 ~]# rpm -aq iptables-services
iptables-services-1.4.21-13.el7.x86_64
Enabling the service with systemctl enable iptables.service instead of systemctl enable iptables doesn't seem to make a difference, since the same service file gets linked:

[root@dev1 ~]# systemctl disable iptables
rm '/etc/systemd/system/basic.target.wants/iptables.service'
[root@dev1 ~]# systemctl enable iptables.service
ln -s '/usr/lib/systemd/system/iptables.service' '/etc/systemd/system/basic.target.wants/iptables.service'
This is the content of the iptables file after calling /usr/libexec/iptables/iptables.init save:

[root@develcluster1 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Fri Aug 21 14:34:04 2015
*nat
:PREROUTING ACCEPT [351490:22546787]
:INPUT ACCEPT [15751:2400243]
:OUTPUT ACCEPT [324:21186]
:POSTROUTING ACCEPT [304860:18293418]
-A POSTROUTING -o enp6s0 -j MASQUERADE
COMMIT
# Completed on Fri Aug 21 14:34:04 2015
# Generated by iptables-save v1.4.21 on Fri Aug 21 14:34:04 2015
*filter
:INPUT ACCEPT [505048:69178501]
:FORWARD ACCEPT [55815086:22035726185]
:OUTPUT ACCEPT [325986:56595531]
-A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
COMMIT
# Completed on Fri Aug 21 14:34:04 2015
# Generated by iptables-save v1.4.21 on Fri Aug 21 14:34:04 2015
*mangle
:PREROUTING ACCEPT [109215513:66867793592]
:INPUT ACCEPT [505243:69203589]
:FORWARD ACCEPT [108710264:66798590873]
:OUTPUT ACCEPT [326323:56634790]
:POSTROUTING ACCEPT [109036066:66855179944]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Fri Aug 21 14:34:04 2015
After a reboot, a call to iptables -L does not show my saved rules:

[root@dev1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             10.0.1.0/24          ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.0.1.0/24          anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
Maybe I'm doing something fundamentally wrong. But every thread I have read does it the same way, and it should work.
If you need more information, let me know.
In the meantime I help myself with a small script that I have to call after every reboot:
#!/bin/sh
iptables -Z
iptables -F
iptables -X
iptables -t nat -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -A POSTROUTING -o enp6s0 -j MASQUERADE
iptables -A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
iptables --flush
iptables-restore -c /etc/sysconfig/iptables
It's not sexy, but it works so far. It can't be the final solution, though.
Solution

I think you need to enable the service:

systemctl enable iptables.service

and you need to run the iptables init script to save your rules, like this:

/usr/libexec/iptables/iptables.init save
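The mismatch the question describes, saved rules on disk versus a different live rule set after boot, is easy to check for mechanically. As an added example (not code from the question or the answer above), this POSIX sh snippet normalizes two iptables-save dumps, stripping counters and comments, and lists the rules that are live but missing from the saved file; the function names and the two sample dumps are constructed here, with the samples mirroring the filter rules shown in the question.

```shell
# Added example: report rules that are live after boot but absent from the saved
# file, so rules another component (e.g. libvirt) injects show up as drift.

# Normalize an iptables-save dump: drop comments, COMMIT lines and the
# [pkts:bytes] counters, prefix each policy/rule with its table, then sort.
normalize_rules() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//' -e 's/^\[[0-9]*:[0-9]*\] //' "$1" |
    awk '/^\*/ { table = $0; next } /^COMMIT$/ { next } { print table " " $0 }' |
    sort
}

# Print rules present in the live dump ($2) that the saved file ($1) lacks.
# On a host: iptables-save > /tmp/live; extra_live_rules /etc/sysconfig/iptables /tmp/live
extra_live_rules() {
    saved_norm=$(mktemp) && live_norm=$(mktemp) || return 1
    normalize_rules "$1" > "$saved_norm"
    normalize_rules "$2" > "$live_norm"
    # -Fxv -f: lines of the live set with no exact counterpart in the saved set
    grep -Fxv -f "$saved_norm" "$live_norm"
    rm -f "$saved_norm" "$live_norm"
}

# Constructed sample of the saved file, mirroring the filter rules in the question.
sample_saved() {
cat <<'EOF'
# Generated by iptables-save v1.4.21 on Thu Aug 20 10:46:40 2015
*filter
:INPUT ACCEPT [868:81772]
:FORWARD ACCEPT [8328:7311589]
-A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
COMMIT
EOF
}

# Constructed sample of the live rule set after boot, with libvirt-style extras.
sample_live() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 10.0.1.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.1.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
COMMIT
EOF
}
```

Running extra_live_rules on the two samples prints the three libvirt-style rules and not the FORWARD rule that both sides share; an empty result after boot means the saved file and the live rule set agree.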