My old Debian firewall died, and I am migrating the saved rules to Ubuntu this way:
iptables-restore < 防火墙配置
I get this error:
Bad argument `192.168.1.0/255.255.255.0'
Error occurred at line: 18
Line 18 of the file is:
-A POSTROUTING -s ! 192.168.1.0/255.255.255.0 -j MASQUERADE
What is wrong?
Edit:
To make the question more complete, here is the firewall rules backup made with iptables-save on Debian:
# Generated by iptables-save v1.3.6 on Tue Sep 14 11:21:30 2010
*mangle
:PREROUTING ACCEPT [11666894:3426002549]
:INPUT ACCEPT [3992541:2783596820]
:FORWARD ACCEPT [7601705:635682622]
:OUTPUT ACCEPT [3786217:2807778972]
:POSTROUTING ACCEPT [4294041:3102897533]
COMMIT
# Completed on Tue Sep 14 11:21:30 2010
# Generated by iptables-save v1.3.6 on Tue Sep 14 11:21:30 2010
*nat
:PREROUTING ACCEPT [7593900:393423684]
:POSTROUTING ACCEPT [27503:1709683]
:OUTPUT ACCEPT [92965:5762818]
-A PREROUTING -p tcp -m tcp --dport 23 -j DNAT --to-destination 172.0.0.1:23
-A PREROUTING -s x.y.0.0/255.255.0.0 -p tcp -m tcp --dport 222 -j DNAT --to-destination 172.0.0.2:22
-A POSTROUTING -s 172.0.0.2 -j ACCEPT
-A POSTROUTING -s ! 192.168.1.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Tue Sep 14 11:21:30 2010
# Generated by iptables-save v1.3.6 on Tue Sep 14 11:21:30 2010
*filter
:INPUT DROP [5448:597666]
:FORWARD DROP [175410:8444546]
:OUTPUT ACCEPT [3785918:2807753497]
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 172.0.0.121 -j ACCEPT
-A INPUT -s 172.0.0.121 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 4445 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 8085 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 23 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8988 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -d 172.0.0.121 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 143 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 20 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 172.0.0.123 -p tcp -m tcp --dport 8999 -j ACCEPT
-A FORWARD -s 172.0.0.123 -p tcp -m tcp --dport 12177 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 8085 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 23 -j ACCEPT
-A FORWARD -s 172.0.0.187 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5573 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5574 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5500 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5540 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5553 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5557 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 443 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 172.0.0.2 -j ACCEPT
-A FORWARD -s 192.168.3.0/255.255.255.0 -d 172.0.0.2 -j ACCEPT
-A FORWARD -s 192.168.4.0/255.255.255.0 -d 172.0.0.2 -j ACCEPT
-A FORWARD -s 192.168.5.0/255.255.255.0 -d 172.0.0.2 -j ACCEPT
-A FORWARD -s 192.168.6.0/255.255.255.0 -d 172.0.0.2 -j ACCEPT
-A FORWARD -s 192.168.7.0/255.255.255.0 -d 172.0.0.2 -j ACCEPT
COMMIT
# Completed on Tue Sep 14 11:21:30 2010
Answer 1
Not a great solution, but it does work:
Format and install Debian :)
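
An added example, not part of the question or the answer above: the rejected rule uses the old negation form written by iptables-save v1.3.6 (`-s ! ADDR`), while newer iptables releases expect the `!` before the option (`! -s ADDR`). The sketch below rewrites that form in a saved ruleset; the function names and the file names in the comments are assumptions, and the sample rules are constructed from lines in the dump above.

```shell
#!/bin/sh
# Convert old-style negation ("-s ! ADDR") in an iptables-save dump to the
# form newer iptables expects ("! -s ADDR"). Reads stdin, writes stdout.
# Only rule lines (-A / -I) are touched; table headers, chain policies,
# comments and COMMIT pass through unchanged.
convert_negation() {
    sed -E '/^-[AI] /s/ (--?[A-Za-z][A-Za-z-]*) ! / ! \1 /g'
}

# Count rule lines that still carry the old "-opt ! value" form, so a
# migrated file can be checked before it is loaded.
count_old_negation() {
    grep -Ec '^-[AI] .* --?[A-Za-z][A-Za-z-]* ! ' || true
}

# Constructed sample: a cut-down *nat table using two rules from the dump.
sample_rules() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.0.0.2 -j ACCEPT
-A POSTROUTING -s ! 192.168.1.0/255.255.255.0 -j MASQUERADE
COMMIT
EOF
}

# Typical use (hypothetical file names), run as root on the new host:
#   convert_negation < old.rules > new.rules
#   count_old_negation < new.rules          # expect 0
#   iptables-restore --test < new.rules     # parse only, does not commit
```

Reviewing the converted file by hand before loading it is still worthwhile: a NAT rule whose negation is dropped or misplaced would masquerade the wrong traffic.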