iptables 规则多次应用

tag-icon tag-icon networking 18.04 iptables firewall kvm-virtualization
iptables 规则多次应用

我在新安装的系统上有一组非常简单的 iptables 规则:

$ sudo iptables -L 
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

我使用 /etc/network/if- 文件夹中的脚本加载并保存规则:

#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0


#!/bin/sh
iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.downrules ]; then
   iptables-restore < /etc/iptables.downrules
fi
exit 0

安装 qemu-kvm 后,我的规则进行了调整(根据我从 libvirt 读取的内容),以使我的虚拟机使用网络 - 这一切都很好。

但是,每次我重启主机 PC 时,规则都会通过 qumu-kvm 的完全相同的设置得到丰富。因此,经过几次重启后,我的规则如下所示:

$ cat /etc/iptables.rules 
# Generated by iptables-save v1.6.1 on Wed Oct 24 09:53:26 2018
*nat
:PREROUTING ACCEPT [1:73]
:INPUT ACCEPT [1:73]
:OUTPUT ACCEPT [8:353]
:POSTROUTING ACCEPT [8:353]
[1:40] -A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
[0:0] -A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
[0:0] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
[0:0] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
[0:0] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
[0:0] -A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
[0:0] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
[0:0] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
[0:0] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
[0:0] -A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
[0:0] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
[0:0] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
[0:0] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Oct 24 09:53:26 2018
# Generated by iptables-save v1.6.1 on Wed Oct 24 09:53:26 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [11:506]
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
[36:2484] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[6:1810] -A INPUT -j DROP
[0:0] -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -j DROP
[0:0] -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
[0:0] -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
# Completed on Wed Oct 24 09:53:26 2018
# Generated by iptables-save v1.6.1 on Wed Oct 24 09:53:26 2018
*mangle
:PREROUTING ACCEPT [10:466]
:INPUT ACCEPT [10:466]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11:506]
:POSTROUTING ACCEPT [11:506]
[0:0] -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
[0:0] -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Wed Oct 24 09:53:26 2018

你可以看到很多文件都是多次复制的。如果我不定期清理,你可以想象它会变得非常混乱。

我不想再粘贴很长的控制台输出,但是当我这样做时sudo iptables -vL我可以看到所有这些双打的应用。

问题是为什么会发生这种情况以及如何防止这种情况发生?

答案1

重复规则的积累是因为您在最后保存了它们,然后在系统添加的与 KVM 相关的规则之外重新加载它们。

我建议将该iptables-restore iptables-save方法改为仅使用脚本在启动时加载特定的 iptables 规则。

相关内容