Mysterious iptables rules in CentOS 8

I am seeing the following iptables rules after a system reboot. They are not defined in /etc/sysconfig/iptables.

I cannot figure out where they come from. In fact, the rules defined in /etc/sysconfig/iptables are not even in the table, so they are being left out (see the last section).

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68

I removed firewalld and nftables to debug the problem, but it made no difference. I also disabled iptables.

[root@dan ~]# systemctl status firewalld
Unit firewalld.service could not be found.
[root@dan ~]# systemctl status nftables
Unit nftables.service could not be found.
[root@dan ~]# systemctl status iptables
iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: inactive (dead)

I suspected docker, but it is disabled too.

[root@dan ~]# systemctl status docker
docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: https://docs.docker.com

I also tried to find text matching the rules under /etc, but had no luck.

[root@dan ~]# find /etc -type f -exec grep "192.168.122.0" {} /dev/null \;

If I restart iptables, it loads /etc/sysconfig/iptables correctly, so the problem seems to lie in the startup order.

[root@dan ~]# systemctl restart iptables
[root@dan ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
Any ideas or insights on how to debug this?
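One way to make the stray rules visible is to compare the live ruleset with the persisted file in iptables-save format. The POSIX shell helper below is an added example, not code from the original question; it assumes both inputs are files in iptables-save format, and the sample rulesets are constructed here to mirror the two outputs shown above.

```shell
#!/bin/sh
# unexpected_rules LIVE SAVED
#   LIVE  = iptables-save output of the running kernel ruleset
#   SAVED = the persisted file (e.g. /etc/sysconfig/iptables)
# Prints every "-A ..." rule present in LIVE but absent from SAVED,
# i.e. rules that some other service must have inserted.
unexpected_rules() {
    live="$1"; saved="$2"
    tmp="${TMPDIR:-/tmp}"
    # keep only rule lines, strip trailing whitespace, sort for comm(1)
    grep '^-A ' "$live"  | sed 's/[[:space:]]*$//' | sort -u > "$tmp/live.$$"
    grep '^-A ' "$saved" | sed 's/[[:space:]]*$//' | sort -u > "$tmp/saved.$$"
    # comm -23: lines only in the first (live) input
    comm -23 "$tmp/live.$$" "$tmp/saved.$$"
    rm -f "$tmp/live.$$" "$tmp/saved.$$"
}

# Constructed sample input (not captured from the questioner's host):
# the live set carries the DNS/DHCP and 192.168.122.0/24 rules from the
# first listing, the saved file carries the SSH rule from the second.
live_sample=$(mktemp); saved_sample=$(mktemp)
cat > "$live_sample" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
cat > "$saved_sample" <<'EOF'
*filter
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
unexpected_rules "$live_sample" "$saved_sample"
rm -f "$live_sample" "$saved_sample"
```

On a real host the inputs would be `iptables-save > /tmp/live.rules` and `/etc/sysconfig/iptables`; running the comparison right after boot and again after `systemctl restart iptables` shows which rules the restart replaces.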