假设有几个iptables脚本(在启动时运行),所有这些脚本都运行类似iptables -A ...添加规则的内容。我认为这可以改进,将所有这些 shell 脚本转换为iptables-save.
但我一定做错了什么,试图阅读所有这些规则集。在启动时运行的脚本将循环遍历这些文件并使用iptables-restore.当然用-n或--noflush。这适用于某些规则(存储在默认链中),但不适用于其他链中的大多数规则。下面是两个相互刷新的规则集的示例(读取集 a,检查;读取集 b,检查但集 a 消失)。
你会如何阅读一堆 iptables 规则集?
例子:
$ cat fake1-a.rules
*nat
:PREROUTING ACCEPT [7:997]
:INPUT ACCEPT [7:997]
:OUTPUT ACCEPT [28:1810]
:POSTROUTING ACCEPT [28:1810]
COMMIT
*mangle
:PREROUTING ACCEPT [344:84621]
:INPUT ACCEPT [344:84621]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [296:37971]
:POSTROUTING ACCEPT [296:37971]
COMMIT
*filter
:INPUT ACCEPT [102:26513]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [89:10767]
:TESTCHAIN - [0:0]
-A TESTCHAIN -p tcp -m tcp --dport 12345 -j DROP
COMMIT
$ cat fake1-b.rules
*nat
:PREROUTING ACCEPT [7:997]
:INPUT ACCEPT [7:997]
:OUTPUT ACCEPT [28:1810]
:POSTROUTING ACCEPT [28:1810]
COMMIT
*mangle
:PREROUTING ACCEPT [344:84621]
:INPUT ACCEPT [344:84621]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [296:37971]
:POSTROUTING ACCEPT [296:37971]
COMMIT
*filter
:INPUT ACCEPT [102:26513]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [89:10767]
:TESTCHAIN - [0:0]
-A TESTCHAIN -p tcp -m tcp --dport 54321 -j DROP
COMMIT
# cat fake1-a.rules | iptables-restore --noflush
# iptables -nL | grep DROP
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:12345
# cat fake1-b.rules | iptables-restore --noflush
# iptables -nL | grep DROP
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:54321
答案1
--noflush的选项不适iptables-restore用于用户定义的链,例如TESTCHAIN,仅适用于内置链。最好的选择是将所有TESTCHAIN规则合并到一个文件中,并使用iptables-restore.您可以找到类似以下内容的所有规则:
egrep -r "\sTESTCHAIN\s" firewall_rules_directory/*