Question: After the server reboots, iptables resets to its default settings.
I am trying to set a rule like this:
iptables -I INPUT -p tcp --dport 3000 -j ACCEPT
After that I do:
service iptables save
and it replies with something like:
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
After that I ran (only did this once):
chkconfig iptables on
(I read that this is necessary to restore the settings after a reboot.)
After that I reboot and run the following command:
systemctl list-unit-files | grep iptables
I see that iptables.service is enabled, but the rule (opening port 3000) no longer works.
How can I keep these settings?
Answer 1
CentOS 7 uses FirewallD now! Use the --permanent flag to save the settings.
Example:
firewall-cmd --zone=public --add-port=3000/tcp --permanent
Then reload the rules:
firewall-cmd --reload
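The failure mode behind the question, on the firewalld route: a port added without --permanent exists only in the runtime configuration and is gone after firewall-cmd --reload or a reboot. The script below is an added example, not part of the answer above. It compares the runtime and permanent port lists of a zone as printed by firewall-cmd --list-ports (space-separated port/proto entries, the format it assumes) and reports, or with the fix argument repairs, every port that is open now but not persisted. The check/fix arguments and the helper names runtime_only_ports and persist_port are this example's own.

```shell
#!/bin/sh
# Added example: find firewalld ports opened only at runtime (lost on reboot).
# Assumes the output format of "firewall-cmd --list-ports": space-separated
# entries such as "22/tcp 3000/tcp".

# runtime_only_ports RUNTIME_LIST PERMANENT_LIST
# Prints one line per port/proto present in RUNTIME_LIST but absent from
# PERMANENT_LIST, i.e. every rule that will not survive "firewall-cmd --reload".
runtime_only_ports() {
    runtime=$1
    permanent=$2
    for p in $runtime; do
        found=0
        for q in $permanent; do
            [ "$p" = "$q" ] && found=1
        done
        [ "$found" -eq 1 ] || echo "$p"
    done
    return 0
}

# persist_port ZONE PORT/PROTO: write the port into the permanent config, reload,
# and confirm the reloaded runtime set still contains it.
persist_port() {
    firewall-cmd --permanent --zone="$1" --add-port="$2"
    firewall-cmd --reload
    # --query-port exits 0 only if the port is in the (now reloaded) runtime set
    firewall-cmd --zone="$1" --query-port="$2"
}

# Usage: sh firewalld-drift.sh check [zone]   or   sh firewalld-drift.sh fix [zone]
mode=${1:-}
zone=${2:-public}
if [ -n "$mode" ] && command -v firewall-cmd >/dev/null 2>&1; then
    rt=$(firewall-cmd --zone="$zone" --list-ports)
    pm=$(firewall-cmd --permanent --zone="$zone" --list-ports)
    drift=$(runtime_only_ports "$rt" "$pm")
    if [ -z "$drift" ]; then
        echo "zone $zone: runtime and permanent port lists match"
    elif [ "$mode" = fix ]; then
        for p in $drift; do persist_port "$zone" "$p"; done
    else
        echo "zone $zone: open now but NOT persisted (lost on reload/reboot):"
        echo "$drift"
    fi
fi
```

Run it as root with check after opening a port; if the port is listed, it was added without --permanent and will not come back after a reboot. The fix mode re-adds such ports permanently and reloads, which is the same as what the answer above does by hand.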
Answer 2
Disable firewalld with the following command:
systemctl disable firewalld
Then install iptables-services with the following command:
yum install iptables-services
Then enable iptables as a service:
systemctl enable iptables
Now you can save your iptables rules with the following command:
service iptables save
Answer 3
On CentOS 7 Minimal, you may need to install the iptables-services package (thanks to @RichieACC for the suggestion):
sudo yum install -y iptables-services
Then enable the service with systemd:
sudo systemctl enable iptables.service
And run the initscript to save your firewall rules:
sudo /usr/libexec/iptables/iptables.init save
Answer 4
Maybe a script like this helps someone?
Note that you will lose whatever is currently configured, because it removes firewalld and flushes all current rules in the INPUT table:
yum remove firewalld && yum install iptables-services
iptables --flush INPUT
iptables -A INPUT -i lo -j ACCEPT # loopback is OK (added: local services that talk to 127.0.0.1 break without it)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Any packets related to an existing connection are OK
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT # ssh is OK
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3000 -j ACCEPT # Port 3000 for IPv4 is OK
iptables -A INPUT -j REJECT # any other traffic is not welcome - this should be the last line
service iptables save # Save IPv4 IPTABLES rules from memory to disk
systemctl enable iptables # To make sure the IPv4 rules are reloaded at system startup
I guess you also want this, in case your system is (now or at any time later) reached by IPv6 traffic:
ip6tables --flush INPUT
ip6tables -A INPUT -i lo -j ACCEPT # loopback is OK (added, same reason as for IPv4)
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT # ICMPv6 is OK (added: neighbour discovery runs over ICMPv6, so rejecting it breaks IPv6 entirely)
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Any packets related to an existing connection are OK
ip6tables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT # ssh is OK
ip6tables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3000 -j ACCEPT # Port 3000 for IPv6 is OK
ip6tables -A INPUT -j REJECT # any other traffic is not welcome - this should be the last line
service ip6tables save # Save IPv6 IPTABLES rules from memory to disk
systemctl enable ip6tables # To make sure the IPv6 rules are reloaded at system startup
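Answers 2, 3 and 4 all come down to one procedure: stop firewalld, install iptables-services, get the rules into /etc/sysconfig/iptables (and /etc/sysconfig/ip6tables), and enable the iptables and ip6tables units so those files are restored at boot. The script below is an added example, not code from any of the answers. Instead of editing the live table and hoping service iptables save captured it, it renders the rule set directly in the iptables-save format that iptables-services loads at boot, validates it offline with iptables-restore --test, checks that the file really contains an ACCEPT rule for each port (the missing-after-reboot symptom from the question is exactly a rule that never reached that file), and only then installs the file and enables the unit. The apply argument and the helpers render_rules, rules_open_port and apply_rules are this example's own conventions; the CentOS 7 paths, package and unit names are the real ones.

```shell
#!/bin/sh
# Added example: persist iptables rules on CentOS 7 the way iptables-services
# expects them, and verify before enabling. Helper names are this example's own.
set -e

# render_rules FAMILY PORT...   FAMILY is 4 or 6, PORTs are TCP ports to open.
# Emits a complete filter table in iptables-save syntax (what iptables-services
# restores from /etc/sysconfig/iptables and /etc/sysconfig/ip6tables at boot).
render_rules() {
    family=$1; shift
    echo '*filter'
    echo ':INPUT DROP [0:0]'         # fail closed if the final REJECT is ever removed
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'  # local services talk to themselves over lo
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    if [ "$family" = 6 ]; then
        # IPv6 needs ICMPv6 for neighbour discovery and PMTU; rejecting it kills IPv6
        echo '-A INPUT -p ipv6-icmp -j ACCEPT'
        reject='icmp6-port-unreachable'
    else
        echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
        reject='icmp-port-unreachable'
    fi
    for port in "$@"; do
        echo "-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport $port -j ACCEPT"
    done
    echo "-A INPUT -j REJECT --reject-with $reject"
    echo 'COMMIT'
}

# rules_open_port FILE PORT: succeed only if FILE holds an ACCEPT rule for tcp/PORT.
# Run it against /etc/sysconfig/iptables after saving; if it fails, the rule was
# never persisted and will not be there after a reboot (the symptom in the question).
# The trailing space after the port keeps 3000 from matching 30000.
rules_open_port() {
    grep -Eq -e "^-A INPUT .*-p tcp .*--dport $2 .*-j ACCEPT" "$1"
}

# apply_rules FAMILY PORT...: validate, install the file, enable and load the unit.
# Needs root, iptables-services installed, and firewalld stopped (both manage the
# same kernel tables and fight over them).
apply_rules() {
    family=$1; shift
    if [ "$family" = 6 ]; then
        restore=ip6tables-restore; file=/etc/sysconfig/ip6tables; unit=ip6tables
    else
        restore=iptables-restore; file=/etc/sysconfig/iptables; unit=iptables
    fi
    tmp=$(mktemp)
    render_rules "$family" "$@" > "$tmp"
    "$restore" --test "$tmp"          # parse and check only; running tables untouched
    for port in "$@"; do rules_open_port "$tmp" "$port"; done
    install -m 0600 "$tmp" "$file"
    rm -f "$tmp"
    systemctl enable "$unit"          # restore the file at boot
    systemctl restart "$unit"         # and load it into the kernel right now
}

# Usage (as root): sh persist-iptables.sh apply 22 3000
if [ "${1:-}" = apply ]; then
    shift
    systemctl stop firewalld 2>/dev/null || true
    systemctl disable firewalld 2>/dev/null || true
    systemctl mask firewalld          # keep anything from starting it again
    yum install -y iptables-services
    apply_rules 4 "$@"
    apply_rules 6 "$@"
fi
```

Always include 22 in the port list when you run this over SSH: the rendered table has a DROP policy and a closing REJECT, so a file without the SSH rule locks you out the moment the unit restarts. After a reboot, rules_open_port /etc/sysconfig/iptables 3000 is the quickest way to confirm the rule survived on disk, and iptables -S INPUT confirms it was loaded.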