我在开发服务器上安装了最小版本的 CentOS 7,以便使用 kvm/qemu 虚拟化一些 Linux 客户机。
要使用 iptables 而不是firewalld
I installiptables-service
并执行:
systemctl stop firewalld
systemctl mask firewalld
systemctl enable iptables
systemctl start iptables
通过编辑 可禁用 SELinux /etc/sysconfig/selinux
。
我的 iptables 规则如下:
iptables -Z
iptables -F
iptables -X
iptables -t nat -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -A POSTROUTING -o enp6s0 -j MASQUERADE
iptables -A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
现在我使用以下命令保存我的设置:
iptables-save > /etc/sysconfig/iptables
我的iptables-file
样子:
# Generated by iptables-save v1.4.21 on Thu Aug 20 10:46:40 2015
*mangle
:PREROUTING ACCEPT [16736:10889078]
:INPUT ACCEPT [1063:106860]
:FORWARD ACCEPT [15679:10784186]
:OUTPUT ACCEPT [570:71275]
:POSTROUTING ACCEPT [15728:10809742]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Thu Aug 20 10:46:40 2015
# Generated by iptables-save v1.4.21 on Thu Aug 20 10:46:40 2015
*filter
:INPUT ACCEPT [868:81772]
:FORWARD ACCEPT [8328:7311589]
:OUTPUT ACCEPT [233:32016]
-A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
COMMIT
# Completed on Thu Aug 20 10:46:40 2015
# Generated by iptables-save v1.4.21 on Thu Aug 20 10:46:40 2015
*nat
:PREROUTING ACCEPT [1308:86998]
:INPUT ACCEPT [77:12475]
:OUTPUT ACCEPT [1:72]
:POSTROUTING ACCEPT [1228:74319]
-A POSTROUTING -o enp6s0 -j MASQUERADE
COMMIT
# Completed on Thu Aug 20 10:46:40 2015
快速检查一下我的规则现在是否正确:
[root@dev1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
但重新启动服务器后,iptables 规则如下所示:
[root@dev1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 10.0.1.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 10.0.1.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
我不明白其他规则从何而来。
调用时iptables-restore -c /etc/sysconfig/iptables
显示预期的规则。
似乎保存的规则在启动时没有加载,或者“默认”规则没有被刷新,或者其他什么。
这是什么问题???我的头发慢慢开始变白了……
感谢您的快速回复:)
如上所述,iptables-services 是由我安装的:
[root@dev1 ~]# rpm -aq iptables-services
iptables-services-1.4.21-13.el7.x86_64
systemctl enable iptables.service
使用 而不是 使用 来启用服务systemctl enable iptables
似乎没有什么区别,因为链接的是相同的服务文件:
[root@dev1 ~]# systemctl disable iptables
rm '/etc/systemd/system/basic.target.wants/iptables.service'
[root@dev1 ~]# systemctl enable iptables.service
ln -s '/usr/lib/systemd/system/iptables.service' '/etc/systemd/system/basic.target.wants/iptables.service'
这是调用后 iptables 文件的内容
/usr/libexec/iptables/iptables.init save
[root@develcluster1 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Fri Aug 21 14:34:04 2015
*nat
:PREROUTING ACCEPT [351490:22546787]
:INPUT ACCEPT [15751:2400243]
:OUTPUT ACCEPT [324:21186]
:POSTROUTING ACCEPT [304860:18293418]
-A POSTROUTING -o enp6s0 -j MASQUERADE
COMMIT
# Completed on Fri Aug 21 14:34:04 2015
# Generated by iptables-save v1.4.21 on Fri Aug 21 14:34:04 2015
*filter
:INPUT ACCEPT [505048:69178501]
:FORWARD ACCEPT [55815086:22035726185]
:OUTPUT ACCEPT [325986:56595531]
-A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
COMMIT
# Completed on Fri Aug 21 14:34:04 2015
# Generated by iptables-save v1.4.21 on Fri Aug 21 14:34:04 2015
*mangle
:PREROUTING ACCEPT [109215513:66867793592]
:INPUT ACCEPT [505243:69203589]
:FORWARD ACCEPT [108710264:66798590873]
:OUTPUT ACCEPT [326323:56634790]
:POSTROUTING ACCEPT [109036066:66855179944]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Fri Aug 21 14:34:04 2015
重启后呼叫iptables -L
不显示我保存的规则:
[root@dev1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 10.0.1.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 10.0.1.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
也许我做错了什么。但我读到的每个帖子都是以同样的方式做的,应该可以正常工作。
如果您需要更多信息,请告诉我。
同时,我通过调用每次重启后必须调用的小脚本来帮助我。
#!/bin/sh
iptables -Z
iptables -F
iptables -X
iptables -t nat -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -A POSTROUTING -o enp6s0 -j MASQUERADE
iptables -A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
iptables --flush
iptables-restore -c /etc/sysconfig/iptables
这不是什么好办法,但目前为止还是有效的。但可能不是最终的解决方案。
答案1
我认为您需要通过以下方式启用该服务:
systemctl enable iptables.service
您需要运行 iptables init 脚本来保存您的规则,如下所示:
/usr/libexec/iptables/iptables.init save
答案2
确保您已安装 iptables-services 包:
rpm -aq iptables-services
如果没有安装:
yum install iptables-services
然后,您可以使用服务命令来控制它,就像以前的 CentOS 版本一样:
service iptables save
save
、、、命令均能起作用stop
,并且应在启动时加载。start
restart
答案3
我通过在底部 /etc/rc.d/rc.local 中添加“service iptables stop \ iptables --flush”命令来解决这个问题
我的环境是 Centos 7 KVM,我的问题是 libvirt 会在重新启动时重新填充 iptables - 阻止对我的虚拟机的访问。
答案4
尝试这个:
systemctl stop firewalld
systemctl disable firewalld
systemctl mask --now firewalld
yum -y remove iptables-services
yum -y install iptables-services
systemctl start iptables
systemctl status iptables
echo '# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT' > /etc/sysconfig/iptables
现在在这里执行你的 iptables 规则
iptables-save > /etc/sysconfig/iptables
iptables-restore < /etc/sysconfig/iptables
systemctl restart iptables
systemctl restart iptables
systemctl enable iptables.service