CentOS 7 iptables 在重启后不持久

tag-icon tag-icon linux centos iptables
CentOS 7 iptables 在重启后不持久

我在开发服务器上安装了最小版本的 CentOS 7,以便使用 kvm/qemu 虚拟化一些 Linux 客户机。

要使用 iptables 而不是firewalldI installiptables-service并执行:

systemctl stop firewalld
systemctl mask firewalld
systemctl enable iptables
systemctl start iptables

通过编辑 可禁用 SELinux /etc/sysconfig/selinux

我的 iptables 规则如下:

iptables -Z
iptables -F
iptables -X
iptables -t nat -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -A POSTROUTING -o enp6s0 -j MASQUERADE
iptables -A FORWARD -i enp6s0 -o virbr0 -j ACCEPT

现在我使用以下命令保存我的设置:

iptables-save > /etc/sysconfig/iptables

我的iptables-file样子:

# Generated by iptables-save v1.4.21 on Thu Aug 20 10:46:40 2015
*mangle
:PREROUTING ACCEPT [16736:10889078]
:INPUT ACCEPT [1063:106860]
:FORWARD ACCEPT [15679:10784186]
:OUTPUT ACCEPT [570:71275]
:POSTROUTING ACCEPT [15728:10809742]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Thu Aug 20 10:46:40 2015
# Generated by iptables-save v1.4.21 on Thu Aug 20 10:46:40 2015
*filter
:INPUT ACCEPT [868:81772]
:FORWARD ACCEPT [8328:7311589]
:OUTPUT ACCEPT [233:32016]
-A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
COMMIT
# Completed on Thu Aug 20 10:46:40 2015
# Generated by iptables-save v1.4.21 on Thu Aug 20 10:46:40 2015
*nat
:PREROUTING ACCEPT [1308:86998]
:INPUT ACCEPT [77:12475]
:OUTPUT ACCEPT [1:72]
:POSTROUTING ACCEPT [1228:74319]
-A POSTROUTING -o enp6s0 -j MASQUERADE
COMMIT
# Completed on Thu Aug 20 10:46:40 2015

快速检查一下我的规则现在是否正确:

[root@dev1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

但重新启动服务器后,iptables 规则如下所示:

[root@dev1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.0.1.0/24          ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.0.1.0/24          anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

我不明白其他规则从何而来。

调用时iptables-restore -c /etc/sysconfig/iptables显示预期的规则。

似乎保存的规则在启动时没有加载,或者“默认”规则没有被刷新,或者其他什么。

这是什么问题???我的头发慢慢开始变白了……

感谢您的快速回复:)

如上所述,iptables-services 是由我安装的:

[root@dev1 ~]# rpm -aq iptables-services
iptables-services-1.4.21-13.el7.x86_64

systemctl enable iptables.service使用 而不是 使用 来启用服务systemctl enable iptables似乎没有什么区别,因为链接的是相同的服务文件:

[root@dev1 ~]# systemctl disable iptables
rm '/etc/systemd/system/basic.target.wants/iptables.service'
[root@dev1 ~]# systemctl enable iptables.service
ln -s '/usr/lib/systemd/system/iptables.service' '/etc/systemd/system/basic.target.wants/iptables.service'

这是调用后 iptables 文件的内容 /usr/libexec/iptables/iptables.init save

[root@develcluster1 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Fri Aug 21 14:34:04 2015
*nat
:PREROUTING ACCEPT [351490:22546787]
:INPUT ACCEPT [15751:2400243]
:OUTPUT ACCEPT [324:21186]
:POSTROUTING ACCEPT [304860:18293418]
-A POSTROUTING -o enp6s0 -j MASQUERADE
COMMIT
# Completed on Fri Aug 21 14:34:04 2015
# Generated by iptables-save v1.4.21 on Fri Aug 21 14:34:04 2015
*filter
:INPUT ACCEPT [505048:69178501]
:FORWARD ACCEPT [55815086:22035726185]
:OUTPUT ACCEPT [325986:56595531]
-A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
COMMIT
# Completed on Fri Aug 21 14:34:04 2015
# Generated by iptables-save v1.4.21 on Fri Aug 21 14:34:04 2015
*mangle
:PREROUTING ACCEPT [109215513:66867793592]
:INPUT ACCEPT [505243:69203589]
:FORWARD ACCEPT [108710264:66798590873]
:OUTPUT ACCEPT [326323:56634790]
:POSTROUTING ACCEPT [109036066:66855179944]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Fri Aug 21 14:34:04 2015

重启后呼叫iptables -L不显示我保存的规则:

[root@dev1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.0.1.0/24          ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.0.1.0/24          anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

也许我做错了什么。但我读到的每个帖子都是以同样的方式做的,应该可以正常工作。

如果您需要更多信息,请告诉我。

同时,我通过调用每次重启后必须调用的小脚本来帮助我。

#!/bin/sh

iptables -Z
iptables -F
iptables -X
iptables -t nat -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -A POSTROUTING -o enp6s0 -j MASQUERADE
iptables -A FORWARD -i enp6s0 -o virbr0 -j ACCEPT

iptables --flush
iptables-restore -c /etc/sysconfig/iptables

这不是什么好办法,但目前为止还是有效的。但可能不是最终的解决方案。

答案1

我认为您需要通过以下方式启用该服务:

systemctl enable iptables.service

您需要运行 iptables init 脚本来保存您的规则,如下所示:

/usr/libexec/iptables/iptables.init save

答案2

确保您已安装 iptables-services 包:

rpm -aq iptables-services

如果没有安装:

yum install iptables-services

然后,您可以使用服务命令来控制它,就像以前的 CentOS 版本一样:

service iptables save

save、、、命令均能起作用stop,并且应在启动时加载。startrestart

答案3

我通过在底部 /etc/rc.d/rc.local 中添加“service iptables stop \ iptables --flush”命令来解决这个问题

我的环境是 Centos 7 KVM,我的问题是 libvirt 会在重新启动时重新填充 iptables - 阻止对我的虚拟机的访问。

答案4

尝试这个:

systemctl stop firewalld
systemctl disable firewalld
systemctl mask --now firewalld
yum -y remove iptables-services
yum -y install iptables-services
systemctl start iptables
systemctl status iptables

echo '# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT' > /etc/sysconfig/iptables

现在在这里执行你的 iptables 规则

iptables-save > /etc/sysconfig/iptables
iptables-restore < /etc/sysconfig/iptables
systemctl restart iptables
systemctl restart iptables
systemctl enable iptables.service

相关内容