快速解决

tag-icon tag-icon iptables debian-jessie
快速解决

启动“netfilter 持久性“,则失败,如下所示:

May 10 19:41:53 debian systemd[1]: Starting netfilter persistent configuration...
-- Subject: Unit netfilter-persistent.service has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit netfilter-persistent.service has begun starting up.
May 10 19:41:53 debian netfilter-persistent[3099]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
May 10 19:41:53 debian netfilter-persistent[3099]: run-parts: /usr/share/netfilter-persistent/plugins.d/15-ip4tables exited with return code 2
May 10 19:41:53 debian netfilter-persistent[3099]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
May 10 19:41:53 debian systemd[1]: netfilter-persistent.service: main process exited, code=exited, status=1/FAILURE
May 10 19:41:53 debian systemd[1]: Failed to start netfilter persistent configuration.
-- Subject: Unit netfilter-persistent.service has failed

这是错误输出中引用的以下脚本:

#!/bin/sh

# This file is part of netfilter-persistent
# (was iptables-persistent)
# Copyright (C) 2009, Simon Richter <[email protected]>
# Copyright (C) 2010, 2014 Jonathan Wiltshire <[email protected]>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation, either version 3
# of the License, or (at your option) any later version.

exit 0

set -e

rc=0

load_rules()
{
        #load IPv6 rules
        if [ ! -f /etc/iptables/rules.v6 ]; then
                echo "Warning: skipping IPv6 (no rules to load)"
                exit 0
        else
                ip6tables-restore < /etc/iptables/rules.v6 2> /dev/null
                if [ $? -ne 0 ]; then
                        rc=1
                fi
        fi
}

save_rules()
{
        #save IPv6 rules
        #need at least ip6table_filter loaded:
        /sbin/modprobe -q ip6table_filter
        if [ ! -f /proc/net/ip6_tables_names ]; then
                log_action_cont_msg "Warning: skipping IPv6 (no modules loaded)"
        elif [ -x /sbin/ip6tables-save ]; then
                touch /etc/iptables/rules.v6
                chmod 0640 /etc/iptables/rules.v6
                ip6tables-save > /etc/iptables/rules.v6
                if [ $? -ne 0 ]; then
                        rc=1
                fi
        fi
}

flush_rules()
{
        if [ ! -f /proc/net/ip6_tables_names ]; then
                echo "Warning: skipping IPv6 (no module loaded)"
        elif [ -x /sbin/ip6tables ]; then
                for param in F Z X; do /sbin/ip6tables -$param; done
                for table in $(cat /proc/net/ip6_tables_names)
                do
                        /sbin/ip6tables -t $table -F
                        /sbin/ip6tables -t $table -Z
                        /sbin/ip6tables -t $table -X
                done
                for chain in INPUT FORWARD OUTPUT
                do
                        /sbin/ip6tables -P $chain ACCEPT
                done
        fi
}

case "$1" in
start|restart|reload|force-reload)
        load_rules
        ;;
save)
        save_rules
        ;;
stop)
        # Why? because if stop is used, the firewall gets flushed for a variable
        # amount of time during package upgrades, leaving the machine vulnerable
        # It's also not always desirable to flush during purge
        echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
        ;;
flush)
        flush_rules
        ;;
*)
    echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
    exit 1
    ;;
esac

exit $rc

答案1

快速解决

-j ULOG就我的情况而言,文件中的规则被破坏了/etc/iptables/rules.v4。删除该行并重新运行apt-get upgrade可以解决此问题。

如何调试

错误在这里:

May 10 19:41:53 debian netfilter-persistent[3099]: run-parts: /usr/share/netfilter-persistent/plugins.d/15-ip4tables exited with return code 2

您可以以 root 身份运行它来调试它:

/usr/share/netfilter-persistent/plugins.d/15-ip4tables start

/usr/share/netfilter-persistent/plugins.d/15-ip4tables经过检查,发现这个可疑的错误命令的来源是:

/sbin/iptables-restore < /etc/iptables/rules.v4 2> /dev/null

您也可以单独运行它:

/sbin/iptables-restore -v < /etc/iptables/rules.v4

报告的断行毫无用处,所以我只是在 shell 中用前缀运行这些行iptables来获取有用的东西。例如,对于行

-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT

你可以跑

iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT

答案2

就我而言,该问题仅在启动时出现,只要我手动操作,它就会iptables-restore < /etc/iptables/rules.v4起作用。

因此,为了找出问题所在,我改变了 load_rules 方法以/usr/share/netfilter-persistent/plugins.d/15-ip4tables写入日志文件。

之前的代码:

load_rules()
{
        #load IPv4 rules
        if [ ! -f /etc/iptables/rules.v4 ]; then
                echo "Warning: skipping IPv4 (no rules to load)"
        else
                /sbin/iptables-restore < /etc/iptables/rules.v4 2> /dev/null
                if [ $? -ne 0 ]; then
                        rc=1
                fi
        fi
}

后:

load_rules()
{
        #load IPv4 rules
        if [ ! -f /etc/iptables/rules.v4 ]; then
                echo "Warning: skipping IPv4 (no rules to load)"
        else
                /sbin/iptables-restore -v < /etc/iptables/rules.v4 2>> /var/log/netfilter-debug
                if [ $? -ne 0 ]; then
                        rc=1
                fi
        fi
}

它给我的输出如下/var/log/netfilter-debug

iptables-restore: line 48 failed

这样我就知道该去哪里找了。有趣的是,有问题的行是 COMMIT... 仍在调查这是为什么。

相关内容