Starting netfilter-persistent fails, as shown below:

    May 10 19:41:53 debian systemd[1]: Starting netfilter persistent configuration...
    -- Subject: Unit netfilter-persistent.service has begun with start-up
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit netfilter-persistent.service has begun starting up.
    May 10 19:41:53 debian netfilter-persistent[3099]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
    May 10 19:41:53 debian netfilter-persistent[3099]: run-parts: /usr/share/netfilter-persistent/plugins.d/15-ip4tables exited with return code 2
    May 10 19:41:53 debian netfilter-persistent[3099]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
    May 10 19:41:53 debian systemd[1]: netfilter-persistent.service: main process exited, code=exited, status=1/FAILURE
    May 10 19:41:53 debian systemd[1]: Failed to start netfilter persistent configuration.
    -- Subject: Unit netfilter-persistent.service has failed

This is the script referenced in the error output:
    #!/bin/sh
    # This file is part of netfilter-persistent
    # (was iptables-persistent)
    # Copyright (C) 2009, Simon Richter <[email protected]>
    # Copyright (C) 2010, 2014 Jonathan Wiltshire <[email protected]>
    #
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of the GNU General Public License
    # as published by the Free Software Foundation, either version 3
    # of the License, or (at your option) any later version.

    # Note: with "set -e", a failing ip6tables-restore aborts the script and
    # its exit code becomes the plugin's exit code (run-parts reports it).
    set -e

    rc=0

    load_rules()
    {
        # load IPv6 rules
        if [ ! -f /etc/iptables/rules.v6 ]; then
            echo "Warning: skipping IPv6 (no rules to load)"
            exit 0
        else
            ip6tables-restore < /etc/iptables/rules.v6 2> /dev/null
            if [ $? -ne 0 ]; then
                rc=1
            fi
        fi
    }

    save_rules()
    {
        # save IPv6 rules
        # need at least ip6table_filter loaded:
        /sbin/modprobe -q ip6table_filter
        if [ ! -f /proc/net/ip6_tables_names ]; then
            echo "Warning: skipping IPv6 (no modules loaded)"
        elif [ -x /sbin/ip6tables-save ]; then
            # create the file with restrictive permissions before writing rules into it
            touch /etc/iptables/rules.v6
            chmod 0640 /etc/iptables/rules.v6
            ip6tables-save > /etc/iptables/rules.v6
            if [ $? -ne 0 ]; then
                rc=1
            fi
        fi
    }

    flush_rules()
    {
        if [ ! -f /proc/net/ip6_tables_names ]; then
            echo "Warning: skipping IPv6 (no module loaded)"
        elif [ -x /sbin/ip6tables ]; then
            # flush, zero counters and delete user chains in the filter table
            for param in F Z X; do /sbin/ip6tables -$param; done
            # then do the same for every other loaded table
            for table in $(cat /proc/net/ip6_tables_names)
            do
                /sbin/ip6tables -t $table -F
                /sbin/ip6tables -t $table -Z
                /sbin/ip6tables -t $table -X
            done
            # reset the built-in policies to ACCEPT
            for chain in INPUT FORWARD OUTPUT
            do
                /sbin/ip6tables -P $chain ACCEPT
            done
        fi
    }

    case "$1" in
    start|restart|reload|force-reload)
        load_rules
        ;;
    save)
        save_rules
        ;;
    stop)
        # Why? because if stop is used, the firewall gets flushed for a variable
        # amount of time during package upgrades, leaving the machine vulnerable
        # It's also not always desirable to flush during purge
        echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
        ;;
    flush)
        flush_rules
        ;;
    *)
        echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
        exit 1
        ;;
    esac

    exit $rc
Answer 1

Quick fix

In my case, a rule in /etc/iptables/rules.v4 was broken by -j ULOG. Deleting that line and re-running apt-get upgrade fixed the problem.

How to debug

The error is here:

    May 10 19:41:53 debian netfilter-persistent[3099]: run-parts: /usr/share/netfilter-persistent/plugins.d/15-ip4tables exited with return code 2

You can debug it by running the plugin as root:

    /usr/share/netfilter-persistent/plugins.d/15-ip4tables start

Inspecting /usr/share/netfilter-persistent/plugins.d/15-ip4tables shows that the suspicious failing command is:

    /sbin/iptables-restore < /etc/iptables/rules.v4 2> /dev/null

You can also run it on its own:

    /sbin/iptables-restore -v < /etc/iptables/rules.v4

The reported failing line was of no use, so I just ran the lines in a shell prefixed with iptables to get something useful. For example, for the line

    -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT

you can run

    iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
Answer 2

In my case the problem only appeared at boot; as soon as I ran iptables-restore < /etc/iptables/rules.v4 by hand, it worked.

So, to find out what the problem was, I changed the load_rules function in /usr/share/netfilter-persistent/plugins.d/15-ip4tables to write to a log file.

Before:

    load_rules()
    {
        # load IPv4 rules
        if [ ! -f /etc/iptables/rules.v4 ]; then
            echo "Warning: skipping IPv4 (no rules to load)"
        else
            /sbin/iptables-restore < /etc/iptables/rules.v4 2> /dev/null
            if [ $? -ne 0 ]; then
                rc=1
            fi
        fi
    }

After:

    load_rules()
    {
        # load IPv4 rules
        if [ ! -f /etc/iptables/rules.v4 ]; then
            echo "Warning: skipping IPv4 (no rules to load)"
        else
            # verbose, and keep the error output instead of discarding it
            /sbin/iptables-restore -v < /etc/iptables/rules.v4 2>> /var/log/netfilter-debug
            if [ $? -ne 0 ]; then
                rc=1
            fi
        fi
    }

It gave me the following output in /var/log/netfilter-debug:

    iptables-restore: line 48 failed

With that I knew where to look. Interestingly, the offending line was COMMIT... still investigating why.
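Added example, written for this page and not taken from either answer: a small POSIX shell helper that applies both answers' techniques statically to an iptables-save dump. It turns a bare "iptables-restore: line N failed" into the rule lines to bisect (answer 2's line 48 pointed at a COMMIT, which means the kernel rejected that whole table on commit) and greps for the obsolete -j ULOG target that answer 1 had to remove. The rules file is a constructed sample, not the posters' real rules.v4, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): static checks on an iptables-save
# dump that make "iptables-restore: line N failed" actionable without touching
# the live ruleset. Uses only sh, awk, grep and sed.

# Rules (with file line numbers) of the table block containing line $2 of $1.
# A failing COMMIT means the kernel rejected that whole table on commit, so the
# real culprit is one of these rules; bisect them as answer 1 does.
table_rules_of_line() {
    awk -v target="$2" '
        /^\*/     { n = 0 }                  # "*table": a new block starts
        /^-/      { buf[++n] = NR ": " $0 }  # remember rules and line numbers
        /^COMMIT/ { if (target + 0 <= NR) { for (i = 1; i <= n; i++) print buf[i]; exit } }
    ' "$1"
}

# Show the reported line; if it is a COMMIT, also list the candidate rules.
explain_failed_line() {
    line=$(sed -n "${2}p" "$1")
    printf 'line %s: %s\n' "$2" "$line"
    case $line in COMMIT*) table_rules_of_line "$1" "$2" ;; esac
}

# Rules jumping to ULOG, a target removed from the kernel in favour of NFLOG;
# answer 1's fix was deleting exactly such a line.
find_ulog_rules() {
    grep -n -E -- '-j[[:space:]]+ULOG([[:space:]]|$)' "$1"
}

# Constructed sample dump (not the poster's real rules.v4) for a dry run.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ULOG --ulog-prefix "telnet"
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF

find_ulog_rules "$SAMPLE"          # 10:-A INPUT -p tcp ... -j ULOG ...
explain_failed_line "$SAMPLE" 12   # COMMIT of *filter: lists lines 8-11
```

Point the same two functions at /etc/iptables/rules.v4 and the line number from the "line N failed" message to get the rules worth re-running one by one with iptables.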