使用这个 /etc/sysconfig/iptables:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j ACCEPT -s 192.168.3.0/24 -d 10.0.0.0/24
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
我的 FORWARD 链如下所示:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.3.0/24 10.0.0.0/24
现在,当我启动 libvirtd FORWARD 链时,如下所示:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 10.0.0.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 10.0.0.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- 192.168.3.0/24 10.0.0.0/24
正如您所看到的,我的 192.168.3.0/24 规则是在 REJECT 之后进行的。
如何将 192.168.3.0/24 的规则放在 REJECT 前面?
答案1
-A用于追加和-我用于在规则列表的开头插入
答案2
我最终使用 libvirt 网络脚本钩子来解决了我的问题: libvirt 脚本钩子
# cat /etc/libvirt/hooks/network
#!/bin/bash
NAME=$1
TASK=$2
IPTABLES=/usr/sbin/iptables
if [ $NAME = "default" ] ;then
case "$TASK" in
# hook is called with <network_name> started begin -
started)
$IPTABLES -I FORWARD -s 192.168.3.0/24 -d 10.0.0.0/24 -j ACCEPT
;;
# hook is called with <network_name> stopped end -
stopped)
$IPTABLES -D FORWARD -s 192.168.3.0/24 -d 10.0.0.0/24 -j ACCEPT
;;
*)
echo "qemu hook called with unexpected options $*" >&2
;;
esac
fi
现在我的规则首先出现。我最喜欢的方式是这样的: libvirt nwfilter但我无法让它工作。