Unable to update iptables on a CentOS server

When I try to update iptables on CentOS I get the following error:

Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

Does the "-w" option really work? Where in the following script can I add it?

#!/bin/bash
# Purpose: Block all traffic from AFGHANISTAN (af) and CHINA (CN). Use ISO code. #
# See url for more info - http://www.cyberciti.biz/faq/?p=3402
# Author: nixCraft <www.cyberciti.biz> under GPL v.2.0+
# IP block lists per country: http://www.ipdeny.com/ipblocks/
# -------------------------------------------------------------------------------
ISO="in af ru pl lt vn gb" 

### Set PATH ###
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep

### No editing below ###
SPAMLIST="countrydrop"
ZONEROOT="/root/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"

cleanOldRules(){
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
}

# create a dir
[ ! -d $ZONEROOT ] && /bin/mkdir -p $ZONEROOT

# clean old rules
cleanOldRules

# create a new iptables list
$IPT -N $SPAMLIST

for c  in $ISO
do 
    # local zone file
    tDB=$ZONEROOT/$c.zone

    # get fresh zone file
    $WGET -O $tDB $DLROOT/$c.zone

    # country specific log message
    SPAMDROPMSG="$c Country Drop"

    # keep only the network blocks (skip comments and blank lines)
    BADIPS=$($EGREP -v "^#|^$" "$tDB")
    for ipblock in $BADIPS
    do
       $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
       $IPT -A $SPAMLIST -s $ipblock -j DROP
    done
done

# Drop everything 
$IPT -I INPUT -j $SPAMLIST
$IPT -I OUTPUT -j $SPAMLIST
$IPT -I FORWARD -j $SPAMLIST

# call your other iptable script
# /path/to/other/iptables.sh

exit 0

Regards,

Jaime

Answer 1

Does the "-w" option really work?

Presumably: man iptables

 -w, --wait
      Wait for the xtables lock.  To prevent multiple instances of the program from running concurrently,  an  attempt  will  be  made  to
      obtain  an  exclusive  lock at launch.  By default, the program will exit if the lock cannot be obtained.  This option will make the
      program wait until the exclusive lock can be obtained.

Where in the following script can I add it?

In the definition of the iptables command:

IPT="/sbin/iptables -w"
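
The answer's one-liner assumes the installed iptables already knows -w. The following wrapper, added here as an example and not part of the question or the answer, adds -w only when the binary supports it and otherwise serialises this script's own iptables calls with flock(1); the binary path in IPT, the lock path in LOCKFILE and the block_net helper are assumptions for the example.

```shell
#!/bin/bash
# Added example, not from the question or the answer: a wrapper that passes
# -w when the installed iptables supports it and otherwise serialises this
# script's own iptables calls with flock(1). Assumed: iptables lives at $IPT,
# flock from util-linux is present, and LOCKFILE is a path root can create.
IPT=${IPT:-/sbin/iptables}
LOCKFILE=${LOCKFILE:-/var/lock/countrydrop.lock}   # assumed lock path

# -w/--wait first appeared in iptables 1.4.20; the 1.4.7 build on CentOS 6
# does not know it. Probe the help text instead of parsing version strings.
ipt_supports_wait() {
    "$IPT" --help 2>&1 | grep -q -- '--wait'
}

# Run one iptables command. With -w, iptables blocks until it can take the
# xtables lock instead of exiting with "Another app is currently holding the
# xtables lock". Without -w we can only stop this script from racing against
# itself; other lock holders (e.g. fail2ban or firewalld) are still a risk.
# The probe result is cached because the zone loop calls this thousands of times.
ipt() {
    if [ -z "${IPT_WAIT_FLAG+set}" ]; then
        if ipt_supports_wait; then IPT_WAIT_FLAG="-w"; else IPT_WAIT_FLAG=""; fi
    fi
    if [ -n "$IPT_WAIT_FLAG" ]; then
        "$IPT" $IPT_WAIT_FLAG "$@"
    else
        flock "$LOCKFILE" "$IPT" "$@"
    fi
}

# The two rules the question's loop adds per network block, now lock-aware.
block_net() {   # block_net <chain> <cidr> <log-prefix>
    ipt -A "$1" -s "$2" -j LOG --log-prefix "$3" &&
    ipt -A "$1" -s "$2" -j DROP
}

# Usage in the question's script: replace the two `$IPT -A $SPAMLIST ...`
# lines with `block_net "$SPAMLIST" "$ipblock" "$SPAMDROPMSG"` and every
# other `$IPT` invocation with `ipt`.
```

Note that the flock fallback only protects against concurrent copies of this script; any other program that calls iptables without -w will still collide, which is why the -w path is preferred wherever the binary offers it.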

Answer 2

The -w option only lets iptables wait for the lock until it times out, but it is not a fix for the root cause.

Your problem is just a symptom of something else. Probably another script is trying to update your iptables ruleset at the same time your script is updating it.

You can implement the firewall ruleset in a more elegant and simpler way with ipset. In that case you also gain performance, since fewer rules means better performance. The only thing you lose is readable logging, but there is a workaround for that too.
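
The ipset approach above, written out as an added example that is not part of the question or the answer: each country's zone file is loaded into its own hash:net set through an atomic temporary-set swap, and the chain then holds one LOG and one DROP rule per country instead of two rules per network block. Keeping one set per country is the logging workaround, since the log prefix still names the country. The set-name prefix, the COUNTRYDROP_APPLY guard and the ipset path are assumptions; the country list and zone directory are the ones from the question's script.

```shell
#!/bin/bash
# Added example, not from the question or the answer: load each country's
# zone file into an ipset and reference the set from one iptables rule.
# Assumed: ipset and an iptables with the "set" match are installed, and the
# zone files are one IPv4 CIDR per line with "#" comments, as on ipdeny.com.
set -eu

ISO="in af ru pl lt vn gb"       # same country list as the question's script
ZONEROOT=/root/iptables          # same zone directory as the question's script
SETPREFIX=countrydrop            # assumed ipset name prefix
IPT="/sbin/iptables -w"          # -w: wait for the xtables lock (answer 1)
IPSET=/usr/sbin/ipset            # assumed ipset path

# Emit an "ipset restore" stream for one country: fill a temporary set, then
# swap it with the live set, so the replacement is atomic and there is no
# window in which the country is unblocked. Comments, blank lines and anything
# that is not an IPv4 CIDR are skipped.
zone_to_ipset_restore() {   # zone_to_ipset_restore <setname> <zonefile>
    local setname="$1" zonefile="$2" tmp="${1}_tmp"
    printf 'create %s hash:net family inet hashsize 4096 maxelem 65536\n' "$setname"
    printf 'create %s hash:net family inet hashsize 4096 maxelem 65536\n' "$tmp"
    printf 'flush %s\n' "$tmp"
    grep -E '^[0-9]+(\.[0-9]+){3}/[0-9]+$' "$zonefile" | while read -r net; do
        printf 'add %s %s\n' "$tmp" "$net"
    done
    printf 'swap %s %s\n' "$tmp" "$setname"
    printf 'destroy %s\n' "$tmp"
}

# One LOG rule and one DROP rule per country instead of two per network block.
# One set per country is the workaround for readable logs: the prefix still
# names the country.
install_rules() {   # install_rules <chain> <iso codes...>
    local chain="$1" c; shift
    $IPT -N "$chain" 2>/dev/null || $IPT -F "$chain"
    for c in "$@"; do
        $IPT -A "$chain" -m set --match-set "${SETPREFIX}_$c" src \
            -j LOG --log-prefix "$c Country Drop "
        $IPT -A "$chain" -m set --match-set "${SETPREFIX}_$c" src -j DROP
    done
}

main() {
    local c
    for c in $ISO; do
        # -exist: re-creating an existing set or re-adding an entry is not an error
        zone_to_ipset_restore "${SETPREFIX}_$c" "$ZONEROOT/$c.zone" | $IPSET -exist restore
    done
    install_rules "$SETPREFIX" $ISO
    # hook the chain in once; -C checks whether the jump is already present
    $IPT -C INPUT -j "$SETPREFIX" 2>/dev/null || $IPT -I INPUT -j "$SETPREFIX"
    $IPT -C FORWARD -j "$SETPREFIX" 2>/dev/null || $IPT -I FORWARD -j "$SETPREFIX"
}

# Only touch the firewall when explicitly asked: COUNTRYDROP_APPLY=1 ./script
if [ "${COUNTRYDROP_APPLY:-0}" = 1 ]; then
    main
fi
```

Because the sets are replaced with a swap and the chain is only re-filled rather than flushed globally, re-running the script to refresh the zone files no longer tears down every other rule the way the question's cleanOldRules does, and it issues a few dozen iptables calls instead of thousands, which also makes lock contention far less likely.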
