I have a rule in iptables that refers to a blacklist I created with ipset. My rule is
-A INPUT -m set --match-set blacklist src -m comment --comment "BLACKLISTED TRAFFIC" -j DROP
It does not persist after a reboot. This causes iptables to fail to start at boot, since the blacklist does not exist. The command I use to generate the list is
/usr/sbin/ipset restore < /etc/ipset-blacklist/ip-blacklist.restore
To get iptables to start, I set up /usr/lib/systemd/system/iptables.service like this
[Unit]
Description=IPv4 firewall with iptables
Before=ip6tables.service
After=syslog.target
AssertPathExists=/etc/sysconfig/iptables
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStartPre=/usr/sbin/ipset restore < /etc/ipset-blacklist/ip-blacklist.restore
ExecStart=/usr/libexec/iptables/iptables.init start
ExecReload=/usr/libexec/iptables/iptables.init reload
ExecStop=/usr/libexec/iptables/iptables.init stop
Environment=BOOTUP=serial
Environment=CONSOLETYPE=serial
StandardOutput=syslog
StandardError=syslog
[Install]
WantedBy=basic.target
If I do
systemctl start iptables.service
I get back:
ipset[26566]: ipset v6.38: Unknown argument <
Now, if I modify iptables.service as follows
[Unit]
Description=IPv4 firewall with iptables
Before=ip6tables.service
After=syslog.target
AssertPathExists=/etc/sysconfig/iptables
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStartPre=ipset restore < /etc/ipset-blacklist/ip-blacklist.restore
ExecStart=/usr/libexec/iptables/iptables.init start
ExecReload=/usr/libexec/iptables/iptables.init reload
ExecStop=/usr/libexec/iptables/iptables.init stop
Environment=BOOTUP=serial
Environment=CONSOLETYPE=serial
StandardOutput=syslog
StandardError=syslog
[Install]
WantedBy=basic.target
then I get an error
iptables: Applying firewall rules: iptables-restore v1.4.21: Set blacklist doesn't exist
So it looks like ExecStartPre is not being run. Any suggestions?
Answer 1
Try
ExecStartPre=/bin/sh -c "/usr/sbin/ipset restore < /etc/ipset-blacklist/ip-blacklist.restore"
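The two failures in the question have the same root: systemd splits an Exec*= value into argv itself and runs the program without a shell, so "<" is handed to ipset as a literal argument (hence "Unknown argument <"), and when the set is never loaded, iptables-restore fails with "Set blacklist doesn't exist". Wrapping the command in /bin/sh -c works because the shell, not systemd, performs the redirection. The script below is an added example, not code from the question or the answer: it mimics systemd's argv split to show where "<" lands, and it adds a pre-start consistency check that every set named by --match-set in the iptables rules is actually created by the ipset restore file. The restore file and rules file are constructed inline (one rule deliberately references a set that is never created); the real paths would be the ones from the question.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# 1. Mimic systemd's whitespace split of an Exec*= line: no shell, so "<"
#    reaches the program as a literal argument.
# 2. Check that every set referenced by "--match-set" in the iptables rules
#    is created by the ipset restore file, before iptables-restore can fail.

# Constructed sample files; in production these would be
# /etc/ipset-blacklist/ip-blacklist.restore and /etc/sysconfig/iptables.
IPSET_RESTORE="$(mktemp)"
IPTABLES_RULES="$(mktemp)"
trap 'rm -f "$IPSET_RESTORE" "$IPTABLES_RULES"' EXIT

cat > "$IPSET_RESTORE" <<'EOF'
create blacklist hash:net family inet hashsize 1024 maxelem 65536
add blacklist 192.0.2.0/24
add blacklist 198.51.100.7
EOF

# The "greylist" rule is deliberately not backed by any set in the restore file.
cat > "$IPTABLES_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m set --match-set blacklist src -m comment --comment "BLACKLISTED TRAFFIC" -j DROP
-A INPUT -m set --match-set greylist src -j DROP
COMMIT
EOF

# Split an Exec*= value on whitespace the way systemd does (no shell involved)
# and print the argv position of a literal "<", or 0 when there is none.
redirect_argv_position() {
    i=0
    for word in $1; do
        i=$((i + 1))
        if [ "$word" = "<" ]; then
            echo "$i"
            return 0
        fi
    done
    echo 0
}

# Set names created by an ipset restore file ("create NAME TYPE ..."), one per line.
created_sets() {
    awk '$1 == "create" { print $2 }' "$1"
}

# Set names referenced by iptables rules through "--match-set NAME", de-duplicated.
referenced_sets() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "--match-set") print $(i + 1) }' "$1" | sort -u
}

# Print every referenced set that the restore file does not create.
# Exit status 0 when all referenced sets are present, 1 when any is missing.
check_sets() {
    restore_file="$1"
    rules_file="$2"
    missing=0
    for name in $(referenced_sets "$rules_file"); do
        if ! created_sets "$restore_file" | grep -qx "$name"; then
            echo "$name"
            missing=1
        fi
    done
    return "$missing"
}

# Demonstration on the sample files.
echo "argv position of '<' in the failing ExecStartPre: $(redirect_argv_position 'ipset restore < /etc/ipset-blacklist/ip-blacklist.restore')"
if check_sets "$IPSET_RESTORE" "$IPTABLES_RULES"; then
    echo "every set referenced by the iptables rules is created by the restore file"
else
    echo "the sets listed above are missing; iptables-restore would fail with \"Set ... doesn't exist\""
fi
```

The argv split reports "<" as the third argument of the original ExecStartPre line, which is exactly what ipset complained about. The set check runs without ipset or root privileges because it only parses the two files; in a unit file it would sit as its own ExecStartPre= line (with an absolute path to the script) ahead of the ipset restore step, so a rule referencing a set that no restore file creates is reported before the firewall fails to load.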