尽管 netfilter-persistent 是一项已启用的服务，但 iptables 规则在重启时未应用

2024-6-5 • tag-icon

尽管 netfilter-persistent 是一项已启用的服务，但 iptables 规则在重启时未应用

我的目标是在启动时加载一组iptables规则。我正在运行 Ubuntu 20.04.1。

我在中定义了一组iptables规则/etc/iptables/rules.v4。我安装了iptables-persistent和netfilter-persistent。后者是一项已启用的systemd服务，它在重新启动后成功运行，如systemctl status netfilter-persistent所示，但在中定义的规则/etc/iptables/rules.v4是不是重启后应用。

至关重要的是：手动重启服务 ( systemctl restart netfilter-persistent) 会导致规则被加载。服务正常运行，规则有效。就好像在netfilter-persistent运行并退出后，其他服务也随之而来，抹去了规则。

有人有什么想法吗？我不知道该怎么做，因为似乎没有其他人遇到这个问题。

如果任何其他详细信息有帮助，请告诉我。我感觉好像我疯了。

编辑：其内容/etc/iptables/rules.v4为：

*nat
:PREROUTING ACCEPT [29:8848]
:INPUT ACCEPT [29:8848]
:OUTPUT ACCEPT [6720:404317]
:POSTROUTING ACCEPT [96:8382]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -o enp39s0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
*filter
:INPUT ACCEPT [9418:3194873]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [17003:1327822]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT

启动后iptables --list -v返回：

Chain INPUT (policy ACCEPT 5587 packets, 1329K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-USER  all  --  any    any     anywhere             anywhere            
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere            
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere            
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere            
    0     0 ACCEPT     all  --  wg0    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 6845 packets, 956K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    docker0  anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere

特别注意，FORWARD 策略是 DROP，而不是 ACCEPT，并且wg0添加了 WireGuard（）规则。

相关内容