Question about iptables rules not being restored at boot
This post was last edited by linuxlearning4RMB on 2016-05-31 20:09.
Step 1: flush all rules
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z
Step 2: save the rules
service iptables save
This actually saves them to /etc/sysconfig/iptables.
According to what I read online, after a reboot the machine automatically restores /etc/sysconfig/iptables with iptables-restore:
/sbin/service iptables save
This executes the iptables init script, which runs the /sbin/iptables-save program and writes the current iptables configuration to /etc/sysconfig/iptables. The existing /etc/sysconfig/iptables file is saved as /etc/sysconfig/iptables.save.
The next time the system boots, the iptables init script reapplies the rules saved in /etc/sysconfig/iptables by using the /sbin/iptables-restore command.
But after I rebooted, the machine did not actually restore the rules we had saved; instead, some very strange rules showed up:
# iptables -vnL
Chain INPUT (policy ACCEPT 74 packets, 7368 bytes)
 pkts bytes target     prot opt in     out    source               destination
    0     0 ACCEPT     udp  --  virbr0 *      0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *      0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *      0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *      0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out    source               destination
    0     0 ACCEPT     all  --  *      virbr0 0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *      192.168.122.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  virbr0 virbr0 0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      virbr0 0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *      0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 69 packets, 8540 bytes)
 pkts bytes target     prot opt in     out    source               destination
Questions:
Why is iptables not empty after the reboot (steps 1 and 2 already flushed and saved it)?
What is this virbr0 interface? There is no physical NIC corresponding to it.
Attachment: contents of /etc/sysconfig/iptables
# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Tue May 31 19:39:51 2016
*raw
:PREROUTING ACCEPT
:OUTPUT ACCEPT
COMMIT
# Completed on Tue May 31 19:39:51 2016
# Generated by iptables-save v1.4.21 on Tue May 31 19:39:51 2016
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
COMMIT
# Completed on Tue May 31 19:39:51 2016
# Generated by iptables-save v1.4.21 on Tue May 31 19:39:51 2016
*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
COMMIT
# Completed on Tue May 31 19:39:51 2016
# Generated by iptables-save v1.4.21 on Tue May 31 19:39:51 2016
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
COMMIT
# Completed on Tue May 31 19:39:51 2016
These should be rules loaded by some other service; it looks like they also flushed the rules that were restored.
virbr0 is related to virtualization; it was probably set up by a docker- or KVM-related service.

Reply to #2 nswcfd
Yes, that is possible. Some modules may maintain their own iptables rules instead of going through sysconfig.
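As a follow-up to the two replies above, here is an added check (not part of this thread): a POSIX shell script that diffs the saved /etc/sysconfig/iptables against a live iptables-save dump, so rules that some other service (libvirt's virbr0 rules in this case) injected after the restore stand out. The sample dumps are constructed, and normalize_dump, iptables_drift and drift_count are names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: list rules present in the running iptables
# ruleset but absent from the saved file, i.e. rules another service (libvirt's
# virbr0 rules in the thread) added after the init script restored the file.
# Inputs are two iptables-save dumps (saved file, live dump); the samples below
# are constructed so the check runs offline.
LC_ALL=C; export LC_ALL
# Normalise a dump: drop comments and blank lines, strip [pkts:bytes] counters
# after chain policies, prefix each line with its "*table", sort for comm(1).
normalize_dump() {
    sed -e '/^#/d' -e '/^$/d' -e 's/ \[[0-9]*:[0-9]*\]$//' "$1" |
    awk '/^\*/ { table = $0; next }
         /^COMMIT$/ { next }
         { print table " " $0 }' | sort -u
}
# Print lines present in the live dump ($2) but not in the saved dump ($1).
iptables_drift() {
    s=$(mktemp); l=$(mktemp)
    normalize_dump "$1" > "$s"
    normalize_dump "$2" > "$l"
    comm -13 "$s" "$l"
    rm -f "$s" "$l"
}
# Number of drifted lines, for alerting: 0 means live matches saved.
drift_count() { iptables_drift "$1" "$2" | wc -l | tr -d ' '; }

# Constructed sample: the thread's empty saved filter table (policies only) ...
SAVED=$(mktemp)
cat > "$SAVED" <<'EOF'
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
COMMIT
EOF
# ... and a constructed live dump with libvirt-style virbr0 rules seen after reboot.
LIVE=$(mktemp)
cat > "$LIVE" <<'EOF'
*filter
:INPUT ACCEPT [74:7368]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [69:8540]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF

iptables_drift "$SAVED" "$LIVE"   # prints the four virbr0 rules, prefixed with "*filter"
```

On a real host run it as iptables_drift /etc/sysconfig/iptables /path/to/iptables-save-dump after each boot; a non-zero drift_count is the signal that something other than the init script is managing the ruleset.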