大家救救我阿..iptables不能保存

szhw520

大家好！小弟配置了iptables .想在公司里面给服务器安装下，然后做些策略。可是策略都搞好了，如果一条一条地在bash里面加入就可以..
可当我重启iptables 的时候，就会恢复成一个iptables文件里面都是这些行:
# Generated by iptables-save v1.4.1.1 on Wed Dec 24 02:09:08 2008
*nat
REROUTING ACCEPT [229:34076]
OSTROUTING ACCEPT [110:7392]
:OUTPUT ACCEPT [110:7392]
[0:0] -A POSTROUTING -s 192.168.122.0/24 -d ! 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Dec 24 02:09:08 2008
# Generated by iptables-save v1.4.1.1 on Wed Dec 24 02:09:08 2008
*mangle
REROUTING ACCEPT [8942:1066240]
:INPUT ACCEPT [8942:1066240]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7774:879339]
OSTROUTING ACCEPT [7774:879339]
COMMIT
# Completed on Wed Dec 24 02:09:08 2008
# Generated by iptables-save v1.4.1.1 on Wed Dec 24 02:09:08 2008
*filter
:INPUT ACCEPT [8942:1066240]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7774:879339]
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A INPUT -s 192.168.0.8/32 -j ACCEPT
[0:0] -A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Wed Dec 24 02:09:08 2008


为什么会这样，原来的策略很长的，我在vi里面保存了一下。然后重启了service iptables restart  就会变成以上的文件。
我查看/etc/sysconfig/里面有很多.iptables.conf.swp ／.iptables.config.swi 等文件。它们怎么删除不掉啊？
源文件载下来的一些：
# Generated by iptables-save v1.4.1.1 on Tue Dec 23 13:16:04 2008
*nat
REROUTING ACCEPT [43869:2698271]
OSTROUTING ACCEPT [1050:70277]
:OUTPUT ACCEPT [1050:70277]
COMMIT
# Completed on Tue Dec 23 13:16:04 2008
# Generated by iptables-save v1.4.1.1 on Tue Dec 23 13:16:04 2008
*mangle
REROUTING ACCEPT [67690:12749105]
:INPUT ACCEPT [67690:12749105]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [51529:2974597]
OSTROUTING ACCEPT [51529:2974597]
COMMIT
# Completed on Tue Dec 23 13:16:04 2008
# Generated by iptables-save v1.4.1.1 on Tue Dec 23 13:16:04 2008
*filter
:INPUT ACCEPT [67688:12749009]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [49897:2754008]
[0:0] -A FORWARD -p tcp -m multiport --dports 25 -j ACCEPT
[0:0] -A FORWARD -p tcp -m multiport --dports 110 -j ACCEPT
[0:0] -A FORWARD -p udp -m multiport --dports 25 -j ACCEPT
[0:0] -A FORWARD -p udp -m multiport --dports 110 -j ACCEPT
[0:0] -A FORWARD -p udp -m multiport --dports 53 -j ACCEPT
[0:0] -A FORWARD -p tcp -m multiport --dports 53 -j ACCEPT
[0:0] -A FORWARD -s 192.168.0.9/32 -j DROP
[0:0] -A FORWARD -s 192.168.0.10/32 -j DROP
[0:0] -A FORWARD -s 192.168.0.11/32 -j DROP
[0:0] -A FORWARD -s 192.168.0.12/32 -j DROP
[0:0] -A FORWARD -s 192.168.0.13/32 -j DROP
[0:0] -A FORWARD -s 192.168.0.14/32 -j DROP
[0:0] -A FORWARD -s 192.168.0.15/32 -j DROP
[0:0] -A FORWARD -s 192.168.0.16/32 -j ACCEPT
[0:0] -A FORWARD -s 192.168.0.20/32 -j DROP
[0:0] -A FORWARD -s 192.168.0.8/32 -p tcp -m multiport --dports 80 -j ACCEPT
[0:0] -A FORWARD -s 192.168.0.8/32 -p tcp -m multiport --dports 80,225 -j ACCEPT
[0:0] -A FORWARD -s 192.168.0.17/32 -p tcp -m multiport --dports 25,53,80,110,443,1863,8000,8001,8002,8080 -j ACCEPT
[0:0] -A FORWARD -s 192.168.0.18/32 -p tcp -m multiport --dports 25,53,80,110,443,1863,8000,8001,8002,8080 -j ACCEPT
[0:0] -A FORWARD -s 192.168.0.19/32 -p tcp -m multiport --dports 25,53,80,110,443,1863,8000,8001,8002,8080 -j ACCEPT
[0:0] -A FORWARD -s 192.168.0.20/32 -j DROP
[0:0] -A FORWARD -s 192.168.0.21/32 -p tcp -m multiport --dports 25,53,80,110,443,1863,8000,8001,8002,8080 -j ACCEPT
[0:0] -A FORWARD -s 192.168.0.22/32 -p tcp -m multiport --dports 25,53,80,110,443,1863,8000,8001,8002,8080 -j ACCEPT
[0:0] -A FORWARD -s 192.168.0.23/32 -p tcp -m multiport --dports 25,53,80,110,443,1863,8000,8001,8002,8080 -j ACCEPT
[0:0] -A FORWARD -s 192.168.0.24/32 -p tcp -m multiport --dports 25,53,80,110,443,1863,8000,8001,8002,8080 -j ACCEPT
[0:0] -A FORWARD -s 192.168.0.25/32 -p tcp -m multiport --dports 25,53,80,110,443,1863,8000,8001,8002,8080 -j ACCEPT
[0:0] -A FORWARD -s 192.168.0.26/32 -p tcp -m multiport --dports 25,53,80,110,443,1863,8000,8001,8002,8080 -j ACCEPT
[0:0] -A FORWARD -s 192.168.0.27/32 -j DROP
[0:0] -A FORWARD -s 192.168.0.28/32 -j DROP
[0:0] -A FORWARD -s 192.168.0.29/32 -j DROP


救救我。

vermouth

service iptables save
.iptables.conf.swp 这类文件是用 vi 编辑失败产生的备份文件，不用可以 rm 掉。

szhw520

噢，那怎么保存iptables策略阿

szhw520

没有人理我？郁闷

emmoblin

iptables-save 和iptables-restore
就是把配置保存下来。
相当于写到配置文件中。
当然了，你也可以从新执行一遍脚本也能恢复配置

szhw520

我试了好几次了，都不行啊，不知道怎么回事，我把里面的内容会清除了，iptables-save 保存了，再往里面写入内容后，再重启iptables ,竟然跑出和我要的内容不相关的

kns1024wh

正确的是iptables-save > /etc/sysconfig/iptables

szhw520

我现在就是试一下，还有那个iptables-restore 的按了一下，下面的就会一直在闪，等了好久还是没有变化，是什么回事？
对了，为什么我把iptables 里面的内容全清除了，然后再插入已做好的内容，用iptales-save 然后重新启动，那里面的内容竟然神奇得变成其它的内容了，不知道它调用的是哪个文件？感觉/etc/sysconfig/那里面有很多.iptables.old 还有iptables.save .iptables.swi的文件。。每次都不成功。。。

emmoblin

iptables-save的输出重定向到 /etc/sysconfig/iptables
这个文件才行， 服务在重启之后会自动去读取该文件中的规则并重建防火墙。

changzi100

那就写在一个脚本里，然后保存。下以就执行这个脚本即可。