
平臺(tái) 論壇博客文庫(kù)

› 論壇 › 程序設(shè)計(jì) › 內(nèi)核源碼 › iptables開(kāi)機(jī)規(guī)則恢復(fù)疑問(wèn)

最近訪問(wèn)板塊

查看: 1459 | 回復(fù): 2

[網(wǎng)絡(luò)子系統(tǒng)] iptables開(kāi)機(jī)規(guī)則恢復(fù)疑問(wèn) [復(fù)制鏈接]

linuxlearning4R

白手起家

論壇徽章:: 0

電梯直達(dá)

1樓 [收藏(0)] [報(bào)告]

發(fā)表于 2016-05-31 20:07 |只看該作者 |倒序?yàn)g覽

本帖最后由 linuxlearning4RMB 于 2016-05-31 20:09 編輯

iptables開(kāi)機(jī)規(guī)則恢復(fù)疑問(wèn)

第一步，清除所有的規(guī)則
  3 iptables -F
  4 iptables -X
  5 iptables -Z
  6 iptables -t nat -F
  7 iptables -t nat -X
  8 iptables -t nat -Z
  9 iptables -t mangle -F
10 iptables -t mangle -X
11 iptables -t mangle -Z

第二步，保存規(guī)則
service iptables save
實(shí)際上是保存到/etc/sysconfig/iptables

根據(jù)網(wǎng)上說(shuō)的，reboot以后機(jī)器會(huì) 自動(dòng) 通過(guò)iptables-restore把/etc/sysconfig/iptables恢復(fù)回去

/sbin/service iptables save
This executes the iptables init script, which runs the /sbin/iptables-save program and writes the current iptables configuration to /etc/sysconfig/iptables. The existing /etc/sysconfig/iptables file is saved as /etc/sysconfig/iptables.save.

The next time the system boots, the iptables init script reapplies the rules saved in /etc/sysconfig/iptables by using the /sbin/iptables-restore command.

但是，我重啟以后，實(shí)際上，機(jī)器并沒(méi)有恢復(fù)我們?cè)瓉?lái)保存的規(guī)則，而是出來(lái)一些很奇怪的規(guī)則：

[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 74 packets, 7368 bytes)
pkts bytes target    prot opt in    out    source             destination
0    0 ACCEPT    udp  --  virbr0 *    0.0.0.0/0          0.0.0.0/0          udp dpt:53
0    0 ACCEPT    tcp  --  virbr0 *    0.0.0.0/0          0.0.0.0/0          tcp dpt:53
0    0 ACCEPT    udp  --  virbr0 *    0.0.0.0/0          0.0.0.0/0          udp dpt:67
0    0 ACCEPT    tcp  --  virbr0 *    0.0.0.0/0          0.0.0.0/0          tcp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target    prot opt in    out    source             destination
0    0 ACCEPT    all  --  *    virbr0  0.0.0.0/0          192.168.122.0/24    ctstate RELATED,ESTABLISHED
0    0 ACCEPT    all  --  virbr0 *    192.168.122.0/24    0.0.0.0/0
0    0 ACCEPT    all  --  virbr0 virbr0  0.0.0.0/0          0.0.0.0/0
0    0 REJECT    all  --  *    virbr0  0.0.0.0/0          0.0.0.0/0          reject-with icmp-port-unreachable
0    0 REJECT    all  --  virbr0 *    0.0.0.0/0          0.0.0.0/0          reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 69 packets, 8540 bytes)
pkts bytes target    prot opt in    out    source             destination

請(qǐng)問(wèn)：
為什么reboot以后iptables不是空的（第一、第二步已經(jīng)清空保存了）？
virbr0這個(gè)網(wǎng)卡是怎么回事，實(shí)際上并沒(méi)有與之對(duì)應(yīng)的物理網(wǎng)卡？

附件：/etc/sysconfig/iptables文件內(nèi)容

[root@localhost ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Tue May 31 19:39:51 2016
*raw
REROUTING ACCEPT [2176:159300]
:OUTPUT ACCEPT [1836:159588]
COMMIT
# Completed on Tue May 31 19:39:51 2016
# Generated by iptables-save v1.4.21 on Tue May 31 19:39:51 2016
*nat
REROUTING ACCEPT [1:229]
:INPUT ACCEPT [1:229]
:OUTPUT ACCEPT [0:0]
OSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue May 31 19:39:51 2016
# Generated by iptables-save v1.4.21 on Tue May 31 19:39:51 2016
*mangle
REROUTING ACCEPT [170:11641]
:INPUT ACCEPT [170:11641]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [143:12692]
OSTROUTING ACCEPT [143:12692]
COMMIT
# Completed on Tue May 31 19:39:51 2016
# Generated by iptables-save v1.4.21 on Tue May 31 19:39:51 2016
*filter
:INPUT ACCEPT [170:11641]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [143:12692]
COMMIT
# Completed on Tue May 31 19:39:51 2016