iptables我的目標是在啟動時載入一組規則。我運行的是 Ubuntu 20.04.1。
我有一組iptables在 中定義的規則/etc/iptables/rules.v4。我已經iptables-persistent安裝netfilter-persistent了。後者是啟用的systemd服務,並且在重新啟動後成功運行,如圖systemctl status netfilter-persistent所示,但中定義的規則/etc/iptables/rules.v4是不是重新啟動後應用。
至關重要的是:手動重新啟動服務 ( systemctl restart netfilter-persistent) 會導致規則被載入。服務有效且規則有效。就好像在netfilter-persistent運行和退出後出現了其他一些服務,從而消除了規則。
有人有什麼想法嗎?我不知道如何繼續,因為似乎沒有其他人遇到這個問題。
如果任何其他詳細資訊有幫助,請告訴我。我感覺自己好像失去理智了。
編輯:其內容/etc/iptables/rules.v4為:
*nat
:PREROUTING ACCEPT [29:8848]
:INPUT ACCEPT [29:8848]
:OUTPUT ACCEPT [6720:404317]
:POSTROUTING ACCEPT [96:8382]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -o enp39s0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
*filter
:INPUT ACCEPT [9418:3194873]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [17003:1327822]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
開機後iptables --list -v返回:
Chain INPUT (policy ACCEPT 5587 packets, 1329K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER-USER all -- any any anywhere anywhere
0 0 DOCKER-ISOLATION-STAGE-1 all -- any any anywhere anywhere
0 0 ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- any docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 !docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 docker0 anywhere anywhere
0 0 ACCEPT all -- wg0 any anywhere anywhere
Chain OUTPUT (policy ACCEPT 6845 packets, 956K bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any docker0 anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any anywhere anywhere
請特別注意,FORWARD 策略是 DROP,而不是 ACCEPT,並且wg0添加了 WireGuard ( ) 規則。