
iptables-persistent and netfilter-persistent not working on Ubuntu Server 16.04.3 x86_64

Ask Ubuntu user
Asked on 2018-01-19 11:11:15
3 answers, 13.4K views, 0 followers, 3 votes

I installed iptables-persistent and netfilter-persistent:

$ dpkg -l '*-persistent'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                         Version                      Architecture                Description
+++-============================================-===========================-===========================-==============================================================================================
ii  iptables-persistent                          1.0.4                       all                         boot-time loader for netfilter rules, iptables plugin
ii  netfilter-persistent                         1.0.4                       all                         boot-time loader for netfilter configuration

I also saved my rules to /etc/iptables/rules.v4 (for now I only care about IPv4):

$ cat /etc/iptables/rules.v4
# Generated by iptables-save v1.6.0 on Fri Jan 19 09:49:17 2018
*security
:INPUT ACCEPT [11740:1271860]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9784:2123999]
COMMIT
# Completed on Fri Jan 19 09:49:17 2018
# Generated by iptables-save v1.6.0 on Fri Jan 19 09:49:17 2018
*raw
:PREROUTING ACCEPT [18262:1677349]
:OUTPUT ACCEPT [9784:2123999]
COMMIT
# Completed on Fri Jan 19 09:49:17 2018
# Generated by iptables-save v1.6.0 on Fri Jan 19 09:49:17 2018
*nat
:PREROUTING ACCEPT [7367:452849]
:INPUT ACCEPT [872:48764]
:OUTPUT ACCEPT [500:37441]
:POSTROUTING ACCEPT [500:37441]
COMMIT
# Completed on Fri Jan 19 09:49:17 2018
# Generated by iptables-save v1.6.0 on Fri Jan 19 09:49:17 2018
*mangle
:PREROUTING ACCEPT [18262:1677349]
:INPUT ACCEPT [18259:1677229]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9784:2123999]
:POSTROUTING ACCEPT [9784:2123999]
COMMIT
# Completed on Fri Jan 19 09:49:17 2018
# Generated by iptables-save v1.6.0 on Fri Jan 19 09:49:17 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,587,465
-A INPUT -p tcp -m state --state NEW -m multiport --dports 110,995
-A INPUT -p tcp -m state --state NEW -m multiport --dports 143,993
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 3721:3725 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Fri Jan 19 09:49:17 2018

The rule I'm really interested in is the last one:

-A INPUT -p tcp -m state --state NEW -m multiport --dports 3721:3725 -j ACCEPT

But when I reboot the server, I don't get this rule:

$ sudo iptables -4 -L
[sudo] password for kal:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
           tcp  --  anywhere             anywhere             state NEW multiport dports smtp,submission,urd
           tcp  --  anywhere             anywhere             state NEW multiport dports pop3,pop3s
           tcp  --  anywhere             anywhere             state NEW multiport dports imap2,imaps
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain f2b-shadowsocks (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain f2b-sshd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Also note that iptables has some rules that were already there even before I installed iptables-persistent and netfilter-persistent, e.g. the rules for http, smtp, pop3, imap and ssh. I don't know where they come from. Of course I have installed openssh and nginx and enabled their services, but I never added iptables rules for them.

If I look at the journalctl output, the netfilter-persistent service does start successfully:

$ sudo journalctl -xu netfilter-persistent.service
-- Logs begin at Fri 2018-01-19 18:55:13 HKT, end at Fri 2018-01-19 19:05:41 HKT. --
Jan 19 18:55:13 yuma systemd[1]: Starting netfilter persistent configuration...
-- Subject: Unit netfilter-persistent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit netfilter-persistent.service has begun starting up.
Jan 19 18:55:13 yuma netfilter-persistent[1997]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
Jan 19 18:55:14 yuma netfilter-persistent[1997]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
Jan 19 18:55:14 yuma systemd[1]: Started netfilter persistent configuration.
-- Subject: Unit netfilter-persistent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit netfilter-persistent.service has finished starting up.
--
-- The start-up result is done.

If I restart netfilter-persistent manually after the machine has fully booted, I get the rule I want:

$ sudo iptables -4 -L
[...]
ACCEPT     tcp  --  anywhere             anywhere             state NEW multiport dports 3721:3725
[...]

So why doesn't netfilter-persistent work at boot time?

Is something overriding iptables completely after netfilter-persistent runs?

What can I do?

Update: I don't have ufw or firewalld either.


3 Answers

Ask Ubuntu user

Posted on 2018-01-19 14:45:49

So, my server had a file named /etc/iptables.firewall.rules, and it restored rules from that file in /etc/network/if-pre-up.d/firewall:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

/etc/iptables.firewall.rules seems to be an old file I created in 2015, following some ancient tutorial for persisting iptables rules.

So all I had to do was add my new rule to that file.

I guess the lesson is that, after checking the usual ufw and iptables-persistent/netfilter-persistent stuff, I should just run grep -rn iptables-restore /etc/. If that turns up nothing, and dbus is enabled, then it is also possible that rules are being added dynamically via firewalld.

Votes: 4
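The two checks this thread turns on, as an added example that is not code from the question or the answer: which files under /etc restore iptables rules at boot (the grep for iptables-restore from the answer, plus the /etc/network/if-pre-up.d hooks that run before netfilter-persistent), and which rules saved in rules.v4 never reach the live rule set (the question's missing 3721:3725 rule). The function names and the sample tree it builds are mine; both rule inputs must be in iptables-save format, not `iptables -L` output.

```shell
#!/bin/sh
# Added example, not code from the Ask Ubuntu post. Function names and the
# sample tree below are constructed for illustration.

# List every file under ROOT/etc that invokes iptables-restore, plus all
# if-pre-up.d hooks. ROOT defaults to /; pass a constructed tree to test.
find_restore_sources() {
    root="${1:-/}"; root="${root%/}"
    {
        grep -rls 'iptables-restore' "$root/etc" || :
        for f in "$root"/etc/network/if-pre-up.d/*; do
            [ -f "$f" ] && echo "$f"
        done
    } | sort -u
}

# Print the -A rules present in EXPECTED (e.g. /etc/iptables/rules.v4) but
# absent from ACTUAL (e.g. `iptables-save` output). Counters and comment
# lines are ignored; only the rule text is compared, duplicates collapsed.
missing_rules() {
    awk 'FILENAME == ARGV[1] { if (/^-A /) seen[$0] = 1; next }
         /^-A / && !($0 in seen) && !dup[$0]++' "$2" "$1"
}

# Constructed sample tree (not a real host): an if-pre-up.d hook that restores
# an older file, a rules.v4 holding the wanted 3721:3725 rule, and a "live"
# dump that lacks it, as in the question. Prints the tree's path.
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/network/if-pre-up.d" "$d/etc/iptables"
    printf '#!/bin/sh\n/sbin/iptables-restore < /etc/iptables.firewall.rules\n' \
        > "$d/etc/network/if-pre-up.d/firewall"
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -p tcp -m state --state NEW -m multiport --dports 3721:3725 -j ACCEPT' \
        '-A INPUT -j DROP' 'COMMIT' > "$d/etc/iptables/rules.v4"
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -j DROP' 'COMMIT' > "$d/live.v4"
    echo "$d"
}

# On a real host (as root):
#   find_restore_sources /
#   iptables-save > /tmp/live.v4 && missing_rules /etc/iptables/rules.v4 /tmp/live.v4
```

On the sample tree the first check reports only the if-pre-up.d hook and the second reports only the 3721:3725 rule, which is exactly the pair of facts the accepted answer needed.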

Ask Ubuntu user

Posted on 2019-10-22 09:08:16

So, apparently it is not enough to use netfilter-persistent to save the current iptables state to /etc/iptables/rules.v4 and .v6. You also have to arrange for them to be reloaded at boot. That means making netfilter-persistent run at startup, e.g.: systemctl enable netfilter-persistent.

This is from: https://blog.sleeplessbeastie.eu/2018/09/10/how-to-make-iptables-configuration-persistent/

Votes: 1

Ask Ubuntu user

Posted on 2020-05-25 12:20:07

netfilter-persistent save

Votes: 1

The original page content is provided by Ask Ubuntu; translation supported by Tencent Cloud's Xiaowei IT-domain engine.
Original link:

https://askubuntu.com/questions/997651
