CentOS 7 iptables not persistent after reboot


11

I installed a minimal CentOS 7 on a development server to virtualize some Linux guests with kvm/qemu.

To use iptables instead of firewalld I installed iptables-services and ran:

systemctl stop firewalld
systemctl mask firewalld
systemctl enable iptables
systemctl start iptables

SELinux is disabled by editing /etc/sysconfig/selinux

My rules for iptables are the following:

iptables -Z
iptables -F
iptables -X
iptables -t nat -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -A POSTROUTING -o enp6s0 -j MASQUERADE
iptables -A FORWARD -i enp6s0 -o virbr0 -j ACCEPT

Now I save the settings with:

iptables-save > /etc/sysconfig/iptables

My iptables file looks like this:

# Generated by iptables-save v1.4.21 on Thu Aug 20 10:46:40 2015
*mangle
:PREROUTING ACCEPT [16736:10889078]
:INPUT ACCEPT [1063:106860]
:FORWARD ACCEPT [15679:10784186]
:OUTPUT ACCEPT [570:71275]
:POSTROUTING ACCEPT [15728:10809742]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Thu Aug 20 10:46:40 2015
# Generated by iptables-save v1.4.21 on Thu Aug 20 10:46:40 2015
*filter
:INPUT ACCEPT [868:81772]
:FORWARD ACCEPT [8328:7311589]
:OUTPUT ACCEPT [233:32016]
-A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
COMMIT
# Completed on Thu Aug 20 10:46:40 2015
# Generated by iptables-save v1.4.21 on Thu Aug 20 10:46:40 2015
*nat
:PREROUTING ACCEPT [1308:86998]
:INPUT ACCEPT [77:12475]
:OUTPUT ACCEPT [1:72]
:POSTROUTING ACCEPT [1228:74319]
-A POSTROUTING -o enp6s0 -j MASQUERADE
COMMIT
# Completed on Thu Aug 20 10:46:40 2015

A quick check whether my rules are currently correct:

[root@dev1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

But after rebooting the server, the iptables rules look like this:

[root@dev1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.0.1.0/24          ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.0.1.0/24          anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

I don't understand where the other rules come from.

When calling iptables-restore -c /etc/sysconfig/iptables, the expected rules are shown.

It seems that the saved rules are not loaded at boot, or the "default" rules are not flushed, or whatever.

What is wrong here??? I'm slowly getting grey hair...


Thanks for the quick replies :)

As mentioned above, I installed iptables-services:

[root@dev1 ~]# rpm -aq iptables-services
iptables-services-1.4.21-13.el7.x86_64

Enabling the service with systemctl enable iptables.service instead of systemctl enable iptables seems to make no difference, since the same service file is linked:

[root@dev1 ~]# systemctl disable iptables
rm '/etc/systemd/system/basic.target.wants/iptables.service'
[root@dev1 ~]# systemctl enable iptables.service
ln -s '/usr/lib/systemd/system/iptables.service' '/etc/systemd/system/basic.target.wants/iptables.service'

This is the content of the iptables file after calling /usr/libexec/iptables/iptables.init save

[root@develcluster1 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Fri Aug 21 14:34:04 2015
*nat
:PREROUTING ACCEPT [351490:22546787]
:INPUT ACCEPT [15751:2400243]
:OUTPUT ACCEPT [324:21186]
:POSTROUTING ACCEPT [304860:18293418]
-A POSTROUTING -o enp6s0 -j MASQUERADE
COMMIT
# Completed on Fri Aug 21 14:34:04 2015
# Generated by iptables-save v1.4.21 on Fri Aug 21 14:34:04 2015
*filter
:INPUT ACCEPT [505048:69178501]
:FORWARD ACCEPT [55815086:22035726185]
:OUTPUT ACCEPT [325986:56595531]
-A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
COMMIT
# Completed on Fri Aug 21 14:34:04 2015
# Generated by iptables-save v1.4.21 on Fri Aug 21 14:34:04 2015
*mangle
:PREROUTING ACCEPT [109215513:66867793592]
:INPUT ACCEPT [505243:69203589]
:FORWARD ACCEPT [108710264:66798590873]
:OUTPUT ACCEPT [326323:56634790]
:POSTROUTING ACCEPT [109036066:66855179944]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Fri Aug 21 14:34:04 2015

After rebooting, calling iptables -L does not show my saved rules:

[root@dev1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.0.1.0/24          ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.0.1.0/24          anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

Maybe I'm doing something fundamentally wrong. But every thread I read does it the same way, and it should work.

If you need more information, let me know.

In the meantime I help myself with a small script that I have to call after every reboot.

#!/bin/sh

iptables -Z
iptables -F
iptables -X
iptables -t nat -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -A POSTROUTING -o enp6s0 -j MASQUERADE
iptables -A FORWARD -i enp6s0 -o virbr0 -j ACCEPT

iptables --flush
iptables-restore -c /etc/sysconfig/iptables

That's not sexy, but works so far. But it's not the final solution.


Have you checked firewalld, since it's CentOS 7? Related link: serverfault.com/questions/626521/… I hope I'm not wrong. Please also check this answer stackoverflow.com/a/24827438/2522966, which tells you to stop and mask the firewalld service (service stop|mask firewalld).
Nico 2015

Answers:


13

I think you need to enable the service with:

systemctl enable iptables.service

and you need to run the iptables init script to save the rules, like this:

/usr/libexec/iptables/iptables.init save


3

Make sure the iptables-services package is installed:

rpm -aq iptables-services

If it's not installed:

yum install iptables-services

Then you can control it with the service command just like in earlier versions of CentOS:

service iptables save

The save, stop, start and restart commands will all work, and it should load at boot.


I have the iptables command. But `rpm -aq iptables-services` outputs nothing. What does that mean?
2015

rpm -aq by itself lists all packages installed on the system with their versions. rpm -aq <package> prints information about the named package if it is installed. If rpm -aq iptables-services returns nothing, the "iptables-services" package is not installed.
Gene

If you have a problem specific to CentOS 7 and AWS, you should post a brand new question rather than commenting on an unrelated answer. I don't know which packages Amazon keeps in their repositories, but I can tell you that iptables-services is available in the standard base CentOS 7 repository.
Gene

1

I solved this by adding the commands 'service iptables stop \ iptables --flush' to the bottom of /etc/rc.d/rc.local

My environment is CentOS 7 KVM, and my problem was that libvirt repopulates iptables on reboot, blocking access to my VMs.


0

If I remember correctly, one of the virtualization services (judging by the virbr0 interface name, you seem to be running one) adds some firewall rules itself to accommodate the configured virtual networks and interfaces. Look in that area (libvirt-daemon may be a good starting point).

However, I don't know whether it is a bug or a feature that it seems to override your rules. Red Hat seems very focused on firewalld as the firewall solution in RHEL (which also applies directly to CentOS), and they may not support running their virtualization solution properly with a firewalld alternative.
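As an added example (not code from the question or from any of the answers): a small POSIX shell script that normalises two iptables-save dumps and reports which saved rules did not come back after the reboot and which rules were installed on top (for instance by libvirt). Both sample dumps below are constructed; on the real host you would feed it the contents of /etc/sysconfig/iptables and the output of iptables-save.

```shell
#!/bin/sh
# Added example: compare the rules saved to /etc/sysconfig/iptables with the
# rules actually loaded after a reboot, ignoring per-chain packet/byte counters
# and the "# Generated"/"# Completed" timestamps that change on every save.
export LC_ALL=C

# Constructed sample of the saved file (shape taken from the question).
SAVED_RULES='# Generated by iptables-save v1.4.21 on Fri Aug 21 14:34:04 2015
*filter
:INPUT ACCEPT [505048:69178501]
:FORWARD ACCEPT [55815086:22035726185]
-A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
COMMIT'

# Constructed sample of `iptables-save` output after the reboot: the saved
# FORWARD rule is gone and libvirt-style virbr0 rules are present instead.
LIVE_RULES='# Generated by iptables-save v1.4.21 on Sat Aug 22 09:00:00 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 10.0.1.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.1.0/24 -i virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# stdin: an iptables-save dump; stdout: sorted "<table> <line>" entries with
# the counters and timestamp comments removed, so two dumps become comparable.
normalize_rules() {
    awk '/^#/ || /^COMMIT/ { next }
         /^\*/ { table = substr($0, 2); next }
         /^:/  { sub(/ \[[0-9]+:[0-9]+\]$/, "") }
         { print table " " $0 }' | sort
}

# Prints the normalised entries present in dump $1 but absent from dump $2.
rules_only_in() {
    a=$(mktemp) && b=$(mktemp)
    printf '%s\n' "$1" | normalize_rules > "$a"
    printf '%s\n' "$2" | normalize_rules > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

echo "saved but not loaded:";  rules_only_in "$SAVED_RULES" "$LIVE_RULES"
echo "loaded but never saved:"; rules_only_in "$LIVE_RULES" "$SAVED_RULES"
```

Comparing this way after every reboot shows at a glance whether the iptables service restored the file at all, and which rules some other daemon added behind your back.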


0

Try this:

systemctl stop firewalld
systemctl disable firewalld
systemctl mask --now firewalld
yum -y remove iptables-services
yum -y install iptables-services
systemctl start iptables
systemctl status iptables

echo '# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT' > /etc/sysconfig/iptables

Now execute your iptables rules here

iptables-save > /etc/sysconfig/iptables
iptables-restore < /etc/sysconfig/iptables
systemctl restart iptables
systemctl restart iptables
systemctl enable iptables.service
Licensed under cc by-sa 3.0 with attribution required.