Platform: RK3568, Debian 10 system
Problems: 1. iptables cannot be used; 2. iptables -L does not work
iptables: iptables (netfilter) is a user-space firewall application, the IP packet filtering system integrated with the 3.5 version Linux kernel. If a Linux system is connected to the Internet or a LAN, acts as a server, or is a proxy server joining a LAN and the Internet, iptables gives better control over IP packet filtering and firewall configuration on that system.
Problem 1: running iptables --help reports an error
root@linaro-alip:~# iptables --help
iptables/1.8.2 Failed to initialize nft: Protocol not supported
Cause: on Debian 10, iptables uses the nf_tables backend by default, but the kernel in this system does not support nf_tables.
Fix: add the following to kernel/arch/arm64/configs/rockchip_linux_defconfig
CONFIG_NF_TABLES=y
After adding it, rebuild the kernel and flash the upgrade; iptables then starts normally:
root@linaro-alip:~# iptables
iptables v1.8.2 (nf_tables): no command specified
Try `iptables -h' or 'iptables --help' for more information.
root@linaro-alip:~# iptables --help
iptables v1.8.2
Usage: iptables -[ACD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--check -C chain Check for the existence of a rule
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
Problem 2: using iptables -L to list the system firewall rules reports an error
root@linaro-alip:~# iptables -L
iptables v1.8.2 (nf_tables): CHAIN_ADD failed (Operation not supported): chain INPUT
Cause: Debian buster uses nftables rather than iptables.
Fix: call update-alternatives to force Debian 10 to use iptables (the legacy ip_tables backend) instead of nftables. Both alternatives are the same iptables 1.8.2 user-space tool; iptables-legacy talks to the kernel's ip_tables interface, while iptables-nft talks to nf_tables.
sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
After fixing this, iptables -L still does not work; it now reports a different error:
root@linaro-alip:~# iptables -L
iptables v1.8.2 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
From the look of it, a missing kernel module (iptable_filter) is why the filter table cannot be found. I went digging in the source and happened to come across kernel\net\ipv4\netfilter\iptable_filter.c (actually by grepping under kernel); it was not being compiled, so presumably this module was what was missing.
Fix: enable the config option in kernel/arch/arm64/configs/rockchip_linux_defconfig
CONFIG_IP_NF_FILTER=y
Generally, for a C file that already exists in the RK kernel source, enabling its corresponding config option is enough to build it in, since Kconfig already declares it. To be safe you can check kernel\net\ipv4\netfilter\kconfig, and the Makefile likewise.
++ kernel\net\ipv4\netfilter\kconfig
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).
	  To compile it as a module, choose M here. If unsure, say N.
After the change, build so that the .o file is produced and flash the kernel; the filter table then appears:
root@linaro-alip:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
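The two problems above come down to kernel options that the RK defconfig had left out, and each shows up as a distinct iptables error string. The script below is an added example (not from the original post or the RK kernel): it maps the three error messages seen above to the fix the post applied, and checks a kernel config for the options involved. The sample defconfig text and error strings are constructed from the post's own output; the live_check helper reads the running kernel's config (/proc/config.gz or /boot/config-*) when one is available, which is an assumption about the target system.

```shell
#!/bin/sh
# Added example (not from the original post): map the iptables errors seen above to the
# kernel options the post enabled, and check a kernel config for those options.
# SAMPLE_CONFIG is a constructed fragment resembling the defconfig after the first fix
# (nf_tables enabled) but before the second (CONFIG_IP_NF_FILTER still unset).
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_NF_TABLES=y
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_FILTER is not set'

# config_state CONFIG_TEXT OPTION -> prints y (built in), m (module) or n (absent/unset)
config_state() {
    _text=$1
    _opt=$2
    # Anchor on '=' or ' ' so CONFIG_NF_TABLES does not match CONFIG_NF_TABLES_INET
    _line=$(printf '%s\n' "$_text" | grep -E "^(# )?${_opt}[= ]" | head -n 1)
    case "$_line" in
        "${_opt}=y") echo y ;;
        "${_opt}=m") echo m ;;
        *)           echo n ;;
    esac
}

# missing_options CONFIG_TEXT -> prints, one per line, the options that are neither
# built in nor modules. nf_tables serves the nft backend; ip_tables plus the filter
# table serve the legacy backend, which is what the post switched to.
missing_options() {
    _text=$1
    for _opt in CONFIG_NETFILTER CONFIG_NF_TABLES CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER; do
        if [ "$(config_state "$_text" "$_opt")" = n ]; then
            echo "$_opt"
        fi
    done
}

# diagnose ERROR_TEXT -> prints the fix the post applied for that iptables error
diagnose() {
    case "$1" in
        *"Failed to initialize nft"*) echo "enable CONFIG_NF_TABLES" ;;
        *"CHAIN_ADD failed"*)         echo "update-alternatives --set iptables /usr/sbin/iptables-legacy" ;;
        *"Table does not exist"*)     echo "enable CONFIG_IP_NF_FILTER" ;;
        *)                            echo "unknown" ;;
    esac
}

# live_check -> runs missing_options against the running kernel's config, if exposed.
# Assumes either CONFIG_IKCONFIG_PROC or a /boot/config-<release> file on the target.
live_check() {
    if [ -r /proc/config.gz ]; then
        missing_options "$(zcat /proc/config.gz)"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        missing_options "$(cat "/boot/config-$(uname -r)")"
    else
        echo "no kernel config found; enable CONFIG_IKCONFIG_PROC or inspect the defconfig" >&2
        return 1
    fi
}

# Demo on the constructed sample: reports CONFIG_IP_NF_FILTER as missing and
# names the fix for the "Table does not exist" error from the post.
echo "missing from sample config:"
missing_options "$SAMPLE_CONFIG"
diagnose "iptables v1.8.2 (legacy): can't initialize iptables table \`filter': Table does not exist"
```

On a board with CONFIG_IKCONFIG_PROC enabled, calling live_check after flashing a new kernel confirms the options actually landed in the running image rather than only in the defconfig, which is the check this post had to do by hand with grep.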
References: RK3568 Debian system iptables command error_iptables/1.8.2 failed to initialize nft: protocol - CSDN blog
iptables v1.8.2 (nf_tables): CHAIN_ADD failed (No such file or directory): chain PREROUTING - CSDN blog