CentOS 7 已自带 iptables 内核模块，但需要安装用于管理规则的服务和配置文件（iptables-services）：
yum install -y iptables-services
[root@xfirewall ~]# rpm -ql iptables-services
/etc/sysconfig/ip6tables
/etc/sysconfig/iptables
/usr/lib/systemd/system/ip6tables.service
/usr/lib/systemd/system/iptables.service
/usr/libexec/initscripts/legacy-actions/ip6tables
/usr/libexec/initscripts/legacy-actions/ip6tables/panic
/usr/libexec/initscripts/legacy-actions/ip6tables/save
/usr/libexec/initscripts/legacy-actions/iptables
/usr/libexec/initscripts/legacy-actions/iptables/panic
/usr/libexec/initscripts/legacy-actions/iptables/save
/usr/libexec/iptables
/usr/libexec/iptables/ip6tables.init
/usr/libexec/iptables/iptables.init
检查内核是否已加载 iptables 相关模块：
[root@xfirewall ~]# lsmod | grep filter
ip6t_rpfilter 12595 1
ebtable_filter 12827 1
ebtables 35009 3 ebtable_broute,ebtable_nat,ebtable_filter
ip6table_filter 12815 1
ip6_tables 26912 5 ip6table_filter,ip6table_mangle,ip6table_security,ip6table_nat,ip6table_raw
iptable_filter 12810 1
ip_tables 27126 5 iptable_security,iptable_filter,iptable_mangle,iptable_nat,iptable_raw
如果没有加载这些模块，则需要在 /etc/rc.local 中追加以下 modprobe 命令，使其开机自动加载：
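# Append modprobe lines to /etc/rc.local so the netfilter modules are loaded at boot.
# The delimiter is quoted ('EOF') so nothing inside the heredoc is subject to
# variable or command expansion; the lines are written literally.
# ip_conntrack / ip_conntrack_ftp / ip_nat_ftp are legacy names; on the CentOS 7
# kernel they are expected to resolve through module aliases to the nf_conntrack /
# nf_nat family shown in the lsmod output above — confirm with `modprobe -n -v`.
cat >>/etc/rc.local<<'EOF'
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state
EOF
# The original wrote "ipt_stat", which is not a module name and makes modprobe
# fail at boot; the connection-state match is "ipt_state" (alias of xt_state).
# On CentOS 7 /etc/rc.local links to /etc/rc.d/rc.local, and rc-local.service
# only runs it when the file is executable, so set the bit explicitly.
chmod +x /etc/rc.d/rc.local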
[root@xfirewall ~]# lsmod | egrep 'filter|nat|ipt'
ip6t_rpfilter 12595 1
ipt_REJECT 12541 2
nf_reject_ipv4 13373 1 ipt_REJECT
ebtable_nat 12807 1
ip6table_nat 12864 1
nf_nat_ipv6 14131 1 ip6table_nat
iptable_nat 12875 1
nf_nat_ipv4 14115 1 iptable_nat
nf_nat 26583 2 nf_nat_ipv4,nf_nat_ipv6
iptable_mangle 12695 1
iptable_security 12705 1
iptable_raw 12678 1
nf_conntrack 139264 6 nf_nat,nf_nat_ipv4,nf_nat_ipv6,xt_conntrack,nf_conntrack_ipv4,nf_conntrack_ipv6
ebtable_filter 12827 1
ebtables 35009 3 ebtable_broute,ebtable_nat,ebtable_filter
ip6table_filter 12815 1
ip6_tables 26912 5 ip6table_filter,ip6table_mangle,ip6table_security,ip6table_nat,ip6table_raw
iptable_filter 12810 1
ip_tables 27126 5 iptable_security,iptable_filter,iptable_mangle,iptable_nat,iptable_raw
libcrc32c 12644 3 xfs,nf_nat,nf_conntrack
查看 /proc/sys/net/ipv4/ip_forward 的值：如果是1，则说明IP转发功能已经打开；否则按下面方法在 /etc/sysctl.conf 中开启，并用 sysctl -p 使其生效：
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
[root@xfirewall ~]# systemctl stop firewalld.service
[root@xfirewall ~]# systemctl disable firewalld.service
关闭 SELinux（setenforce 0 立即切换为 permissive 模式，修改 /etc/selinux/config 使重启后仍然关闭）：
[root@xfirewall ~]# setenforce 0
[root@xfirewall ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@xfirewall ~]# systemctl start iptables.service
[root@xfirewall ~]# systemctl enable iptables.service
iptables -nL
查看当前生效的规则（-n 不做地址/端口名称解析，-L 列出各链的规则）