Linux firewall notes

CentOS 7: running service iptables save fails with "The service command supports only basic LSB actions xxxxxx"

Symptom

On CentOS 7.6.1810, running the service iptables save command produces the following error:

[root@test ~]# service iptables save
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.

Cause
Starting with CentOS 7.x, CentOS uses systemd in place of the old daemon-based init, and the commands that used to manage system startup and system services have all been replaced by systemctl. The service command keeps only a very small subset of its former actions; for most of them you must switch to systemctl.
In RHEL 7 and CentOS 7, firewalld was introduced to manage iptables.

Solution
First stop the firewall:

systemctl stop firewalld
systemctl mask firewalld

In CentOS 7 and RHEL 7 the /etc/sysconfig/iptables configuration file does not exist and service iptables restart cannot be run; both only become available after installing iptables-services.

[root@test ~]# cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core) 
[root@test ~]# rpm -qa|grep iptables
iptables-1.4.21-28.el7.x86_64
[root@test ~]# yum -y install iptables-services
After that, the service iptables [start | stop | restart | save ...] commands can be used.

The firewall rules can now be saved:

[root@test ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@test ~]# ll /etc/sysconfig/iptables
-rw-------. 1 root root 6479 Nov  7 04:00 /etc/sysconfig/iptables

Alternatively, use the following command:

[root@test ~]# /usr/libexec/iptables/iptables.init save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

Further notes

CentOS 7 has no service iptables save command to save the firewall rules; how is this handled?
Solution:
systemctl stop firewalld             # stop firewalld
yum -y install iptables-services     # install the iptables service
systemctl enable iptables            # start the iptables service at boot
systemctl start iptables             # start the iptables service
service iptables save                # save the iptables configuration
service iptables restart             # restart the iptables service
[root@test ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: active (exited) since Thu 2019-11-07 04:09:20 EST; 14s ago
  Process: 85040 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 85040 (code=exited, status=0/SUCCESS)

Nov 07 04:09:20 test systemd[1]: Starting IPv4 firewall with iptables...
Nov 07 04:09:20 test iptables.init[85040]: iptables: Applying firewall rules: [  OK  ]
Nov 07 04:09:20 test systemd[1]: Started IPv4 firewall with iptables.
[root@test ~]# service iptables status
Redirecting to /bin/systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: active (exited) since Thu 2019-11-07 04:09:20 EST; 24s ago
  Process: 85040 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 85040 (code=exited, status=0/SUCCESS)

Nov 07 04:09:20 test systemd[1]: Starting IPv4 firewall with iptables...
Nov 07 04:09:20 test iptables.init[85040]: iptables: Applying firewall rules: [  OK  ]
Nov 07 04:09:20 test systemd[1]: Started IPv4 firewall with iptables.

Note: firewalld and iptables are two different ways of configuring firewall rules and must not be running at the same time.
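The hand-over procedure above and this note can be audited with a small script. The following is an added example, not code from the original post: it checks that only one of the two units is active and, because the status output above shows firewalld "enabled" while iptables.service is "disabled", that the boot-time configuration matches the running one; it also sanity-checks the file written by service iptables save. The unit names firewalld.service and iptables.service and the path /etc/sysconfig/iptables are taken from the post; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the firewalld -> iptables
# hand-over described above. The decision logic is a pure function so it can be
# run on constructed input; collect_state() wraps the real systemctl calls.
# Assumed unit names: firewalld.service and iptables.service, as in the post.

# firewall_verdict <fw-active> <fw-enabled> <ipt-active> <ipt-enabled>
# Arguments are the words printed by `systemctl is-active` / `is-enabled`
# (active/inactive, enabled/disabled/masked). Prints one verdict line and
# returns 0 only when the host is in a consistent state.
firewall_verdict() {
    fw_act=$1; fw_en=$2; ipt_act=$3; ipt_en=$4
    # Both active: they rewrite the same kernel tables and undo each other's
    # rules, which is exactly what the note above warns against.
    if [ "$fw_act" = "active" ] && [ "$ipt_act" = "active" ]; then
        echo "CONFLICT: firewalld and iptables are both active"; return 1
    fi
    # iptables runs now, but firewalld is still enabled for boot: after a
    # reboot firewalld comes back and the saved iptables rules are not loaded.
    if [ "$ipt_act" = "active" ] && [ "$fw_en" = "enabled" ]; then
        echo "RISK: firewalld still enabled at boot; run systemctl mask firewalld"; return 1
    fi
    if [ "$ipt_act" = "active" ] && [ "$ipt_en" != "enabled" ]; then
        echo "RISK: iptables.service not enabled; rules will not load at boot"; return 1
    fi
    if [ "$fw_act" != "active" ] && [ "$ipt_act" != "active" ]; then
        echo "RISK: no host firewall is active"; return 1
    fi
    echo "OK"
}

# saved_rules_ok <file>: sanity-check what `service iptables save` wrote.
# Returns 0 if the file has a *filter table header and a closing COMMIT.
saved_rules_ok() {
    [ -r "$1" ] || { echo "missing or unreadable: $1"; return 1; }
    grep -q '^\*filter' "$1" && grep -q '^COMMIT' "$1"
}

# collect_state: query systemd on a live host and feed firewall_verdict.
collect_state() {
    firewall_verdict \
        "$(systemctl is-active firewalld 2>/dev/null)" \
        "$(systemctl is-enabled firewalld 2>/dev/null)" \
        "$(systemctl is-active iptables 2>/dev/null)" \
        "$(systemctl is-enabled iptables 2>/dev/null)"
}

# Live run only when asked: ./fwcheck.sh --live
if [ "${1:-}" = "--live" ]; then collect_state && saved_rules_ok /etc/sysconfig/iptables; fi
```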

Example 1: firewall started with systemctl start firewalld

[root@docker01 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-11-07 04:20:58 EST; 2min 5s ago
     Docs: man:firewalld(1)
 Main PID: 86122 (firewalld)
    Tasks: 2
   Memory: 21.6M
   CGroup: /system.slice/firewalld.service
           └─86122 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Nov 07 04:21:00 docker01 firewalld[86122]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT' failed...t chain?).
Nov 07 04:21:00 docker01 firewalld[86122]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' f...that name.
Nov 07 04:21:00 docker01 firewalld[86122]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --ds...that name.
Nov 07 04:21:00 docker01 firewalld[86122]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed: iptables: N...that name.
Nov 07 04:21:00 docker01 firewalld[86122]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED...t chain?).
Nov 07 04:21:00 docker01 firewalld[86122]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -j DOCKER-ISOLATION-STAGE-1' failed: ipta...that name.
Nov 07 04:21:00 docker01 firewalld[86122]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Ba...t chain?).
Nov 07 04:21:00 docker01 firewalld[86122]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -n -L DOCKER-USER' failed: iptables: No chain/target...that name.
Nov 07 04:21:00 docker01 firewalld[86122]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER-USER -j RETURN' failed: iptables: Bad rule...t chain?).
Nov 07 04:21:01 docker01 firewalld[86122]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -j DOCKER-USER' failed: iptables: No chai...that name.
Hint: Some lines were ellipsized, use -l to show in full.
[root@docker01 ~]# service iptables status
Redirecting to /bin/systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead) since Thu 2019-11-07 04:20:57 EST; 3min 23s ago
  Process: 86123 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
  Process: 85907 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 85907 (code=exited, status=0/SUCCESS)

Nov 07 04:18:38 docker01 systemd[1]: Starting IPv4 firewall with iptables...
Nov 07 04:18:38 docker01 systemd[1]: Started IPv4 firewall with iptables.
Nov 07 04:20:57 docker01 systemd[1]: Stopping IPv4 firewall with iptables...
Nov 07 04:20:57 docker01 iptables.init[86123]: iptables: Setting chains to policy ACCEPT: filter [  OK  ]
Nov 07 04:20:57 docker01 iptables.init[86123]: iptables: Flushing firewall rules: [  OK  ]
Nov 07 04:20:57 docker01 systemd[1]: Stopped IPv4 firewall with iptables.

Example 2: firewall started with service iptables start

[root@docker01 ~]# service iptables start
Redirecting to /bin/systemctl start iptables.service
[root@docker01 ~]# service iptables status
Redirecting to /bin/systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: active (exited) since Thu 2019-11-07 04:31:00 EST; 5s ago
  Process: 87000 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
  Process: 87101 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 87101 (code=exited, status=0/SUCCESS)

Nov 07 04:31:00 docker01 systemd[1]: Starting IPv4 firewall with iptables...
Nov 07 04:31:00 docker01 iptables.init[87101]: iptables: Applying firewall rules: [  OK  ]
Nov 07 04:31:00 docker01 systemd[1]: Started IPv4 firewall with iptables.
[root@docker01 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Thu 2019-11-07 04:29:12 EST; 2min 7s ago
     Docs: man:firewalld(1)
  Process: 86122 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 86122 (code=exited, status=0/SUCCESS)

Nov 07 04:21:00 docker01 firewalld[86122]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --ds...that name.
Nov 07 04:21:00 docker01 firewalld[86122]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed: iptables: N...that name.
Nov 07 04:21:00 docker01 firewalld[86122]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED...t chain?).
Nov 07 04:21:00 docker01 firewalld[86122]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -j DOCKER-ISOLATION-STAGE-1' failed: ipta...that name.
Nov 07 04:21:00 docker01 firewalld[86122]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Ba...t chain?).
Nov 07 04:21:00 docker01 firewalld[86122]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -n -L DOCKER-USER' failed: iptables: No chain/target...that name.
Nov 07 04:21:00 docker01 firewalld[86122]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER-USER -j RETURN' failed: iptables: Bad rule...t chain?).
Nov 07 04:21:01 docker01 firewalld[86122]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -j DOCKER-USER' failed: iptables: No chai...that name.
Nov 07 04:29:11 docker01 systemd[1]: Stopping firewalld - dynamic firewall daemon...
Nov 07 04:29:12 docker01 systemd[1]: Stopped firewalld - dynamic firewall daemon.
Hint: Some lines were ellipsized, use -l to show in full.