http://www.zhanghaijun.com/index.php zh-cn http://www.zhanghaijun.com/post// 碟舞飞扬 <webmaster@zhanghaijun.com> Wed, 15 Jun 2011 18:37:54 +0000 http://www.zhanghaijun.com/post//
[root@localhost ~]# service iptables restart
Flushing firewall rules:  
                                 [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules: iptables-restore: line 31 failed
                                                           [FAILED]
配置文件是:
[root@localhost ~]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5601 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5602 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
这个问题查了很久，后来  strace iptables-restore /etc/sysconfig/iptables 发现问题。
open("/lib/iptables/libipt_RH-Firewall-1-INPUT.so", O_RDONLY) = -1 ENOENT (No such file or directory)
这个libipt_RH-Firewall-1-INPUT.so我的2.6.25.2的内核没有编译出来(或者可能就没有)。
但是其实这个.so文件没有也可以正常工作的。后来我在H-Firewall-1-INPUT正常的CentOS5.1上也没看到这个.so文件。
RH-Firewall-1-INPUT是个自定义的子链。
可以通过
#iptables -N RH-Firewall-1-INPUT
#service iptables save
#service iptables restart
c)ip_conntrack_netbios_n
[root@localhost ~]# service iptables restart
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[FAILED]
调试/etc/rc.d/init.d/iptables查找问题。
发现：
    # Load additional modules (helpers)
    if [ -n "$IPTABLES_MODULES" ]; then
        echo -n $"Loading additional $IPTABLES modules: "
        ret=0
        for mod in $IPTABLES_MODULES; do
            echo -n "$mod "
            modprobe $mod > /dev/null 2>&1
            let ret+=$?;
        done
        [ $ret -eq 0 ] && success || failure
        echo
    fi
    touch $VAR_SUBSYS_IPTABLES
    return $ret
        
modprobe ip_conntrack_netbios_ns > /dev/null 2>&1
而ip_conntrack_netbios_ns这个文件我没有的，奇怪的是IPTABLES_MODULES这个参数在/etc/rc.d/init.d/iptables我没有找到赋值的地方。原来是在/etc/sysconfig/iptables-config
注释掉。
IPTABLES_MODULES="ip_conntrack_netbios_ns"
好像是配置netbios穿越NAT用的,一般用不到的。
ip_conntrack_netbios_ns 这个模块在make menuconfig 中是IP_NF_NETBIOS_NS。
/etc/rc.d/init.d/iptables restart
[root@localhost ~]# /etc/rc.d/init.d/iptables restart
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
去掉脚本中的调试语句。OK
Tags - linux , iptables ]]> http://www.zhanghaijun.com/post//#blogcomment <user@domain.com> Thu, 01 Jan 1970 00:00:00 +0000 http://www.zhanghaijun.com/post//#blogcomment