  • No iptables configuration file after installing a CentOS 6 virtual machine

    After installing a CentOS 6.5 virtual machine in an OpenStack environment, the firewall configuration file /etc/sysconfig/iptables was missing.

    The fix is as follows:

    [root@kvm-server005 ~]# iptables -P OUTPUT ACCEPT
    [root@kvm-server005 ~]# /etc/init.d/iptables save
    iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

    The /etc/sysconfig/iptables configuration file now exists:
    [root@kvm-server005 ~]# cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.4.7 on Wed Aug 31 01:14:57 2016
    *filter
    :INPUT ACCEPT [43:3196]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [23:2380]
    COMMIT
    # Completed on Wed Aug 31 01:14:57 2016


    Next, add a few more rules to the configuration and reload it:
    [root@kvm-server005 ~]# cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.4.7 on Wed Aug 31 01:14:57 2016
    *filter
    :INPUT ACCEPT [43:3196]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [23:2380]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Completed on Wed Aug 31 01:14:57 2016
    [root@kvm-server005 ~]# /etc/init.d/iptables restart
    iptables: Setting chains to policy ACCEPT: filter [ OK ]
    iptables: Flushing firewall rules: [ OK ]
    iptables: Unloading modules: [ OK ]
    iptables: Applying firewall rules: [ OK ]
    [root@kvm-server005 ~]#

    ===========================================================
    A brief explanation of a few of the entries in /etc/sysconfig/iptables:
    :INPUT ACCEPT [0:0]
    # The default policy of the INPUT chain is ACCEPT

    :FORWARD ACCEPT [0:0]
    # The default policy of the FORWARD chain is ACCEPT

    :OUTPUT ACCEPT [0:0]
    # The default policy of the OUTPUT chain is ACCEPT

    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Accepts incoming packets only if they are replies to packets this host sent out. ESTABLISHED: the connection is already established. RELATED: the packet is related to a connection initiated by this host.

    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    # These two rules reject, in the INPUT and FORWARD chains, every packet that did not match any of the rules above, and send an ICMP host-prohibited message back to the rejected host.
    Note: when restricting access purely by a source-IP whitelist, these two rules must not be commented out! Otherwise the whitelist has no effect!
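    As an added example (not part of the original post), a small shell check for the pitfall just described: it reads an iptables-save dump on stdin and reports whether a source-IP whitelist rule in INPUT is actually backed by a catch-all REJECT/DROP rule or a DROP chain policy. The two rule sets it runs on are constructed inline from the post's own configuration, with the catch-all commented out in the second.

```shell
#!/bin/sh
# Added example (not from the original post): check an iptables-save dump for
# the pitfall described above. A "-s <net> ... -j ACCEPT" whitelist rule in
# INPUT only restricts access if something after it rejects everyone else:
# a catch-all REJECT/DROP rule at the end of the chain or a DROP chain policy.
# Reads the dump on stdin; returns 0 if the whitelist is enforced, 1 if not.
check_input_whitelist() {
    awk '
        /^#/  { next }                              # iptables-save comments
        /^\*/ { table = substr($0, 2); next }       # *filter, *nat, ...
        table != "filter" { next }
        /^:INPUT / { policy = $2; next }            # ":INPUT ACCEPT [0:0]"
        /^-A INPUT / {
            if ($0 ~ / -s [0-9]/ && $0 ~ /-j ACCEPT/) has_whitelist = 1
            # a catch-all has no match options between the chain and the target
            if ($0 ~ /^-A INPUT -j (REJECT|DROP)( |$)/) catch_all = 1
        }
        END {
            if (!has_whitelist) { print "no source-IP whitelist in INPUT"; exit 0 }
            if (catch_all || policy == "DROP") { print "OK: whitelist is enforced"; exit 0 }
            print "WARNING: whitelist present but nothing rejects other sources"
            exit 1
        }'
}

# Constructed input: the rule set from the post (packet counters zeroed)
GOOD_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Same set with the final REJECT commented out, as the post warns against:
# the whitelist rule still matches, but every other source falls through to
# the ACCEPT policy, so port 22 is reachable from anywhere.
BAD_RULES=$(printf '%s\n' "$GOOD_RULES" | sed 's/^-A INPUT -j REJECT/#&/')

printf '%s\n' "$GOOD_RULES" | check_input_whitelist
printf '%s\n' "$BAD_RULES"  | check_input_whitelist || echo "-> keep the catch-all REJECT rule"
```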

  • Original article: https://www.cnblogs.com/kevingrace/p/5825530.html