How do I add firewall rules in CentOS with libvirt and iptables when the network link starts?

Using this /etc/sysconfig/iptables:

    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j ACCEPT -s 192.168.3.0/24 -d 10.0.0.0/24
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT

My FORWARD chain looks like this:

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  192.168.3.0/24       10.0.0.0/24

Now, when I start libvirtd, the FORWARD chain looks like this:

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             10.0.0.0/24          ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  10.0.0.0/24          anywhere
    ACCEPT     all  --  anywhere             anywhere
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
    ACCEPT     all  --  192.168.3.0/24       10.0.0.0/24

As you can see, my rule for 192.168.3.0/24 ended up after the REJECT rules.

How do I get the 192.168.3.0/24 rule placed before the REJECT?

-A is for Append; -I is for Insert at the beginning of the rule list.

I finally solved my problem with a libvirt networking script hook: libvirt script hook

    # cat /etc/libvirt/hooks/network
    #!/bin/bash
    NAME=$1
    TASK=$2
    IPTABLES=/usr/sbin/iptables

    if [ "$NAME" = "default" ]; then
        case "$TASK" in
            # hook is called with <network_name> started begin -
            started)
                $IPTABLES -I FORWARD -s 192.168.3.0/24 -d 10.0.0.0/24 -j ACCEPT
                ;;
            # hook is called with <network_name> stopped end -
            stopped)
                $IPTABLES -D FORWARD -s 192.168.3.0/24 -d 10.0.0.0/24 -j ACCEPT
                ;;
            *)
                echo "network hook called with unexpected options $*" >&2
                ;;
        esac
    fi

Now my rule comes first. My preferred way would have been through this: libvirt nwfilter, but I couldn't get it to work.
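As an added example (not the poster's hook script and not part of libvirt), the same approach written so that it can be run repeatedly without stacking duplicate ACCEPT rules, together with a small check that reads `iptables -S FORWARD` output and confirms the ACCEPT rule really sits ahead of the first REJECT in the chain. The install path /etc/libvirt/hooks/network and the `<network_name> started|stopped begin|end -` argument order are the libvirt network-hook convention the original script already relies on; the NETWORK, SRC_NET and DST_NET variables and the function names are this example's own.

```shell
#!/bin/bash
# Added example: idempotent libvirt network hook plus a rule-order check.
# Assumed install path: /etc/libvirt/hooks/network (libvirt's network hook).
# libvirt invokes it as:  network <network_name> started|stopped begin|end -

NETWORK="${NETWORK:-default}"            # libvirt network the rule belongs to
SRC_NET="${SRC_NET:-192.168.3.0/24}"     # subnets taken from the question
DST_NET="${DST_NET:-10.0.0.0/24}"
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"

# One rule specification shared by -C, -I and -D so the three always agree.
rule_spec() {
    printf '%s' "-s $SRC_NET -d $DST_NET -j ACCEPT"
}

# Print the iptables arguments a (network, task) event maps to; print nothing
# for networks or tasks this hook does not handle (libvirt also fires events
# such as port-created and updated, which need no rule change here).
hook_args() {
    local name=$1 task=$2
    [ "$name" = "$NETWORK" ] || return 0
    case "$task" in
        # Explicit position 1: ahead of the rules libvirt appends itself.
        started) printf '%s\n' "-I FORWARD 1 $(rule_spec)" ;;
        stopped) printf '%s\n' "-D FORWARD $(rule_spec)" ;;
        *) return 0 ;;
    esac
}

# Apply the event. Before inserting, -C (check) is used: it exits 0 when the
# rule already exists, so a repeated 'started' event or a manual re-run never
# stacks a second copy of the rule.
apply_rule() {
    local args
    args=$(hook_args "$1" "$2")
    [ -n "$args" ] || return 0
    case "$args" in
        -I*) $IPTABLES -C FORWARD $(rule_spec) 2>/dev/null && return 0 ;;
    esac
    # shellcheck disable=SC2086  # intentional word splitting of the arguments
    $IPTABLES $args
}

# Verification helper: read 'iptables -S FORWARD' output on stdin and succeed
# only if our ACCEPT rule appears before the first REJECT in the chain.
accept_precedes_reject() {
    local line
    while IFS= read -r line; do
        case "$line" in
            *"-s $SRC_NET -d $DST_NET -j ACCEPT"*) return 0 ;;
            *"-j REJECT"*) return 1 ;;
        esac
    done
    return 1
}

# Act as a hook only when libvirt passes the event arguments; sourcing the
# file with no arguments just defines the functions above.
if [ $# -ge 2 ]; then
    apply_rule "$1" "$2"
fi
```

To see what a given event would run without touching the firewall, source the file and call `hook_args default started`; after a network restart, `iptables -S FORWARD | accept_precedes_reject && echo ok` confirms the ordering the original poster checked by eye with `iptables -L`.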