After installing a CentOS 6.5 virtual machine, there is no iptables configuration file

A CentOS 6.5 virtual machine was installed in an OpenStack environment. After the installation finished, the /etc/sysconfig/iptables firewall configuration file was found to be missing.

The fix is as follows:

[root@kvm-server005 ~]# iptables -P OUTPUT ACCEPT
[root@kvm-server005 ~]# /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

With that, the /etc/sysconfig/iptables configuration file exists:
[root@kvm-server005 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Wed Aug 31 01:14:57 2016
*filter
:INPUT ACCEPT [43:3196]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [23:2380]
COMMIT
# Completed on Wed Aug 31 01:14:57 2016


As a supplement, here is some additional rule configuration:
[root@kvm-server005 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Wed Aug 31 01:14:57 2016
*filter
:INPUT ACCEPT [43:3196]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [23:2380]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Aug 31 01:14:57 2016
[root@kvm-server005 ~]# /etc/init.d/iptables restart
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
[root@kvm-server005 ~]#

===========================================================
A brief explanation of several entries in the /etc/sysconfig/iptables file:
:INPUT ACCEPT [0:0]
# This line means the default policy of the INPUT chain is ACCEPT

:FORWARD ACCEPT [0:0]
# This line means the default policy of the FORWARD chain is ACCEPT

:OUTPUT ACCEPT [0:0]
# This line means the default policy of the OUTPUT chain is ACCEPT

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only incoming packets that are replies to packets this host sent out are allowed. ESTABLISHED: the connection is already established. RELATED: the packet is related to a connection initiated by this host.

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# These two lines reject, in the INPUT and FORWARD chains, every remaining packet that matched none of the rules above, and send an ICMP host-prohibited message back to the rejected host.
Note: when implementing a pure source-IP whitelist, these two rules must not be commented out; otherwise the configured whitelist has no effect!
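As an added example (not from the original post), the following Python checks an iptables-save style file for exactly this mistake: a source-IP whitelist on a chain whose policy is ACCEPT and whose final REJECT rule is missing, plus the related case of a whitelist rule placed after the catch-all REJECT, where it is never reached. The sample rule set is constructed from the configuration shown above; the function names are my own.

```python
# Constructed sample: the INPUT rule set shown in the post (chain policy ACCEPT).
POST_RULES = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Constructed variant: the final REJECT commented out, which the post warns against.
NO_REJECT = POST_RULES.replace("\n-A INPUT -j REJECT", "\n#-A INPUT -j REJECT")

def parse_filter(text):
    """Return (policies, rules) for the *filter table; rules are token lists per chain."""
    policies, rules, in_filter = {}, {}, False
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue  # blank lines and comments, including commented-out rules
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line == "COMMIT":
            break
        elif in_filter and line.startswith(":"):  # ':INPUT ACCEPT [43:3196]'
            chain, policy = line[1:].split()[:2]
            policies[chain], rules[chain] = policy, []
        elif in_filter and line.startswith("-A "):
            rules.setdefault(line.split()[1], []).append(line.split())
    return policies, rules

def is_catch_all(tokens):
    """True for '-A CHAIN -j DROP|REJECT [--reject-with X]' with no match options."""
    flags = {t for t in tokens[2:] if t.startswith("-")}
    target = tokens[tokens.index("-j") + 1] if "-j" in tokens[:-1] else None
    return target in ("DROP", "REJECT") and flags <= {"-j", "--reject-with"}

def lint(text, chain="INPUT"):
    """Return findings for chain; an empty list means the whitelist is really enforced."""
    policies, rules = parse_filter(text)
    chain_rules = rules.get(chain, [])
    allow = [i for i, r in enumerate(chain_rules) if "-s" in r and "ACCEPT" in r]
    if not allow:
        return []  # no source-address whitelist on this chain, nothing to check
    catch = [i for i, r in enumerate(chain_rules) if is_catch_all(r)]
    findings = []
    if policies.get(chain) not in ("DROP", "REJECT") and not catch:
        findings.append(f"{chain}: policy {policies.get(chain)} and no final REJECT/DROP; whitelist restricts nothing")
    if catch and any(i > catch[0] for i in allow):
        findings.append(f"{chain}: whitelist rule placed after the catch-all REJECT/DROP is never reached")
    return findings
```

Running `lint(POST_RULES)` returns an empty list, while `lint(NO_REJECT)` reports that the whitelist restricts nothing; a chain with policy DROP passes without a final REJECT rule.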
