After installing a CentOS 6.5 virtual machine in an OpenStack environment, I found that the firewall configuration file /etc/sysconfig/iptables did not exist.
The fix is as follows:
[root@kvm-server005 ~]# iptables -P OUTPUT ACCEPT
[root@kvm-server005 ~]# /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
After this, the /etc/sysconfig/iptables configuration file exists:
[root@kvm-server005 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Wed Aug 31 01:14:57 2016
*filter
:INPUT ACCEPT [43:3196]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [23:2380]
COMMIT
# Completed on Wed Aug 31 01:14:57 2016
Then add some more rules to the configuration:
[root@kvm-server005 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Wed Aug 31 01:14:57 2016
*filter
:INPUT ACCEPT [43:3196]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [23:2380]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Aug 31 01:14:57 2016
[root@kvm-server005 ~]# /etc/init.d/iptables restart
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
[root@kvm-server005 ~]#
===========================================================
A brief explanation of a few of the entries in /etc/sysconfig/iptables:
:INPUT ACCEPT [0:0]
# This line sets the default policy of the INPUT chain to ACCEPT
:FORWARD ACCEPT [0:0]
# This line sets the default policy of the FORWARD chain to ACCEPT
:OUTPUT ACCEPT [0:0]
# This line sets the default policy of the OUTPUT chain to ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# This means that incoming packets are accepted only if they belong to a connection this host initiated. ESTABLISHED: a connection that is already established. RELATED: the packet is related to a connection this host initiated.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# These two lines reject, in the INPUT and FORWARD chains, every remaining packet that matched none of the rules above, and send a host-prohibited ICMP message back to the rejected host.
Note: when you are doing a plain source-IP whitelist, these two rules must not be commented out! Otherwise the whitelist you configured has no effect!
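The note above is the point that bites in practice: because the chain policy is :INPUT ACCEPT, the whitelist is enforced only by the final catch-all REJECT, and commenting that line out silently opens port 22 to every source. The POSIX sh script below is an added example, not part of the original post, that checks a saved ruleset in the /etc/sysconfig/iptables format for exactly that gap. The check_ruleset function, the temporary file names and the two sample rulesets are constructed for this example; it only parses the file and never touches the running firewall, so it can be run as a pre-deployment check without root.

```shell
#!/bin/sh
# Added example (not from the original post): detect a source-IP whitelist whose
# INPUT chain is effectively open because the policy is ACCEPT and the final
# catch-all REJECT/DROP rule is missing. All paths and rulesets below are
# constructed for this example.

# check_ruleset FILE
# Returns 0 if the filter table's INPUT chain is closed (policy DROP, or an
# unconditional DROP/REJECT rule), 1 if it is effectively open.
check_ruleset() {
    awk '
        /^\*/              { table = substr($0, 2) }    # "*filter", "*nat", ...
        /^COMMIT/          { table = "" }
        table != "filter"  { next }
        /^:INPUT /         { policy = $2 }              # ":INPUT ACCEPT [0:0]"
        /^-A INPUT / {
            # A rule is unconditional when it jumps to DROP/REJECT and carries
            # no match option (-s, -d, -p, -i, -o, -m). Commented-out lines
            # start with "#" and never reach this pattern.
            if ($0 ~ / -j (DROP|REJECT)( |$)/ && $0 !~ / -[sdpiom] /) closed = 1
        }
        END { exit (policy == "DROP" || closed) ? 0 : 1 }
    ' "$1"
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
GOOD="$TMP/iptables.good"
BAD="$TMP/iptables.bad"

# Constructed sample: the whitelist ruleset from the post, with its final REJECT.
cat > "$GOOD" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# Constructed sample: the same whitelist with the catch-all REJECT commented
# out. With policy ACCEPT, SSH from any source now falls through to ACCEPT.
cat > "$BAD" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

for f in "$GOOD" "$BAD"; do
    if check_ruleset "$f"; then
        echo "$f: INPUT chain is closed, whitelist is effective"
    else
        echo "$f: INPUT chain is OPEN: policy ACCEPT and no catch-all REJECT/DROP"
    fi
done
```

Run it against a real file with check_ruleset /etc/sysconfig/iptables before calling /etc/init.d/iptables restart; a non-zero exit means the saved ruleset would leave INPUT open despite the whitelist rules.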