Cannot update iptables on my CentOS server


Question

When I try to update iptables on CentOS, I get this error:


Another app is currently holding the xtables lock. Perhaps you want to use the -w option?



Does the "-w" option really work? Can I add it in the script below?


#!/bin/bash
# Purpose: Block all traffic from AFGHANISTAN (af) and CHINA (CN). Use ISO code. #
# See url for more info - http://www.cyberciti.biz/faq/?p=3402
# Author: nixCraft <www.cyberciti.biz> under GPL v.2.0+
# IP block lists by country: http://www.ipdeny.com/ipblocks/
# -------------------------------------------------------------------------------
ISO="in af ru pl lt vn gb"

### Set PATH ###
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep

### No editing below ###
SPAMLIST="countrydrop"
ZONEROOT="/root/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"

# flush every table, delete user chains and reset the default policies to ACCEPT
cleanOldRules(){
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -t mangle -F
    $IPT -t mangle -X
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
}

# create a dir
[ ! -d $ZONEROOT ] && /bin/mkdir -p $ZONEROOT

# clean old rules
cleanOldRules

# create a new iptables list
$IPT -N $SPAMLIST

for c in $ISO
do
    # local zone file
    tDB=$ZONEROOT/$c.zone

    # get fresh zone file
    $WGET -O $tDB $DLROOT/$c.zone

    # country specific log message
    SPAMDROPMSG="$c Country Drop"

    # get the network blocks, skipping comment and empty lines
    BADIPS=$($EGREP -v "^#|^$" $tDB)
    for ipblock in $BADIPS
    do
        $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
        $IPT -A $SPAMLIST -s $ipblock -j DROP
    done
done

# Drop everything
$IPT -I INPUT -j $SPAMLIST
$IPT -I OUTPUT -j $SPAMLIST
$IPT -I FORWARD -j $SPAMLIST

# call your other iptable script
# /path/to/other/iptables.sh

exit 0




Answer 1

Does the "-w" option really work?

Possibly. From man iptables:


 -w, --wait
     Wait for the xtables lock. To prevent multiple instances of the program from running concurrently, an attempt will be made to obtain an exclusive lock at launch. By default, the program will exit if the lock cannot be obtained. This option will make the program wait until the exclusive lock can be obtained.



Can I add it in the script below?

In the definition of the iptables command:


IPT="/sbin/iptables -w"




Answer 2

The -w option only lets iptables wait for the lock until it times out; it is not the solution.

Most likely another script is trying to update your iptables ruleset at the same time.

You can use ipset to implement the firewall ruleset in a more elegant and simpler way, and it also improves performance, since fewer rules mean better performance.
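Putting the two answers together, here is an added example (not from either answer and not the original poster's script) that applies Answer 1's -w to every iptables call and uses ipset as Answer 2 suggests: one hash:net set per country loaded with ipset restore, and two rules per country in the chain instead of two per network block. The set names cc_<iso>, the chain name countrydrop, the function names and the --apply switch are assumptions of this example; the zone file it ships is constructed sample data in RFC 5737 test networks, standing in for a real ipdeny download. Without --apply the script only prints the commands it would run, so the generated ruleset can be reviewed as a non-root user.

```shell
#!/bin/sh
# Added example, not the original poster's script: per-country ipsets plus a
# short iptables chain, with every iptables call using -w (Answer 1) and a
# rule count independent of the number of network blocks (Answer 2).
# Assumed names: sets cc_<iso>, chain "countrydrop", zone files $ZONEROOT/<iso>.zone.

CHAIN="countrydrop"
IPT="/sbin/iptables -w"   # -w: wait for the xtables lock instead of exiting; left unquoted on use so it splits into two words
IPSET="/sbin/ipset"
DRY_RUN=1                 # 1: print commands only; 0 (--apply): execute them

# Execute a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Turn a zone file (one CIDR per line, '#' comments allowed) into ipset-restore
# lines for set cc_<code>. -exist makes both the create and the adds idempotent.
zone_to_restore() {   # $1 = ISO code, $2 = zone file
    printf 'create cc_%s hash:net family inet -exist\n' "$1"
    grep -Ev '^#|^$' "$2" | while read -r net; do
        printf 'add cc_%s %s -exist\n' "$1" "$net"
    done
}

# Load one country's set and append its two rules (LOG, then DROP) to the chain.
load_country() {   # $1 = ISO code, $2 = zone file
    if [ "$DRY_RUN" = 1 ]; then
        zone_to_restore "$1" "$2"
    else
        zone_to_restore "$1" "$2" | $IPSET restore
    fi
    run $IPT -A "$CHAIN" -m set --match-set "cc_$1" src -j LOG --log-prefix "$1 Country Drop "
    run $IPT -A "$CHAIN" -m set --match-set "cc_$1" src -j DROP
}

# Insert the jump into a built-in chain only if it is not already there
# (-C checks for the rule), so re-runs do not stack duplicate jumps.
hook_chain() {   # $1 = INPUT or FORWARD
    if [ "$DRY_RUN" = 1 ] || ! $IPT -C "$1" -j "$CHAIN" 2>/dev/null; then
        run $IPT -I "$1" -j "$CHAIN"
    fi
}

# Constructed sample zone file (RFC 5737 test networks), standing in for the
# af.zone that the original script downloads from ipdeny.
sample_zone() {   # $1 = path to write
    cat > "$1" <<'EOF'
# constructed sample in ipdeny format: one network per line
192.0.2.0/24
198.51.100.0/24
203.0.113.0/24
EOF
}

# Usage: script [--apply] [ISO ...]; zone files are read from $ZONEROOT, or a
# temporary directory holding only the constructed sample when ZONEROOT is unset.
main() {
    case "$1" in --apply) DRY_RUN=0; shift ;; esac
    codes="${*:-af}"
    cleanup=""
    if [ -z "${ZONEROOT:-}" ]; then
        ZONEROOT=$(mktemp -d)
        sample_zone "$ZONEROOT/af.zone"
        cleanup="$ZONEROOT"
    fi
    run $IPT -N "$CHAIN" 2>/dev/null || true   # chain may already exist from an earlier run
    run $IPT -F "$CHAIN"                       # rebuild only our chain, never the whole table
    for c in $codes; do
        load_country "$c" "$ZONEROOT/$c.zone"
    done
    hook_chain INPUT
    hook_chain FORWARD
    if [ -n "$cleanup" ]; then rm -rf "$cleanup"; fi
}

main "$@"
```

Run it as root with --apply (and ZONEROOT pointing at the directory of downloaded zone files) to load the sets and rules. Because the set lines carry -exist and the jump is checked with -C before -I, re-running after a fresh download updates the sets without stacking duplicate rules; networks removed upstream are not pruned, so build a fresh set and ipset swap it in if that matters. Unlike the original script it never flushes the other tables, which is what lets it coexist with whatever other script was holding the lock.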

