
Do iptables-persistent and netfilter-persistent actually not work on Ubuntu Server 16.04.3 x86_64?

I have iptables-persistent and netfilter-persistent installed:

$ dpkg -l '*-persistent'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                         Version                      Architecture                Description
+++-============================================-===========================-===========================-==============================================================================================
ii  iptables-persistent                          1.0.4                       all                         boot-time loader for netfilter rules, iptables plugin
ii  netfilter-persistent                         1.0.4                       all                         boot-time loader for netfilter configuration

I also have rules saved in /etc/iptables/rules.v4 (I only care about IPv4 for now):

$ cat /etc/iptables/rules.v4
# Generated by iptables-save v1.6.0 on Fri Jan 19 09:49:17 2018
*security
:INPUT ACCEPT [11740:1271860]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9784:2123999]
COMMIT
# Completed on Fri Jan 19 09:49:17 2018
# Generated by iptables-save v1.6.0 on Fri Jan 19 09:49:17 2018
*raw
:PREROUTING ACCEPT [18262:1677349]
:OUTPUT ACCEPT [9784:2123999]
COMMIT
# Completed on Fri Jan 19 09:49:17 2018
# Generated by iptables-save v1.6.0 on Fri Jan 19 09:49:17 2018
*nat
:PREROUTING ACCEPT [7367:452849]
:INPUT ACCEPT [872:48764]
:OUTPUT ACCEPT [500:37441]
:POSTROUTING ACCEPT [500:37441]
COMMIT
# Completed on Fri Jan 19 09:49:17 2018
# Generated by iptables-save v1.6.0 on Fri Jan 19 09:49:17 2018
*mangle
:PREROUTING ACCEPT [18262:1677349]
:INPUT ACCEPT [18259:1677229]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9784:2123999]
:POSTROUTING ACCEPT [9784:2123999]
COMMIT
# Completed on Fri Jan 19 09:49:17 2018
# Generated by iptables-save v1.6.0 on Fri Jan 19 09:49:17 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,587,465
-A INPUT -p tcp -m state --state NEW -m multiport --dports 110,995
-A INPUT -p tcp -m state --state NEW -m multiport --dports 143,993
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 3721:3725 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Fri Jan 19 09:49:17 2018

The rule I am particularly interested in is the one near the end:

-A INPUT -p tcp -m state --state NEW -m multiport --dports 3721:3725 -j ACCEPT

However, when I reboot the server, I don't get that rule:

$ sudo iptables -4 -L
[sudo] password for kal:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
           tcp  --  anywhere             anywhere             state NEW multiport dports smtp,submission,urd
           tcp  --  anywhere             anywhere             state NEW multiport dports pop3,pop3s
           tcp  --  anywhere             anywhere             state NEW multiport dports imap2,imaps
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain f2b-shadowsocks (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain f2b-sshd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Note also that iptables has several rules that were there even before I installed iptables-persistent and netfilter-persistent, for example the ones for http, smtp, pop3, imap and ssh. I don't know where they come from. Sure, I have openssh and nginx installed and their services enabled, but I never added iptables rules for them myself.


If I look at the journalctl output, netfilter-persistent.service starts successfully:

$ sudo journalctl -xu netfilter-persistent.service
-- Logs begin at Fri 2018-01-19 18:55:13 HKT, end at Fri 2018-01-19 19:05:41 HKT. --
Jan 19 18:55:13 yuma systemd[1]: Starting netfilter persistent configuration...
-- Subject: Unit netfilter-persistent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit netfilter-persistent.service has begun starting up.
Jan 19 18:55:13 yuma netfilter-persistent[1997]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
Jan 19 18:55:14 yuma netfilter-persistent[1997]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
Jan 19 18:55:14 yuma systemd[1]: Started netfilter persistent configuration.
-- Subject: Unit netfilter-persistent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit netfilter-persistent.service has finished starting up.
--
-- The start-up result is done.

If I manually restart netfilter-persistent.service after the machine has fully booted, I get the rule I want:

$ sudo iptables -4 -L
[...]
ACCEPT     tcp  --  anywhere             anywhere             state NEW multiport dports 3721:3725
[...]

So why doesn't netfilter-persistent actually work at boot?

Is something completely overwriting the iptables rules after netfilter-persistent has run?

What can I do?

UPDATE
I also don't have ufw or firewalld.

Accepted answer:

So it turns out my server had a file named /etc/iptables.firewall.rules, and the rules were being restored from it by /etc/network/if-pre-up.d/firewall:

#!/bin/sh
# if-pre-up.d hook: reloads the old rule set from /etc/iptables.firewall.rules
/sbin/iptables-restore < /etc/iptables.firewall.rules

/etc/iptables.firewall.rules appears to be an old file I created in 2015, following an old tutorial on persisting iptables rules.

All I had to do was add my new rule to that file.

I guess the lesson is, after checking the usual ufw and iptables-persistent/netfilter-persistent things, I should just grep -rn iptables-restore /etc/. If that finds nothing, there is also the possibility that rules are being added dynamically via dbus, if firewalld is enabled.
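The two checks that would have shortened this investigation, as an added example that is not part of the question or the accepted answer: the answer's grep for anything under /etc that calls iptables-restore, and a scan of an iptables-save file for rules that carry no target. The second check matters because iptables accepts a rule without -j or -g: it matches and counts packets but takes no action, which is exactly what the three multiport rules in the question's rules.v4 do (they show up in the iptables -L listing with an empty target column, so ports 25/587/465, 110/995 and 143/993 are not actually accepted by those lines). The function names, the --live switch and the sample tree are all constructed for this example; the sample tree only mirrors the situation the answer describes, it does not touch the real /etc.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits where boot-time
# iptables rules can come from and flags rules that have no target.
# The functions take explicit paths, so they can be pointed at /etc on a live
# host or at the constructed sample tree built below for demonstration.

# List every file under the given root that invokes iptables-restore or
# ip6tables-restore. This is the accepted answer's "grep -rn iptables-restore
# /etc/", scoped to a root directory and printing file names only.
find_restore_hooks() {
    grep -rlE 'ip6?tables-restore' "$1" 2>/dev/null | sort
}

# Print every -A rule in an iptables-save file that has no -j/-g target.
# iptables accepts such a rule: it matches and counts packets but takes no
# action, so "--dports 25,587,465" without "-j ACCEPT" does not open those ports.
find_targetless_rules() {
    grep -E '^-A ' "$1" | grep -vE ' -(j|g) ' || true
}

# On a live host, show the usual boot-time rule sources the answer says to
# check first (ufw, firewalld, netfilter-persistent), then the restore hooks.
report_live_sources() {
    for unit in ufw firewalld netfilter-persistent; do
        if command -v systemctl >/dev/null 2>&1; then
            state=$(systemctl is-enabled "$unit" 2>/dev/null) || state="${state:-not-found}"
            printf '%-22s %s\n' "$unit" "$state"
        fi
    done
    echo "files under /etc that call iptables-restore:"
    find_restore_hooks /etc
}

# Build a constructed sample tree that mirrors the situation in the question:
# an old if-pre-up.d hook plus a rules file containing one targetless rule.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/network/if-pre-up.d" "$root/iptables"
    cat > "$root/network/if-pre-up.d/firewall" <<'EOF'
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
EOF
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -p tcp -m multiport --dports 25,587,465' \
        '-A INPUT -p tcp -m multiport --dports 3721:3725 -j ACCEPT' \
        '-A INPUT -j DROP' 'COMMIT' > "$root/iptables/rules.v4"
    echo "$root"
}

if [ "${1:-}" = "--live" ]; then
    report_live_sources
else
    sample=$(build_sample_tree)
    echo "restore hooks found under $sample:"
    find_restore_hooks "$sample"
    echo "targetless rules in $sample/iptables/rules.v4:"
    find_targetless_rules "$sample/iptables/rules.v4"
    rm -rf "$sample"
fi
```

Run it without arguments to see the checks against the constructed tree, or with --live (as root, so /etc is fully readable) to list the enabled firewall units and every file under /etc that calls iptables-restore. A hook found under /etc/network/if-pre-up.d runs on every interface bring-up, after netfilter-persistent has loaded its own rules, which is the overwrite the question was chasing.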

