查看

# hostnamectl
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-957.12.1.el7.x86_64
      Architecture: x86-64
E0314 18:12:59.860611   18056 proxier.go:430] Failed to execute iptables-restore for nat: exit status 1 (iptables-restore: line 7 failed
E0406 08:55:09.016861   14011 proxier.go:430] Failed to execute iptables-restore for nat: exit status 1 (iptables-restore: line 7 failed
E0501 22:26:04.529463   25878 proxier.go:430] Failed to execute iptables-restore for nat: exit status 1 (iptables-restore: line 6 failed
E0506 11:18:24.209635   26103 proxier.go:430] Failed to execute iptables-restore for nat: exit status 1 (iptables-restore: line 7 failed
E0506 11:18:48.060733   26595 proxier.go:430] Failed to execute iptables-restore for nat: exit status 1 (iptables-restore: line 7 failed
E0506 11:20:10.861899   27305 proxier.go:430] Failed to execute iptables-restore for nat: exit status 1 (iptables-restore: line 6 failed
E0506 11:24:45.973404   27939 proxier.go:430] Failed to execute iptables-restore for nat: exit status 1 (iptables-restore: line 6 failed
E0506 11:26:47.890014   29052 proxier.go:430] Failed to execute iptables-restore for nat: exit status 1 (iptables-restore: line 7 failed
E0526 11:19:26.737418    6591 proxier.go:1187] Failed to execute iptables-restore: exit status 2 (iptables-restore v1.4.21: Couldn't load target `KUBE-MARK-DROP':No such file or directory
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
####
I0528 16:53:50.862567   12228 iptables.go:327] running iptables-save [-t nat]
I0528 16:53:50.865041   12228 iptables.go:391] running iptables-restore [-w 5 -T nat --noflush --counters]
E0528 16:53:50.873001   12228 proxier.go:430] Failed to execute iptables-restore for nat: exit status 1 (iptables-restore: line 7 failed
)
sudo iptables --version
iptables v1.4.21
sudo iptables-restore --help
Usage: iptables-restore [-b] [-c] [-v] [-V]  [-t] [-h] [-W usecs]
	   [ --binary ]
	   [ --counters ]
	   [ --verbose ]
	   [ --version]
	   [ --test ]
	   [ --help ]
	   [ --noflush ]
	   [ --wait=<seconds>
	   [ --wait-interval=<usecs>
	   [ --table=<TABLE> ]
	   [ --modprobe=<command>]

编译

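## Install gcc and the other build dependencies
sudo yum install -y net-tools curl wget git vim jq socat conntrack ipvsadm ipset sysstat libseccomp gcc gcc-c++ cmake make bzip2 automake autoconf libtool flex bison pcre-devel zlib-devel openssl openssl-devel bridge-utils bind-utils
sudo yum install -y libnfnetlink-devel libnl3 libnl3-devel systemd-devel libuuid-devel
sudo yum install -y device-mapper-persistent-data lvm2
sudo yum install -y libmnl-devel libnftnl-devel libnetfilter_conntrack-devel libnetfilter_queue-devel libpcap-devel
## Download
# The tarball comes over plain HTTP and is later built and installed as root,
# so it has to be authenticated before anything in it is executed.
wget http://ftp.netfilter.org/pub/iptables/iptables-1.6.2.tar.bz2
# Placeholder: fill in the SHA-256 published for this release, obtained over a
# trusted channel (or verify the project's detached signature with gpg instead).
# With the placeholder left in, the check fails and nothing is built.
expected_sha256='<SHA256_OF_iptables-1.6.2.tar.bz2>'
# Every step is chained with &&, so a failed check or build stops the sequence
# without closing an interactive shell.
printf '%s  %s\n' "$expected_sha256" iptables-1.6.2.tar.bz2 | sha256sum -c - &&
tar -xjf iptables-1.6.2.tar.bz2 &&
cd iptables-1.6.2 &&
./configure --prefix=/usr/local --with-xt-lock-name=/var/run/xtables.lock --enable-libipq --enable-nfsynproxy --enable-bpf-compiler &&
## Build
make &&
## Install
sudo make install
## Replace the system binaries
# Only switch over when the new multi-call binary was really installed;
# otherwise the host would be left without working iptables tooling.
# NOTE(review): these paths are presumably still owned by the distribution's
# iptables package, so a later package update may put the old binaries back;
# confirm with `rpm -qf`.
if [ -x /usr/local/sbin/xtables-multi ]; then
  for tool in /usr/sbin/iptables /usr/sbin/iptables-restore /usr/sbin/iptables-save /usr/bin/iptables-xml; do
    # Keep the original as <name>.orig for rollback instead of deleting it;
    # an existing backup is never overwritten when the steps are run again.
    if [ ! -e "$tool.orig" ] && [ ! -L "$tool.orig" ]; then
      sudo mv -- "$tool" "$tool.orig"
    fi
    sudo ln -sfn /usr/local/sbin/xtables-multi "$tool"
  done
fi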
## 查看版本
iptables --version
iptables v1.6.2
## 查看iptables-restore
sudo iptables-restore --help
Usage: iptables-restore [-c] [-v] [-V] [-t] [-h] [-n] [-w secs] [-W usecs] [-T table] [-M command]
	   [ --counters ]
	   [ --verbose ]
	   [ --version]
	   [ --test ]
	   [ --help ]
	   [ --noflush ]
	   [ --wait=<seconds>
	   [ --wait-interval=<usecs>
	   [ --table=<TABLE> ]
	   [ --modprobe=<command> ]
## 重启电脑
sudo reboot

报错

*** Error: No suitable libmnl found. ***
    Please install the 'libmnl' package
    Or consider --disable-nftables to skip
    iptables-compat over nftables support.

*** Error: no suitable libnftnl found. ***
    Please install the 'libnftnl' package
    Or consider --disable-nftables to skip
    iptables-compat over nftables support.

---> Package libmnl-devel.x86_64 0:1.0.3-7.el7 will be installed
---> Package libnftnl.x86_64 0:1.0.8-1.el7 will be installed
---> Package libnetfilter_conntrack-devel.x86_64 0:1.0.6-1.el7_3 will be installed
---> Package libnetfilter_queue-devel.x86_64 0:1.0.2-2.el7_2 will be installed



Iptables Configuration:
  IPv4 support:				yes
  IPv6 support:				yes
  Devel support:			yes
  IPQ support:				no
  Large file support:			yes
  BPF utils support:			no
  nfsynproxy util support:		no
  nftables support:			yes
  connlabel support:			no

Build parameters:
  Put plugins into executable (static):	no
  Support plugins via dlopen (shared):	yes
  Installation prefix (--prefix):	/usr/local
  Xtables extension directory:		/usr/local/lib/xtables
  Pkg-config directory:			/usr/local/lib/pkgconfig
  Xtables lock file:			/run/xtables.lock
  Host:					x86_64-pc-linux-gnu
  GCC binary:				gcc

Iptables modules that will not be built:  connlabel




WARNING: libnetfilter_conntrack not found, connlabel match will not be built
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating extensions/GNUmakefile
config.status: creating include/Makefile
config.status: creating iptables/Makefile
config.status: creating iptables/xtables.pc
config.status: creating iptables/iptables.8
config.status: creating iptables/iptables-extensions.8.tmpl
config.status: creating iptables/iptables-save.8
config.status: creating iptables/iptables-restore.8
config.status: creating iptables/iptables-apply.8
config.status: creating iptables/iptables-xml.1
config.status: creating libipq/Makefile
config.status: creating libipq/libipq.pc
config.status: creating libiptc/Makefile
config.status: creating libiptc/libiptc.pc
config.status: creating libiptc/libip4tc.pc
config.status: creating libiptc/libip6tc.pc
config.status: creating libxtables/Makefile
config.status: creating utils/Makefile
config.status: creating include/xtables-version.h
config.status: creating include/iptables/internal.h
config.status: creating utils/nfnl_osf.8
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands

Iptables Configuration:
  IPv4 support:				yes
  IPv6 support:				yes
  Devel support:			yes
  IPQ support:				no
  Large file support:			yes
  BPF utils support:			no
  nfsynproxy util support:		no
  nftables support:			yes
  connlabel support:			no

Build parameters:
  Put plugins into executable (static):	no
  Support plugins via dlopen (shared):	yes
  Installation prefix (--prefix):	/usr/local
  Xtables extension directory:		/usr/local/lib/xtables
  Pkg-config directory:			/usr/local/lib/pkgconfig
  Xtables lock file:			/run/xtables.lock
  Host:					x86_64-pc-linux-gnu
  GCC binary:				gcc

Iptables modules that will not be built:  connlabel


Iptables Configuration:
  IPv4 support:				yes
  IPv6 support:				yes
  Devel support:			yes
  IPQ support:				no
  Large file support:			yes
  BPF utils support:			no
  nfsynproxy util support:		no
  nftables support:			yes
  connlabel support:			yes


error: missing libpcap library required by bpf compiler or nfsynproxy tool


Iptables Configuration:
  IPv4 support:				yes
  IPv6 support:				yes
  Devel support:			yes
  IPQ support:				yes
  Large file support:			yes
  BPF utils support:			yes
  nfsynproxy util support:		yes
  nftables support:			yes
  connlabel support:			yes

Build parameters:
  Put plugins into executable (static):	no
  Support plugins via dlopen (shared):	yes
  Installation prefix (--prefix):	/usr/local
  Xtables extension directory:		/usr/local/lib/xtables
  Pkg-config directory:			/usr/local/lib/pkgconfig
  Xtables lock file:			/var/run/xtables.lock
  Host:					x86_64-pc-linux-gnu
  GCC binary:				gcc

参考