
Allowing the VRRP protocol after enabling the SuSEfirewall2 firewall on SLES 12 SP2 (rules for building high availability with keepalived)


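Changing the firewall on CentOS 6
vi /etc/sysconfig/iptables and add the following
# -p 112 selects IP protocol 112; -p vrrp (the protocol name) also works. The keepalived multicast address is 224.0.0.18
-A INPUT -p 112 -d 224.0.0.18/32 -j ACCEPT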

Changing the firewall on CentOS 7
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --in-interface enp4s0 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
firewall-cmd --reload

Changing the firewall on SUSE
vi /etc/sysconfig/SuSEfirewall2
Uncomment the following line
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
and comment out the following line
FW_CUSTOMRULES=""

Then
vi /etc/sysconfig/scripts/SuSEfirewall2-custom

fw_custom_before_port_handling() {
    # these rules will be loaded after the anti-spoofing and icmp handling
    # and after the input has been redirected to the input_XXX and
    # forward_XXX chains and some basic chain-specific anti-circumvention
    # rules have been set,
    # but before any IP protocol or TCP/UDP port allow/protection rules
    # will be set.
    # You can use this hook to allow/deny certain IP protocols or TCP/UDP
    # ports before the SuSEfirewall2 generated rules are hit.

    # add the following line
    iptables -A INPUT -p vrrp -j ACCEPT -d 224.0.0.18
    true
}
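
An added example, not from the original post: a small Python audit that reads iptables-save output and reports whether an ACCEPT rule for VRRP (protocol name vrrp or number 112) really covers the keepalived group 224.0.0.18, and whether it is broader than the rules above need. The sample ruleset is constructed, negated matches are skipped, and the function names are this example's own.

```python
import ipaddress

VRRP_GROUP = ipaddress.ip_address("224.0.0.18")  # keepalived multicast address
VRRP_PROTOS = {"vrrp", "112"}                    # protocol name or number
FLAGS = {"-p": "proto", "--protocol": "proto", "-d": "dest", "--destination": "dest",
         "-j": "target", "--jump": "target", "-i": "iface", "--in-interface": "iface"}

# Constructed sample in iptables-save format (not taken from a real host).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p vrrp -d 224.0.0.0/32 -j ACCEPT
-A INPUT -d 224.0.0.18/32 -i enp4s0 -p vrrp -j ACCEPT
-A INPUT -d 224.0.0.0/8 -p 112 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

def parse_rule(line):
    """Parse one '-A CHAIN ...' line; return None for other lines or negated matches."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "-A" or "!" in tokens:
        return None
    rule = {"chain": tokens[1], "proto": None, "dest": None, "target": None, "iface": None}
    for flag, value in zip(tokens[2:], tokens[3:]):
        if flag in FLAGS:
            rule[FLAGS[flag]] = value
    return rule

def audit(ruleset_text):
    """Return (covering, findings) for rules that accept VRRP."""
    covering, findings = [], []
    for line in ruleset_text.splitlines():
        rule = parse_rule(line)
        if not rule or rule["target"] != "ACCEPT" or rule["proto"] not in VRRP_PROTOS:
            continue
        # A rule without -d matches every destination.
        net = ipaddress.ip_network(rule["dest"] or "0.0.0.0/0", strict=False)
        if VRRP_GROUP not in net:
            findings.append(f"does not match {VRRP_GROUP}: {line.strip()}")
            continue
        covering.append(line.strip())
        if net.prefixlen < 32:
            findings.append(f"destination {net} is wider than {VRRP_GROUP}/32: {line.strip()}")
        if rule["iface"] is None:
            findings.append(f"not limited to one input interface: {line.strip()}")
    return covering, findings

if __name__ == "__main__":
    ok, notes = audit(SAMPLE)
    print("rules accepting VRRP to 224.0.0.18:", *ok, sep="\n  ")
    print("findings:", *notes, sep="\n  ")
```

On a live host, feed it the text of `iptables-save` instead of SAMPLE.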

http://www.kikikoo.com/uid-20794884-id-5704461.html

Thanks, Google, and thanks to the expert above~

Reference: https://docs.oracle.com/cd/E37670_01/E41138/html/section_ksr_psb_nr.html
