NOTE: CentOS Enterprise Linux is built from the Red Hat Enterprise Linux source code. Other than logo and name changes CentOS Enterprise Linux is compatible with the equivalent Red Hat version. This document applies equally to both Red Hat and CentOS Enterprise Linux.

18.5. iptables Control Scripts

There are two basic methods for controlling iptables under Red Hat Enterprise Linux:

  • Security Level Configuration Tool (system-config-securitylevel) — A graphical interface for creating, activating, and saving basic firewall rules. For more information about how to use this tool, refer to the chapter titled Basic Firewall Configuration in the Red Hat Enterprise Linux System Administration Guide.

  • /sbin/service iptables <option> — A command issued by the root user capable of activating, deactivating, and performing other functions of iptables via its initscript. Replace <option> in the command with one of the following directives:

    • start — If a firewall is configured (meaning /etc/sysconfig/iptables exists), all running iptables are stopped completely and then started using the /sbin/iptables-restore command. The start directive only works if the ipchains kernel module is not loaded.

    • stop — If a firewall is running, the firewall rules in memory are flushed, and all iptables modules and helpers are unloaded.

      If the IPTABLES_SAVE_ON_STOP directive within the /etc/sysconfig/iptables-config configuration file is changed from its default value to yes, the current rules are saved to /etc/sysconfig/iptables and the previous contents of that file are moved to /etc/sysconfig/iptables.save.

      Refer to Section 18.5.1 iptables Control Scripts Configuration File for more information about the iptables-config file.

    • restart — If a firewall is running, the firewall rules in memory are flushed, and the firewall is started again if it is configured in /etc/sysconfig/iptables. The restart directive only works if the ipchains kernel module is not loaded.

      If the IPTABLES_SAVE_ON_RESTART directive within the /etc/sysconfig/iptables-config configuration file is changed from its default value to yes, the current rules are saved to /etc/sysconfig/iptables and the previous contents of that file are moved to /etc/sysconfig/iptables.save.

      Refer to Section 18.5.1 iptables Control Scripts Configuration File for more information about the iptables-config file.

    • status — Prints to the shell prompt the status of the firewall and a list of all active rules. If no firewall rules are loaded or configured, it indicates this fact.

      The listing of active rules shows numeric IP addresses unless the default value of IPTABLES_STATUS_NUMERIC is changed to no within the /etc/sysconfig/iptables-config configuration file, which reverts the status output to domain and hostname information. Refer to Section 18.5.1 iptables Control Scripts Configuration File for more information about the iptables-config file.

    • panic — Flushes all firewall rules. The policy of all configured tables is set to DROP.

    • save — Saves firewall rules to /etc/sysconfig/iptables using iptables-save. Refer to Section 18.4 Saving iptables Rules for more information.

Tip
To use the same initscript commands to control netfilter for IPv6, substitute ip6tables for iptables in the /sbin/service commands listed in this section. For more information about IPv6 and netfilter, refer to Section 18.6 ip6tables and IPv6.

18.5.1. iptables Control Scripts Configuration File

The behavior of the iptables initscripts is controlled by the /etc/sysconfig/iptables-config configuration file. The following is a list of directives contained within this file:

  • IPTABLES_MODULES — Specifies a space-separated list of additional iptables modules to load when a firewall is activated. These can include connection tracking and NAT helpers.

  • IPTABLES_MODULES_UNLOAD — Unloads modules on restart and stop. This directive accepts the following values:

    • yes — The default value. This option must be set to achieve a correct state for a firewall restart or stop.

    • no — This option should only be set if there are problems unloading the netfilter modules.

  • IPTABLES_SAVE_ON_STOP — Saves current firewall rules to /etc/sysconfig/iptables when the firewall is stopped. This directive accepts the following values:

    • yes — Saves existing rules to /etc/sysconfig/iptables when the firewall is stopped, moving the previous version to the /etc/sysconfig/iptables.save file.

    • no — The default value. Does not save existing rules when the firewall is stopped.

  • IPTABLES_SAVE_ON_RESTART — Saves current firewall rules when the firewall is restarted. This directive accepts the following values:

    • yes — Saves existing rules to /etc/sysconfig/iptables when the firewall is restarted, moving the previous version to the /etc/sysconfig/iptables.save file.

    • no — The default value. Does not save existing rules when the firewall is restarted.

  • IPTABLES_SAVE_COUNTER — Saves and restores all packet and byte counters in all chains and rules. This directive accepts the following values:

    • yes — Saves the counter values.

    • no — The default value. Does not save the counter values.

  • IPTABLES_STATUS_NUMERIC — Outputs IP addresses in a status output instead of domain or hostnames. This directive accepts the following values:

    • yes — The default value. Returns only IP addresses within a status output.

    • no — Returns domain or hostnames within a status output.
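As an added example (not part of the Red Hat guide), the following POSIX shell script reads an iptables-config file, applies the defaults documented in this section for any directive that is absent or commented out, and flags IPTABLES_SAVE_ON_STOP/IPTABLES_SAVE_ON_RESTART set to yes, since with those settings whatever rules are in memory at stop or restart time silently become the persisted policy in /etc/sysconfig/iptables. It assumes the file's usual NAME="value" line format and works on a constructed sample so it runs offline.

```shell
#!/bin/sh
# Added example, not from the guide: audit the effective iptables-config
# settings using the defaults listed in Section 18.5.1.

# Constructed sample of /etc/sysconfig/iptables-config (not a real file).
SAMPLE_CONFIG='# Additional modules to load
IPTABLES_MODULES="ip_conntrack_ftp"
# Persist whatever is in memory at stop time
IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_STATUS_NUMERIC="no"
'

# effective_value FILE DIRECTIVE DEFAULT
# Prints the last uncommented value of DIRECTIVE in FILE (quotes stripped),
# or DEFAULT when the directive is absent or commented out.
effective_value() {
    value=$(grep "^$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//; s/^"//; s/"$//')
    if [ -n "$value" ]; then printf '%s\n' "$value"; else printf '%s\n' "$3"; fi
}

# report FILE: prints DIRECTIVE=value for every documented directive,
# filling in the guide's defaults (MODULES has no default, hence empty).
report() {
    for spec in IPTABLES_MODULES: IPTABLES_MODULES_UNLOAD:yes \
                IPTABLES_SAVE_ON_STOP:no IPTABLES_SAVE_ON_RESTART:no \
                IPTABLES_SAVE_COUNTER:no IPTABLES_STATUS_NUMERIC:yes; do
        name=${spec%%:*}; default=${spec#*:}
        printf '%s=%s\n' "$name" "$(effective_value "$1" "$name" "$default")"
    done
}

# audit FILE: returns 1 if a stop or restart would overwrite the saved rules
# with the in-memory rule set (ad-hoc runtime edits, or a hand-flushed set,
# would then become the persisted policy); returns 0 otherwise.
audit() {
    rc=0
    for d in IPTABLES_SAVE_ON_STOP IPTABLES_SAVE_ON_RESTART; do
        if [ "$(effective_value "$1" "$d" no)" = "yes" ]; then
            echo "WARNING: $d=yes: runtime rules overwrite /etc/sysconfig/iptables"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demonstration on the constructed sample.
CONF=$(mktemp); printf '%s' "$SAMPLE_CONFIG" > "$CONF"
report "$CONF"
audit "$CONF" || echo "review needed before the next service iptables stop"
rm -f "$CONF"
```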

Published under the terms of the GNU General Public License.