2.8.9.4. IPTables Control Scripts


There are two basic methods for controlling iptables in Red Hat Enterprise Linux:
  • Firewall Configuration Tool (system-config-firewall) — A graphical interface for creating, activating, and saving basic firewall rules. Refer to Section 2.8.2, “Basic Firewall Configuration” for more information.
  • /sbin/service iptables <option> — Used to manipulate various functions of iptables using its initscript. The following options are available:
    • start — If a firewall is configured (that is, /etc/sysconfig/iptables exists), all running iptables are stopped completely and then started using the /sbin/iptables-restore command. This option only works if the ipchains kernel module is not loaded. To check if this module is loaded, type the following command as root:
      ~]# lsmod | grep ipchains
      If this command returns no output, it means the module is not loaded. If necessary, use the /sbin/rmmod command to remove the module.
    • stop — If a firewall is running, the firewall rules in memory are flushed, and all iptables modules and helpers are unloaded.
      If the IPTABLES_SAVE_ON_STOP directive in the /etc/sysconfig/iptables-config configuration file is changed from its default value to yes, current rules are saved to /etc/sysconfig/iptables and any existing rules are moved to the file /etc/sysconfig/iptables.save.
      Refer to Section 2.8.9.4.1, “IPTables Control Scripts Configuration File” for more information about the iptables-config file.
    • reload — If a firewall is running, the firewall rules are reloaded from the configuration file. The reload command does not unload helpers that have been in use before, but will add new helpers that have been added to IPTABLES_MODULES (for IPv4) and IP6TABLES_MODULES (for IPv6). The advantage of not flushing the current firewall rules is that if the new rules cannot be applied, because of an error in the rules, the old rules are still in place.
    • restart — If a firewall is running, the firewall rules in memory are flushed, and the firewall is started again if it is configured in /etc/sysconfig/iptables. This option only works if the ipchains kernel module is not loaded.
      If the IPTABLES_SAVE_ON_RESTART directive in the /etc/sysconfig/iptables-config configuration file is changed from its default value to yes, current rules are saved to /etc/sysconfig/iptables and any existing rules are moved to the file /etc/sysconfig/iptables.save.
      Refer to Section 2.8.9.4.1, “IPTables Control Scripts Configuration File” for more information about the iptables-config file.
    • status — Displays the status of the firewall and lists all active rules.
      The default configuration for this option displays IP addresses in each rule. To display domain and hostname information, edit the /etc/sysconfig/iptables-config file and change the value of IPTABLES_STATUS_NUMERIC to no. Refer to Section 2.8.9.4.1, “IPTables Control Scripts Configuration File” for more information about the iptables-config file.
    • panic — Flushes all firewall rules. The policy of all configured tables is set to DROP.
      This option could be useful if a server is known to be compromised. Rather than physically disconnecting from the network or shutting down the system, you can use this option to stop all further network traffic but leave the machine in a state ready for analysis or other forensics.
    • save — Saves firewall rules to /etc/sysconfig/iptables using iptables-save. Refer to Section 2.8.9.3, “Saving IPTables Rules” for more information.

Note

To use the same initscript commands to control netfilter for IPv6, substitute ip6tables for iptables in the /sbin/service commands listed in this section. For more information about IPv6 and netfilter, see Section 2.8.9.6, “IPTables and IPv6”.
2.8.9.4.1. IPTables Control Scripts Configuration File
The behavior of the iptables initscripts is controlled by the /etc/sysconfig/iptables-config configuration file. The following is a list of directives contained in this file:
  • IPTABLES_MODULES — Specifies a space-separated list of additional iptables modules to load when a firewall is activated. These can include connection tracking and NAT helpers.
  • IPTABLES_MODULES_UNLOAD — Unloads modules on restart and stop. This directive accepts the following values:
    • yes — The default value. This option must be set to achieve a correct state for a firewall restart or stop.
    • no — This option should only be set if there are problems unloading the netfilter modules.
  • IPTABLES_SAVE_ON_STOP — Saves current firewall rules to /etc/sysconfig/iptables when the firewall is stopped. This directive accepts the following values:
    • yes — Saves existing rules to /etc/sysconfig/iptables when the firewall is stopped, moving the previous version to the /etc/sysconfig/iptables.save file.
    • no — The default value. Does not save existing rules when the firewall is stopped.
  • IPTABLES_SAVE_ON_RESTART — Saves current firewall rules when the firewall is restarted. This directive accepts the following values:
    • yes — Saves existing rules to /etc/sysconfig/iptables when the firewall is restarted, moving the previous version to the /etc/sysconfig/iptables.save file.
    • no — The default value. Does not save existing rules when the firewall is restarted.
  • IPTABLES_SAVE_COUNTER — Saves and restores all packet and byte counters in all chains and rules. This directive accepts the following values:
    • yes — Saves the counter values.
    • no — The default value. Does not save the counter values.
  • IPTABLES_STATUS_NUMERIC — Outputs IP addresses in numeric form instead of domain or hostnames. This directive accepts the following values:
    • yes — The default value. Returns only IP addresses within a status output.
    • no — Returns domain or hostnames within a status output.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.