2.8.9.4. IPTables Control Scripts
There are two basic methods for controlling iptables in Red Hat Enterprise Linux:
- Firewall Configuration Tool (system-config-firewall) — A graphical interface for creating, activating, and saving basic firewall rules. Refer to Section 2.8.2, “Basic Firewall Configuration” for more information.
- /sbin/service iptables <option> — Used to manipulate various functions of iptables using its initscript. The following options are available:
  - start — If a firewall is configured (that is, /etc/sysconfig/iptables exists), all running iptables are stopped completely and then started using the /sbin/iptables-restore command. This option only works if the ipchains kernel module is not loaded. To check if this module is loaded, type the following command as root:

        ~]# lsmod | grep ipchains

    If this command returns no output, it means the module is not loaded. If necessary, use the /sbin/rmmod command to remove the module.
  - stop — If a firewall is running, the firewall rules in memory are flushed, and all iptables modules and helpers are unloaded. If the IPTABLES_SAVE_ON_STOP directive in the /etc/sysconfig/iptables-config configuration file is changed from its default value to yes, current rules are saved to /etc/sysconfig/iptables and any existing rules are moved to the file /etc/sysconfig/iptables.save. Refer to Section 2.8.9.4.1, “IPTables Control Scripts Configuration File” for more information about the iptables-config file.
  - reload — If a firewall is running, the firewall rules are reloaded from the configuration file. The reload command does not unload helpers that have been in use before, but will add new helpers that have been added to IPTABLES_MODULES (for IPv4) and IP6TABLES_MODULES (for IPv6). The advantage of not flushing the current firewall rules is that if the new rules cannot be applied, because of an error in the rules, the old rules are still in place.
  - restart — If a firewall is running, the firewall rules in memory are flushed, and the firewall is started again if it is configured in /etc/sysconfig/iptables. This option only works if the ipchains kernel module is not loaded. If the IPTABLES_SAVE_ON_RESTART directive in the /etc/sysconfig/iptables-config configuration file is changed from its default value to yes, current rules are saved to /etc/sysconfig/iptables and any existing rules are moved to the file /etc/sysconfig/iptables.save. Refer to Section 2.8.9.4.1, “IPTables Control Scripts Configuration File” for more information about the iptables-config file.
  - status — Displays the status of the firewall and lists all active rules. The default configuration for this option displays IP addresses in each rule. To display domain and hostname information, edit the /etc/sysconfig/iptables-config file and change the value of IPTABLES_STATUS_NUMERIC to no. Refer to Section 2.8.9.4.1, “IPTables Control Scripts Configuration File” for more information about the iptables-config file.
  - panic — Flushes all firewall rules. The policy of all configured tables is set to DROP. This option could be useful if a server is known to be compromised. Rather than physically disconnecting from the network or shutting down the system, you can use this option to stop all further network traffic but leave the machine in a state ready for analysis or other forensics.
  - save — Saves firewall rules to /etc/sysconfig/iptables using iptables-save. Refer to Section 2.8.9.3, “Saving IPTables Rules” for more information.
Note
To use the same initscript commands to control netfilter for IPv6, substitute ip6tables for iptables in the /sbin/service commands listed in this section. For more information about IPv6 and netfilter, see Section 2.8.9.6, “IPTables and IPv6”.
2.8.9.4.1. IPTables Control Scripts Configuration File
The behavior of the iptables initscripts is controlled by the /etc/sysconfig/iptables-config configuration file. The following is a list of directives contained in this file:
- IPTABLES_MODULES — Specifies a space-separated list of additional iptables modules to load when a firewall is activated. These can include connection tracking and NAT helpers.
- IPTABLES_MODULES_UNLOAD — Unloads modules on restart and stop. This directive accepts the following values:
  - yes — The default value. This option must be set to achieve a correct state for a firewall restart or stop.
  - no — This option should only be set if there are problems unloading the netfilter modules.
- IPTABLES_SAVE_ON_STOP — Saves current firewall rules to /etc/sysconfig/iptables when the firewall is stopped. This directive accepts the following values:
  - yes — Saves existing rules to /etc/sysconfig/iptables when the firewall is stopped, moving the previous version to the /etc/sysconfig/iptables.save file.
  - no — The default value. Does not save existing rules when the firewall is stopped.
- IPTABLES_SAVE_ON_RESTART — Saves current firewall rules when the firewall is restarted. This directive accepts the following values:
  - yes — Saves existing rules to /etc/sysconfig/iptables when the firewall is restarted, moving the previous version to the /etc/sysconfig/iptables.save file.
  - no — The default value. Does not save existing rules when the firewall is restarted.
- IPTABLES_SAVE_COUNTER — Saves and restores all packet and byte counters in all chains and rules. This directive accepts the following values:
  - yes — Saves the counter values.
  - no — The default value. Does not save the counter values.
- IPTABLES_STATUS_NUMERIC — Outputs IP addresses in numeric form instead of domain or hostnames. This directive accepts the following values:
  - yes — The default value. Returns only IP addresses within a status output.
  - no — Returns domain or hostnames within a status output.
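The initscript options above and the iptables-config directives in this section together, as an added shell example that is not part of the Red Hat guide or of the initscript itself: it parses a constructed iptables-config file, fills in the defaults the guide documents for any directive that is absent, spells out what the stop action would do under those settings (save, flush, unload), and performs the ipchains check that gates start and restart against sample lsmod output. The temporary file path, the function names (effective_value, ipchains_loaded, stop_plan, report) and the sample values are assumptions; on a real host the config file is /etc/sysconfig/iptables-config and the module check is lsmod | grep ipchains.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide. It parses an iptables-config
# file using the directive defaults the guide documents and predicts what
# the initscript's "stop" action would do, plus the ipchains check that gates
# "start" and "restart". All function names and sample values are assumed.

# Constructed sample config (stands in for /etc/sysconfig/iptables-config).
SAMPLE_CFG="${TMPDIR:-/tmp}/iptables-config.sample.$$"
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample: only some directives are set explicitly
IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp"
IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_STATUS_NUMERIC="no"
EOF

# effective_value FILE DIRECTIVE DEFAULT
# Prints the value DIRECTIVE has in FILE (last assignment wins, quotes
# stripped) or DEFAULT when the directive is absent or empty. The file is
# parsed with sed rather than sourced, so no shell code in it is executed.
effective_value() {
    file=$1; key=$2; default=$3
    val=$(sed -n "s/^[[:space:]]*$key=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$file" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# ipchains_loaded LSMOD_OUTPUT
# Returns 0 when the ipchains module appears in the given lsmod output.
# The guide's "start" and "restart" actions only work when it does not.
ipchains_loaded() {
    printf '%s\n' "$1" | grep -q '^ipchains[[:space:]]'
}

# stop_plan FILE
# Describes, in order, what "service iptables stop" does under FILE's
# settings: optional save, flush, optional module unload.
stop_plan() {
    file=$1
    plan="flush rules"
    if [ "$(effective_value "$file" IPTABLES_SAVE_ON_STOP no)" = yes ]; then
        plan="save rules to /etc/sysconfig/iptables (previous copy to iptables.save); $plan"
    fi
    if [ "$(effective_value "$file" IPTABLES_MODULES_UNLOAD yes)" = yes ]; then
        plan="$plan; unload iptables modules and helpers"
    fi
    printf '%s\n' "$plan"
}

# report FILE
# Prints every directive the guide lists with its effective value.
report() {
    file=$1
    for entry in IPTABLES_MODULES: IPTABLES_MODULES_UNLOAD:yes \
                 IPTABLES_SAVE_ON_STOP:no IPTABLES_SAVE_ON_RESTART:no \
                 IPTABLES_SAVE_COUNTER:no IPTABLES_STATUS_NUMERIC:yes; do
        key=${entry%%:*}; default=${entry#*:}
        printf '%-26s %s\n' "$key" "$(effective_value "$file" "$key" "$default")"
    done
}

report "$SAMPLE_CFG"
printf 'stop would: %s\n' "$(stop_plan "$SAMPLE_CFG")"
# Constructed lsmod output; on a real host use: lsmod | grep ipchains
if ipchains_loaded "ip_tables               12345  0"; then
    echo "ipchains loaded: start/restart will refuse to run"
else
    echo "ipchains not loaded: start/restart can proceed"
fi
```

The config is read with sed instead of being sourced, because /etc/sysconfig/iptables-config is shell syntax and sourcing it would execute anything written into it; a reporting tool should not need that. The report makes the two save directives visible at a glance, which matters because with the defaults (no) a stop or restart discards any rule added at run time with iptables that was never written with service iptables save.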