このコンテンツは選択した言語では利用できません。
18.5. iptables Control Scripts
There are two basic methods for controlling
iptables under Red Hat Enterprise Linux:
- Security Level Configuration Tool (
system-config-securitylevel) — A graphical interface for creating, activating, and saving basic firewall rules. For more information about how to use this tool, refer to the chapter titled Basic Firewall Configuration in the System Administrators Guide. /sbin/service iptables <option>— A command issued by the root user capable of activating, deactivating, and performing other functions ofiptablesvia its initscript. Replace <option> in the command with one of the following directives:start— If a firewall is configured (meaning/etc/sysconfig/iptablesexists), all runningiptablesare stopped completely and then started using the/sbin/iptables-restorecommand. Thestartdirective only works if theipchainskernel module is not loaded.stop— If a firewall is running, the firewall rules in memory are flushed, and all iptables modules and helpers are unloaded.If theIPTABLES_SAVE_ON_STOPdirective within the/etc/sysconfig/iptables-configconfiguration file is changed from its default value toyes, current rules are saved to/etc/sysconfig/iptablesand any existing rules are moved to the file/etc/sysconfig/iptables.save.Refer to Section 18.5.1, “iptablesControl Scripts Configuration File” for more information about theiptables-configfile.restart— If a firewall is running, the firewall rules in memory are flushed, and the firewall is started again if it is configured in/etc/sysconfig/iptables. Therestartdirective only works if theipchainskernel module is not loaded.If theIPTABLES_SAVE_ON_RESTARTdirective within the/etc/sysconfig/iptables-configconfiguration file is changed from its default value toyes, current rules are saved to/etc/sysconfig/iptablesand any existing rules are moved to the file/etc/sysconfig/iptables.save.Refer to Section 18.5.1, “iptablesControl Scripts Configuration File” for more information about theiptables-configfile.status— Prints to the shell prompt the status of the firewall and a list of all active rules. If no firewall rules are loaded or configured, it indicates this fact.A listing of active rules containing IP addresses within rule lists unless the default value forIPTABLES_STATUS_NUMERICis changed tonowithin the/etc/sysconfig/iptables-configconfiguration file. This change would revert status output to domain and hostname information. Refer to Section 18.5.1, “iptablesControl Scripts Configuration File” for more information about theiptables-configfile.panic— Flushes all firewall rules. The policy of all configured tables is set toDROP.save— Saves firewall rules to/etc/sysconfig/iptablesusingiptables-save. Refer to Section 18.4, “SavingiptablesRules” for more information.
Note
To use the same initscript commands to control netfilter for IPv6, substitute
ip6tables for iptables in the /sbin/service commands listed in this section. For more information about IPv6 and netfilter, refer to Section 18.6, “ip6tables and IPv6”.
18.5.1. iptables Control Scripts Configuration File
The behavior of the
iptables initscripts is controlled by the /etc/sysconfig/iptables-config configuration file. The following is a list of directives contained within this file:
IPTABLES_MODULES— Specifies a space-separated list of additionaliptablesmodules to load when a firewall is activated. These can include connection tracking and NAT helpers.IPTABLES_MODULES_UNLOAD— Unloads modules on restart and stop. This directive accepts the following values:yes— The default value. This option must be set to achieve a correct state for a firewall restart or stop.no— This option should only be set if there are problems unloading the netfilter modules.
IPTABLES_SAVE_ON_STOP— Saves current firewall rules to/etc/sysconfig/iptableswhen the firewall is stopped. This directive accepts the following values:yes— Saves existing rules to/etc/sysconfig/iptableswhen the firewall is stopped, moving the previous version to the/etc/sysconfig/iptables.savefile.no— The default value. Does not save existing rules when the firewall is stopped.
IPTABLES_SAVE_ON_RESTART— Saves current firewall rules when the firewall is restarted. This directive accepts the following values:yes— Saves existing rules to/etc/sysconfig/iptableswhen the firewall is restarted, moving the previous version to the/etc/sysconfig/iptables.savefile.no— The default value. Does not save existing rules when the firewall is restarted.
IPTABLES_SAVE_COUNTER— Saves and restores all packet and byte counters in all chains and rules. This directive accepts the following values:yes— Saves the counter values.no— The default value. Does not save the counter values.
IPTABLES_STATUS_NUMERIC— Outputs IP addresses in a status output instead of domain or hostnames. This directive accepts the following values:yes— The default value. Returns only IP addresses within a status output.no— Returns domain or hostnames within a status output.
