Chapter 17. iptables

17.5. iptables Control Scripts

There are two basic methods for controlling iptables under Red Hat Enterprise Linux:

• Security Level Configuration Tool (redhat-config-securitylevel) — A graphical interface for creating, activating, and saving basic firewall rules. For more information about how to use this tool, refer to the chapter titled Basic Firewall Configuration in the Red Hat Enterprise Linux System Administration Guide.

• /sbin/service iptables option — A command issued by the root user capable of activating, deactivating, and performing other functions of iptables via its initscript. Replace option in the command with one of the following directives:

  • start — If a firewall is configured (meaning /etc/sysconfig/iptables exists), all running iptables are stopped completely and then started using the /sbin/iptables-restore command. The start directive will only work if the ipchains kernel module is not loaded.

  • stop — If a firewall is running, the firewall rules in memory are flushed, and all iptables modules and helpers are unloaded.

    If the IPTABLES_SAVE_ON_STOP directive within the /etc/sysconfig/iptables-config configuration file is changed from its default value to yes, current rules are saved to /etc/sysconfig/iptables and any existing rules are moved to the file /etc/sysconfig/iptables.save.

    Refer to Section 17.5.1 iptables Control Scripts Configuration File for more information about the iptables-config file.

  • restart — If a firewall is running, the firewall rules in memory are flushed, and the firewall is started again if it is configured in /etc/sysconfig/iptables. The restart directive will only work if the ipchains kernel module is not loaded.

    If the IPTABLES_SAVE_ON_RESTART directive within the /etc/sysconfig/iptables-config configuration file is changed from its default value to yes, current rules are saved to /etc/sysconfig/iptables and any existing rules are moved to the file /etc/sysconfig/iptables.save.

    Refer to Section 17.5.1 iptables Control Scripts Configuration File for more information about the iptables-config file.

  • status — Prints to the shell prompt the status of the firewall and a list of all active rules. If no firewall rules are loaded or configured, it indicates this fact.

    The listing of active rules contains domain and hostnames within the rules unless the default value for IPTABLES_STATUS_NUMERIC is changed to yes within the /etc/sysconfig/iptables-config configuration file. Refer to Section 17.5.1 iptables Control Scripts Configuration File for more information about the iptables-config file.

  • panic — Flushes all firewall rules. The policy of all configured tables is set to DROP.

  • save — Saves firewall rules to /etc/sysconfig/iptables using iptables-save. Refer to Section 17.4 Saving iptables Rules for more information about saving firewall rules.

Tip

To use the same initscript commands to control netfilter for IPv6, substitute ip6tables for iptables in the /sbin/service commands listed in this section. For more information about IPv6 and netfilter, refer to Section 17.6 ip6tables and IPv6.
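
As an added example (not code from the Red Hat guide), the following read-only shell script reports how the stop, restart and status directives will behave for a given iptables-config file; this matters because a yes setting lets a stop or restart replace the saved ruleset with whatever is in memory at that moment. The function names and the sample file are constructed for illustration, and an unset option is assumed to default to no, as the text implies.

```sh
#!/bin/sh
# Added example (not from the guide): predict what the initscript directives
# above will do on a host by reading an iptables-config file. Read-only.

# cfg_value FILE KEY -> last uncommented KEY=value in FILE, quotes stripped.
# Falls back to "no" when unset (assumed default, as the text implies).
cfg_value() {
    val=$(sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" \
        "$1" 2>/dev/null | tail -n 1)
    echo "${val:-no}"
}

# audit_config FILE -> one line per directive whose behaviour the file changes.
audit_config() {
    for d in STOP RESTART; do
        name=$(echo "$d" | tr 'A-Z' 'a-z')
        if [ "$(cfg_value "$1" "IPTABLES_SAVE_ON_$d")" = yes ]; then
            echo "$name: saves in-memory rules over /etc/sysconfig/iptables; old file moved to iptables.save"
        else
            echo "$name: flushes in-memory rules without saving them"
        fi
    done
    if [ "$(cfg_value "$1" IPTABLES_STATUS_NUMERIC)" = yes ]; then
        echo "status: numeric rule listing"
    else
        echo "status: rule listing shows domain and hostnames"
    fi
}

# Constructed sample file for the demonstration (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Save current rules on stop?
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="yes"
#IPTABLES_STATUS_NUMERIC="yes"
EOF
audit_config "$sample"
rm -f "$sample"
```

On a real system, call audit_config with /etc/sysconfig/iptables-config as its argument before issuing a stop or restart.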