There are two methods of controlling iptables in Red Hat Enterprise Linux:
Firewall Configuration Tool (system-config-firewall) — A graphical interface for creating, activating, and saving basic firewall rules. Refer to Section 2.5.2, “Basic Firewall Configuration” for more information.
/sbin/service iptables <option> — Used to manipulate various functions of iptables using its initscript. The following options are available:
start — If a firewall is configured (that is, /etc/sysconfig/iptables exists), all running iptables are stopped completely and then started using the /sbin/iptables-restore command. This option only works if the ipchains kernel module is not loaded. To check if this module is loaded, type the following command as root:
    [root@MyServer ~]# lsmod | grep ipchains
If this command produces no output, the module is not loaded. If it is loaded, use the /sbin/rmmod command to remove the module.
stop — If a firewall is running, the firewall rules in memory are flushed, and all iptables modules and helpers are unloaded.
If the IPTABLES_SAVE_ON_STOP directive in the /etc/sysconfig/iptables-config configuration file is changed from its default value to yes, current rules are saved to /etc/sysconfig/iptables and any existing rules are moved to the file /etc/sysconfig/iptables.save.
Refer to Section 2.6.4.1, “IPTables Control Scripts Configuration File” for more information about the iptables-config file.
restart — If a firewall is running, the firewall rules in memory are flushed, and the firewall is started again if it is configured in /etc/sysconfig/iptables. This option only works if the ipchains kernel module is not loaded.
If the IPTABLES_SAVE_ON_RESTART directive in the /etc/sysconfig/iptables-config configuration file is changed from its default value to yes, current rules are saved to /etc/sysconfig/iptables and any existing rules are moved to the file /etc/sysconfig/iptables.save.
Refer to Section 2.6.4.1, “IPTables Control Scripts Configuration File” for more information about the iptables-config file.
status — Displays the status of the firewall and lists all active rules.
By default, this option displays IP addresses in each rule. To display domain or hostnames instead, edit the /etc/sysconfig/iptables-config file and change the value of IPTABLES_STATUS_NUMERIC to no. Refer to Section 2.6.4.1, “IPTables Control Scripts Configuration File” for more information about the iptables-config file.
panic — Flushes all firewall rules. The policy of all configured tables is set to DROP.
save — Saves firewall rules to /etc/sysconfig/iptables using iptables-save. Refer to Section 2.6.3, “Saving IPTables Rules” for more information.
To use the same initscript commands to control netfilter for IPv6, substitute ip6tables for iptables in the /sbin/service commands listed in this section. For more information about IPv6 and netfilter, refer to Section 2.6.5, “IPTables and IPv6”.
The behavior of the iptables initscripts is controlled by the /etc/sysconfig/iptables-config configuration file. The following is a list of directives contained in this file:
IPTABLES_MODULES — Specifies a space-separated list of additional iptables modules to load when a firewall is activated. These can include connection tracking and NAT helpers.
IPTABLES_MODULES_UNLOAD — Unloads modules on restart and stop. This directive accepts the following values:
yes — The default value. This option must be set to achieve a correct state for a firewall restart or stop.
no — This option should only be set if there are problems unloading the netfilter modules.
IPTABLES_SAVE_ON_STOP — Saves current firewall rules to /etc/sysconfig/iptables when the firewall is stopped. This directive accepts the following values:
yes — Saves existing rules to /etc/sysconfig/iptables when the firewall is stopped, moving the previous version to the /etc/sysconfig/iptables.save file.
no — The default value. Does not save existing rules when the firewall is stopped.
IPTABLES_SAVE_ON_RESTART — Saves current firewall rules when the firewall is restarted. This directive accepts the following values:
yes — Saves existing rules to /etc/sysconfig/iptables when the firewall is restarted, moving the previous version to the /etc/sysconfig/iptables.save file.
no — The default value. Does not save existing rules when the firewall is restarted.
IPTABLES_SAVE_COUNTER — Saves and restores all packet and byte counters in all chains and rules. This directive accepts the following values:
yes — Saves the counter values.
no — The default value. Does not save the counter values.
IPTABLES_STATUS_NUMERIC — Outputs IP addresses in numeric form instead of domain or hostnames. This directive accepts the following values:
yes — The default value. Returns only IP addresses within a status output.
no — Returns domain or hostnames within a status output.
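As an added example (not from the Red Hat guide), the following POSIX shell script reads the directives listed above from an iptables-config style file, applies the documented defaults where a directive is absent, and flags the settings that change what the stop and restart options write to /etc/sysconfig/iptables. The sample file contents, the temporary file and the cfg_get and audit_config helpers are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the RHEL guide: read the documented directives from an
# iptables-config style file, apply the documented defaults where a directive is
# absent, and flag settings that change what stop/restart write to the rules file.

# write_sample FILE: constructed sample in the real file's sh-variable format.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample of /etc/sysconfig/iptables-config
IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp"
IPTABLES_MODULES_UNLOAD="no"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_STOP="yes"   # the last assignment wins, as when the file is sourced
# IPTABLES_SAVE_ON_RESTART is absent, so the default (no) applies
IPTABLES_SAVE_COUNTER="yes"
IPTABLES_STATUS_NUMERIC="no"
EOF
}

# cfg_get FILE NAME DEFAULT: print the value of the last NAME="value" line
# (comment lines ignored); print DEFAULT when NAME is unset or empty.
cfg_get() {
    v=$(sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1)
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$3"
}

# audit_config FILE: print the effective value of each directive, then a
# WARN/NOTE line for each setting a defender should be aware of. Always
# returns 0; callers count the WARN lines.
audit_config() {
    f=$1
    modules=$(cfg_get "$f" IPTABLES_MODULES '')
    unload=$(cfg_get "$f" IPTABLES_MODULES_UNLOAD yes)
    on_stop=$(cfg_get "$f" IPTABLES_SAVE_ON_STOP no)
    on_restart=$(cfg_get "$f" IPTABLES_SAVE_ON_RESTART no)
    counter=$(cfg_get "$f" IPTABLES_SAVE_COUNTER no)
    numeric=$(cfg_get "$f" IPTABLES_STATUS_NUMERIC yes)
    printf 'IPTABLES_MODULES=%s\nIPTABLES_MODULES_UNLOAD=%s\n' "$modules" "$unload"
    printf 'IPTABLES_SAVE_ON_STOP=%s\nIPTABLES_SAVE_ON_RESTART=%s\n' "$on_stop" "$on_restart"
    printf 'IPTABLES_SAVE_COUNTER=%s\nIPTABLES_STATUS_NUMERIC=%s\n' "$counter" "$numeric"
    [ "$on_stop" = yes ] && echo "WARN: stop rewrites /etc/sysconfig/iptables from the in-memory rules (old copy -> iptables.save)"
    [ "$on_restart" = yes ] && echo "WARN: restart rewrites /etc/sysconfig/iptables from the in-memory rules"
    [ "$unload" = no ] && echo "WARN: netfilter modules stay loaded across stop/restart; meant only as a workaround"
    [ "$numeric" = no ] && echo "NOTE: status output shows hostnames instead of numeric addresses"
    return 0
}

# Usage: run the audit over the constructed sample.
tmp=$(mktemp) && write_sample "$tmp" && audit_config "$tmp"; rm -f "$tmp"
```

Point write_sample's output path at a copy of the real /etc/sysconfig/iptables-config to audit a live host; the WARN lines mark directives whose value differs from the defaults in a way that changes what gets persisted.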