Installation guide

Chapter 13. Firewalls and iptables 175
--log-prefix — Places a string before the log line when it is written. Accepts up to 29 characters after the --log-prefix option. This is useful for writing syslog filters for use in conjunction with packet logging.
--log-tcp-options — Logs any options set in the header of a TCP packet.
--log-tcp-sequence — Writes the TCP sequence number for the packet in the log.
REJECT — Sends an error packet back to the system which sent the packet, and then drops the packet. This target is useful if you would like to notify the system sending the matching packet of the problem.
The REJECT target accepts a --reject-with <type> option, which allows more detailed information to be sent with the error packet. The message port-unreachable is the default <type> error given if no other option is used. For a full list of <type> options that can be used, see the iptables man page.
Other target extensions, including several that are useful with masquerading using the nat table or
with packet alteration using the mangle table, can be found in the iptables man page.
13.3.7. Listing Options
The default list command, iptables -L, provides a very basic overview of the default filter table’s
current chains. Additional options provide more information and arrange that information in specific
ways:
-v — Displays verbose output, such as the number of packets and bytes each chain has seen, the number of packets and bytes each rule has matched, and which interfaces apply to a particular rule.
-x — Expands numbers into their exact values. On a busy system, the number of packets and bytes seen by a particular chain or rule may be abbreviated using K (thousands), M (millions), and G (billions) at the end of the number. This option forces the full number to be displayed.
-n — Displays IP addresses and port numbers in numeric format, rather than the default hostname and network service format.
--line-numbers — Lists rules in each chain next to their numeric order in the chain. This option is useful when attempting to delete a specific rule in a chain, or to locate where to insert a rule within a chain.
13.4. Storing iptables Information
Rules created with the iptables command are stored in RAM only. If you restart your system after setting up iptables rules, they will be lost. For netfilter rules to persist across a system reboot, you need to save them to the /etc/sysconfig/iptables file.
To do this, type the /sbin/service iptables save command as the root user. This causes the
iptables init script to run the /sbin/iptables-save program and write the current iptables
configuration to the /etc/sysconfig/iptables file. This file should only be readable by root, so
your packet filtering rules are not viewable by average users.
The next time the system boots, the iptables init script will reapply the rules saved in
/etc/sysconfig/iptables by using the /sbin/iptables-restore command.
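As an added example (not from the guide), a small Python audit of a saved ruleset in the format that /sbin/iptables-save writes to /etc/sysconfig/iptables: it parses the file, numbers rules in each chain the way --line-numbers does, lists the REJECT rules with their --reject-with type, and flags LOG rules whose --log-prefix exceeds the 29-character limit described above. The sample ruleset is constructed.

```python
import shlex

# Constructed sample of an /etc/sysconfig/iptables file (iptables-save format), not from the guide.
SAMPLE_SAVE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j LOG --log-prefix "telnet attempt blocked by firewall: " --log-tcp-options
-A INPUT -p tcp -m tcp --dport 23 -j REJECT --reject-with tcp-reset
-A INPUT -j LOG --log-prefix "DROPPED: "
COMMIT
"""
LOG_PREFIX_LIMIT = 29  # maximum --log-prefix length stated in the guide

def parse_iptables_save(text):
    """Return {table: {chain: [rule_tokens, ...]}}; rule index + 1 is the
    number that iptables -L --line-numbers reports for that chain."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                    # "*filter": start of a table block
            table = tables.setdefault(line[1:], {})
        elif line == "COMMIT":                      # end of the current table block
            table = None
        elif line.startswith(":"):                  # ":CHAIN POLICY [pkts:bytes]"
            table.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            tokens = shlex.split(line)              # keeps the quoted --log-prefix intact
            table.setdefault(tokens[1], []).append(tokens[2:])
    return tables

def find_rules(tables, target):
    """Yield (table, chain, rule_number, tokens) for rules that jump to `target`."""
    for tname, chains in tables.items():
        for cname, rules in chains.items():
            for num, tokens in enumerate(rules, start=1):
                if "-j" in tokens and tokens[tokens.index("-j") + 1] == target:
                    yield tname, cname, num, tokens

def log_prefix_violations(tables, limit=LOG_PREFIX_LIMIT):
    """Return (table, chain, rule_number, prefix) for LOG rules whose prefix exceeds `limit`."""
    return [(t, c, n, tok[tok.index("--log-prefix") + 1])
            for t, c, n, tok in find_rules(tables, "LOG")
            if "--log-prefix" in tok and len(tok[tok.index("--log-prefix") + 1]) > limit]
```

Run it against a real saved file by reading /etc/sysconfig/iptables instead of SAMPLE_SAVE; the rule numbers it reports are the ones to pass to iptables -D when removing a rule.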
While it is always a good idea to test a new iptables rule before committing it to the
/etc/sysconfig/iptables file, it is possible to copy iptables rules into this file from another