User guide
Chapter 2. Securing Your Network
92
Note
Note the difference between the iptables command (/sbin/iptables), which is used to
manipulate the tables and chains that constitute the iptables functionality, and the iptables
service (/sbin/service iptables), which is used to enable and disable the iptables
service itself.
2.6.4. IPTables Control Scripts
There are two basic methods for controlling iptables in Red Hat Enterprise Linux:
• Firewall Configuration Tool (system-config-firewall) — A graphical interface for creating,
activating, and saving basic firewall rules. Refer to Section 2.5.2, “Basic Firewall Configuration” for
more information.
• /sbin/service iptables <option> — Used to manipulate various functions of iptables
using its initscript. The following options are available:
• start — If a firewall is configured (that is, /etc/sysconfig/iptables exists), all running
iptables are stopped completely and then started using the /sbin/iptables-restore
command. This option only works if the ipchains kernel module is not loaded. To check if this
module is loaded, type the following command as root:
[root@MyServer ~]# lsmod | grep ipchains
If this command returns no output, it means the module is not loaded. If necessary, use the
/sbin/rmmod command to remove the module.
• stop — If a firewall is running, the firewall rules in memory are flushed, and all iptables modules
and helpers are unloaded.
If the IPTABLES_SAVE_ON_STOP directive in the /etc/sysconfig/iptables-config
configuration file is changed from its default value to yes, current rules are saved to
/etc/sysconfig/iptables and any existing rules are moved to the file
/etc/sysconfig/iptables.save.
Refer to Section 2.6.4.1, “IPTables Control Scripts Configuration File” for more information about
the iptables-config file.
• restart — If a firewall is running, the firewall rules in memory are flushed, and the firewall is
started again if it is configured in /etc/sysconfig/iptables. This option only works if the
ipchains kernel module is not loaded.
If the IPTABLES_SAVE_ON_RESTART directive in the /etc/sysconfig/iptables-config
configuration file is changed from its default value to yes, current rules are saved to
/etc/sysconfig/iptables and any existing rules are moved to the file
/etc/sysconfig/iptables.save.
Refer to Section 2.6.4.1, “IPTables Control Scripts Configuration File” for more information about
the iptables-config file.
• status — Displays the status of the firewall and lists all active rules.
The default configuration for this option displays IP addresses in each rule. To display domain
and hostname information, edit the /etc/sysconfig/iptables-config file and change the
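The stop and restart options above only persist the in-memory ruleset when IPTABLES_SAVE_ON_STOP or IPTABLES_SAVE_ON_RESTART is set to yes, which is worth confirming before stopping the service on a host whose live rules may differ from the saved ones. The following script is an added example, not part of the Red Hat guide: it reads those two directives from an iptables-config style file (assumed to use DIRECTIVE="value" lines, with a default of no when a directive is absent or commented out) and reports what the initscript would do to /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: inspect an iptables-config style
# file and report whether "service iptables stop" or "restart" would write the
# rules currently in memory over /etc/sysconfig/iptables (moving the previous
# ruleset to iptables.save). A missing or commented-out directive means "no".

# Print the effective value of one directive (last uncommented assignment wins).
# Usage: iptables_config_value DIRECTIVE FILE
iptables_config_value() {
    value=$(sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([A-Za-z]*\)[\"']\{0,1\}.*/\1/p" "$2" | tail -n 1)
    # Normalise case; anything other than "yes" leaves the save disabled.
    case "$(printf '%s' "$value" | tr 'A-Z' 'a-z')" in
        yes) echo yes ;;
        *)   echo no ;;
    esac
}

# Print one line per action describing what the initscript does to the saved
# ruleset, so the behaviour can be reviewed before the service is stopped.
# Usage: iptables_save_policy FILE
iptables_save_policy() {
    for action in STOP RESTART; do
        if [ "$(iptables_config_value "IPTABLES_SAVE_ON_$action" "$1")" = yes ]; then
            echo "$action: in-memory rules are written to /etc/sysconfig/iptables (previous rules kept in iptables.save)"
        else
            echo "$action: in-memory rules are discarded; /etc/sysconfig/iptables is left unchanged"
        fi
    done
}

# Constructed sample in the format assumed for /etc/sysconfig/iptables-config
# (the real file on a host is the one to pass to iptables_save_policy).
sample_config=$(mktemp)
cat > "$sample_config" <<'EOF'
# Save current firewall rules on stop.
#   Value: yes|no,  default: no
IPTABLES_SAVE_ON_STOP="yes"
# Save current firewall rules on restart.
IPTABLES_SAVE_ON_RESTART="no"
EOF

iptables_save_policy "$sample_config"
```

Run it against /etc/sysconfig/iptables-config on the host to see the effective policy before issuing /sbin/service iptables stop or restart.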