Activating the IPTables Service
The firewall rules are only active if the iptables service is running. To manually start the service, use the following command:
[[email protected] ~] # service iptables restart
To ensure that iptables starts when the system is booted, use the following command:
[[email protected] ~] # chkconfig --level 345 iptables on
The ipchains service is not included in Red Hat Enterprise Linux. However, if ipchains is installed (for example, an upgrade was performed and the system had ipchains previously installed), the ipchains and iptables services should not be activated simultaneously. To make sure the ipchains service is disabled and configured not to start at boot time, use the following two commands:
[[email protected] ~] # service ipchains stop
[[email protected] ~] # chkconfig --level 345 ipchains off
The first step in using iptables is to start the iptables service. Use the following command to start the iptables service:
[[email protected] ~] # service iptables start
Show current IPTables config
To show all current settings in the IPTables program, execute the following command:
[[email protected] ~] # iptables –L
IPTables Command Syntax
The following sample iptables command illustrates the basic command syntax:
[[email protected]r ~ ] # iptables -A <chain> -j <target>
The -A option specifies that the rule be appended to <chain>. Each chain is comprised of one or more rules, and is therefore also known as a ruleset.
The three built-in chains are INPUT, OUTPUT, and FORWARD. These chains are permanent and cannot be deleted. The chain specifies the point at which a packet is manipulated.
The -j <target> option specifies the target of the rule; i.e., what to do if the packet matches the rule. Examples of built-in targets are ACCEPT, DROP, and REJECT.
When creating an iptables ruleset, order is important.
If a rule specifies that any packets from the 192.168.100.0/24 subnet be dropped, and this is followed by a rule that allows packets from 192.168.100.13 (which is within the dropped subnet), then the second rule is ignored.
The rule to allow packets from 192.168.100.13 must precede the rule that drops the remainder of the subnet.
To insert a rule in a specific location in an existing chain, use the -I option. For example:
[[email protected] ~ ] # iptables -I INPUT 1 -i lo -p all -j ACCEPT
This rule is inserted as the first rule in the INPUT chain to allow local loopback device traffic.
Saving and Restoring IPTables Rules
Changes to iptables are transitory; if the system is rebooted or if the iptables service is restarted, the rules are automatically flushed and reset. To save the rules so that they are loaded when the iptables service is started, use the following command:
[[email protected] ~ ] # service iptables save
The rules are stored in the file /etc/sysconfig/iptables and are applied whenever the service is started or the machine is rebooted.