This is a simple but very useful topic. I have already posted the basics of IPTables in Linux; check that post for more details >> IPTables basics <<
On Red Hat-based distributions (RHEL, CentOS, Fedora) that use the iptables init script, the rules are saved in the file "/etc/sysconfig/iptables" in iptables-save format (Debian and Ubuntu keep them elsewhere, for example in /etc/iptables/rules.v4 with iptables-persistent). You can view or edit the rules in this file, but editing it does not change the running ruleset: the file is only read when the service starts or restarts (or when you feed it to iptables-restore), and it is only written by 'service iptables save' (equivalent to iptables-save > /etc/sysconfig/iptables) or by the save-on-stop/restart options described below. Note that in the sample every built-in chain of the filter table has policy ACCEPT, so nothing is blocked, and the rules in the acctboth chain have no -j target, so they only count traffic. See the sample entries:
root@test [~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Fri May 2 00:54:58 2014
*nat
:PREROUTING ACCEPT [1:60]
:POSTROUTING ACCEPT [7:636]
:OUTPUT ACCEPT [7:636]
COMMIT
# Completed on Fri May 2 00:54:58 2014
# Generated by iptables-save v1.4.7 on Fri May 2 00:54:58 2014
*mangle
:PREROUTING ACCEPT [890360:501351591]
:INPUT ACCEPT [890360:501351591]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [876347:125010352]
:POSTROUTING ACCEPT [847830:121738569]
COMMIT
# Completed on Fri May 2 00:54:58 2014
# Generated by iptables-save v1.4.7 on Fri May 2 00:54:58 2014
*filter
:INPUT ACCEPT [4:304]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:496]
:acctboth - [0:0]
-A INPUT -p tcp -m tcp --dport 49152:65534 -j ACCEPT
-A INPUT -j acctboth
-A OUTPUT -j acctboth
-A acctboth -s IP.ADD.RESS/32 ! -i lo -p tcp -m tcp --dport 80
-A acctboth -d IP.ADD.RESS/32 ! -i lo -p tcp -m tcp --sport 80
-A acctboth -s IP.ADD.RESS/32 ! -i lo -p tcp -m tcp --dport 25
-A acctboth -d IP.ADD.RESS/32 ! -i lo -p tcp -m tcp --sport 25
-A acctboth ! -i lo
COMMIT
# Completed on Fri May 2 00:54:58 2014
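The listing above is iptables-save format: "*table" opens a table, ":CHAIN POLICY [packets:bytes]" declares a chain ("-" is the policy of a user-defined chain), "-A" lines are rules and COMMIT closes the table. The following parser and audit is an added example, not code from the original post; SAMPLE is a constructed, shortened copy of the listing with the documentation address 203.0.113.10 in place of the redacted one. It reports the three things a reviewer checks first in such a file: built-in chains whose policy is ACCEPT (fail-open), rules without a -j target (they count and never decide anything), and INPUT ACCEPT rules that open a large port range.

```python
"""Parse iptables-save format and flag what matters for a firewall review.

Added example, not code from the original post. SAMPLE is a constructed,
shortened copy of the page's listing with a documentation address
(203.0.113.10) in place of the redacted one.
"""
import re
from collections import namedtuple

Chain = namedtuple("Chain", "table name policy packets bytes")
Rule = namedtuple("Rule", "table chain args target")

SAMPLE = """\
# Generated by iptables-save v1.4.7 on Fri May 2 00:54:58 2014
*nat
:PREROUTING ACCEPT [1:60]
:POSTROUTING ACCEPT [7:636]
:OUTPUT ACCEPT [7:636]
COMMIT
*filter
:INPUT ACCEPT [4:304]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:496]
:acctboth - [0:0]
-A INPUT -p tcp -m tcp --dport 49152:65534 -j ACCEPT
-A INPUT -j acctboth
-A OUTPUT -j acctboth
-A acctboth -s 203.0.113.10/32 ! -i lo -p tcp -m tcp --dport 80
-A acctboth -d 203.0.113.10/32 ! -i lo -p tcp -m tcp --sport 80
-A acctboth ! -i lo
COMMIT
"""

# ":NAME POLICY [packets:bytes]"; user-defined chains carry "-" as policy.
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")


def parse_save(text):
    """Return (chains, rules) from iptables-save text; raise on malformed input."""
    chains, rules, table = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            if table is None:
                raise ValueError("line %d: COMMIT outside a table" % lineno)
            table = None
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            if m is None or table is None:
                raise ValueError("line %d: bad chain line: %s" % (lineno, raw))
            chains.append(Chain(table, m.group(1), m.group(2),
                                int(m.group(3)), int(m.group(4))))
        elif line.startswith("-A "):
            if table is None:
                raise ValueError("line %d: rule outside a table" % lineno)
            parts = line.split()
            if "-j" in parts and parts[-1] == "-j":
                raise ValueError("line %d: -j without a target" % lineno)
            # A rule without -j matches and counts but never decides the packet's fate.
            target = parts[parts.index("-j") + 1] if "-j" in parts else None
            rules.append(Rule(table, parts[1], parts[2:], target))
        else:
            raise ValueError("line %d: unrecognised line: %s" % (lineno, raw))
    if table is not None:
        raise ValueError("table %s is not terminated by COMMIT" % table)
    return chains, rules


def dport_width(args):
    """Number of destination ports matched by a --dport spec, or None if absent."""
    if "--dport" not in args:
        return None
    lo, _, hi = args[args.index("--dport") + 1].partition(":")
    return int(hi or lo) - int(lo) + 1


def audit(chains, rules, wide_ports=1024):
    """Fail-open policies, count-only rules, and wide INPUT ACCEPT ranges."""
    report = {"fail_open": [], "count_only": [], "wide_accept": []}
    for c in chains:
        if c.table == "filter" and c.name in ("INPUT", "FORWARD") and c.policy == "ACCEPT":
            report["fail_open"].append(c.name)
    for r in rules:
        if r.target is None:
            report["count_only"].append("%s/%s %s" % (r.table, r.chain, " ".join(r.args)))
        elif r.table == "filter" and r.chain == "INPUT" and r.target == "ACCEPT":
            width = dport_width(r.args)
            if width is not None and width >= wide_ports:
                report["wide_accept"].append((width, " ".join(r.args)))
    return report


if __name__ == "__main__":
    chains, rules = parse_save(SAMPLE)
    for key, items in audit(chains, rules).items():
        for item in items:
            print("%-12s %s" % (key, item))
```

Run against the real file with parse_save(open("/etc/sysconfig/iptables").read()); on the sample it reports INPUT and FORWARD as fail-open, the three acctboth rules as count-only, and the 49152:65534 ACCEPT as opening 16383 ports. The parser deliberately rejects anything it does not understand rather than skipping it, so a line it cannot classify is surfaced instead of silently ignored.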
There is one more configuration file, '/etc/sysconfig/iptables-config', which controls the behaviour of the iptables init script (what it does on start, stop, restart, save and status). The important directives in this file are:
1, IPTABLES_MODULES
Space-separated list of connection-tracking/NAT helper modules (e.g. 'ip_nat_ftp ip_nat_irc'; on current kernels they are named nf_conntrack_ftp, nf_nat_ftp and so on), loaded after the firewall rules are applied. Options for the helpers are stored in /etc/modprobe.conf. Load only the helpers you actually need: each one makes the kernel parse application-layer payload of the matching traffic.
IPTABLES_MODULES=""
2, IPTABLES_MODULES_UNLOAD
Unload modules on restart and stop
Value: yes|no, default: yes
This option has to be 'yes' to get to a sane state for a firewall restart or stop. Only set to 'no' if there are problems unloading netfilter modules.
IPTABLES_MODULES_UNLOAD="yes"
3, IPTABLES_SAVE_ON_STOP
Save current firewall rules on stop.
Value: yes|no, default: no
Saves all firewall rules to /etc/sysconfig/iptables when the firewall is stopped (e.g. on system shutdown). Whatever is live at that moment is what gets saved, so a ruleset you flushed or altered for troubleshooting would overwrite the saved configuration.
IPTABLES_SAVE_ON_STOP="no"
4, IPTABLES_SAVE_ON_RESTART
Save current firewall rules on restart.
Value: yes|no, default: no
Saves all firewall rules to /etc/sysconfig/iptables when the firewall is restarted, with the same caveat: the live ruleset, however it was modified, replaces the saved one.
IPTABLES_SAVE_ON_RESTART="no"
5, IPTABLES_SAVE_COUNTER
Save (and restore) rule and chain counter.
Value: yes|no, default: no
Save counters for rules and chains to /etc/sysconfig/iptables when 'service iptables save' is called, or on stop/restart if IPTABLES_SAVE_ON_STOP or IPTABLES_SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"
6, IPTABLES_STATUS_NUMERIC
Numeric status output
Value: yes|no, default: yes
Print IP addresses and port numbers in numeric format in the status output (the equivalent of iptables -n: no DNS or /etc/services lookups, so the status is fast and does not depend on name resolution).
IPTABLES_STATUS_NUMERIC="yes"
7, IPTABLES_STATUS_VERBOSE
Verbose status output
Value: yes|no, documented default: yes (the stock file nevertheless ships with it set to "no", and the value set in the file is what the init script uses)
Print the packet and byte counters plus the input and output device for every rule in the status output.
IPTABLES_STATUS_VERBOSE="no"
8, IPTABLES_STATUS_LINENUMBERS
Status output with numbered lines
Value: yes|no, default: yes
Print a line number for every rule in the status output (handy when deleting or inserting by position with 'iptables -D CHAIN n' or 'iptables -I CHAIN n').
IPTABLES_STATUS_LINENUMBERS="yes"
9, IPTABLES_SYSCTL_LOAD_LIST
Reload sysctl settings on start and restart
Default: none
Space-separated list of sysctl items to reload on start. Items are matched with fgrep, i.e. as plain substrings, so an entry like '.nf_conntrack' picks up every sysctl key that contains it.
#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
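The following is an added example, not code from the original post: it parses an iptables-config file (KEY="value" lines, comments ignored), fills in the documented defaults for keys that are absent, and reports the settings from the list above that change a firewall host's behaviour: automatic saving on stop/restart (a flushed live ruleset would overwrite the saved one), non-numeric status output (DNS lookups), modules left loaded after stop, and helper modules being loaded. It also models the fgrep substring matching of IPTABLES_SYSCTL_LOAD_LIST against a few sysctl lines. STOCK, RISKY and SYSCTL_CONF are constructed samples.

```python
"""Parse /etc/sysconfig/iptables-config and flag settings that matter for
a firewall host.  Added example, not from the original post; the sample
files below are constructed.  Defaults are the ones documented in the
stock file's comments."""
import re

DEFAULTS = {
    "IPTABLES_MODULES": "",
    "IPTABLES_MODULES_UNLOAD": "yes",
    "IPTABLES_SAVE_ON_STOP": "no",
    "IPTABLES_SAVE_ON_RESTART": "no",
    "IPTABLES_SAVE_COUNTER": "no",
    "IPTABLES_STATUS_NUMERIC": "yes",
    # The stock file's comment says yes but ships the value "no"; set it explicitly.
    "IPTABLES_STATUS_VERBOSE": "yes",
    "IPTABLES_STATUS_LINENUMBERS": "yes",
    "IPTABLES_SYSCTL_LOAD_LIST": "",
}

# Constructed: the values the page lists as shipped in the stock file.
STOCK = """\
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes"
#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
"""

# Constructed: a file where someone turned on the convenient-but-risky options.
RISKY = """\
IPTABLES_MODULES="nf_nat_ftp nf_conntrack_ftp"
IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_STATUS_NUMERIC="no"
IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
"""

# Constructed sysctl.conf excerpt used to show the fgrep-style matching.
SYSCTL_CONF = """\
net.ipv4.ip_forward = 0
net.netfilter.nf_conntrack_max = 131072
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.tcp_syncookies = 1
"""

# KEY="value", KEY='value' or KEY=value; nothing else is accepted.
ASSIGN_RE = re.compile(r'^([A-Z_][A-Z0-9_]*)=(?:"([^"]*)"|\'([^\']*)\'|(\S*))\s*$')


def parse_config(text):
    """Return the assignments present in the file (comments and blanks skipped)."""
    values = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if m is None:
            raise ValueError('line %d is not KEY="value": %s' % (lineno, raw))
        values[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return values


def effective(values):
    """Apply documented defaults for keys the file does not set."""
    cfg = dict(DEFAULTS)
    cfg.update(values)
    return cfg


def audit_config(values):
    cfg = effective(values)
    yes = lambda key: cfg[key].lower() == "yes"
    findings = []
    if yes("IPTABLES_SAVE_ON_STOP") or yes("IPTABLES_SAVE_ON_RESTART"):
        findings.append("auto-save enabled: the live ruleset, even a flushed one, "
                        "overwrites /etc/sysconfig/iptables on stop/restart")
    if not yes("IPTABLES_STATUS_NUMERIC"):
        findings.append("status output resolves names: 'service iptables status' "
                        "issues DNS and service lookups")
    if not yes("IPTABLES_MODULES_UNLOAD"):
        findings.append("netfilter modules stay loaded after stop")
    helpers = cfg["IPTABLES_MODULES"].split()
    if helpers:
        findings.append("conntrack/NAT helpers loaded: " + ", ".join(helpers))
    return findings


def sysctl_lines_to_reload(load_list, sysctl_conf):
    """Model the fgrep step: every line containing any list item as a substring."""
    items = load_list.split()
    return [l for l in sysctl_conf.splitlines() if any(i in l for i in items)]


if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("risky", RISKY)):
        print(name, audit_config(parse_config(text)) or ["no findings"])
    print(sysctl_lines_to_reload(".nf_conntrack .bridge-nf", SYSCTL_CONF))
```

On the stock file the audit is clean; on the risky one it reports the auto-save, the name-resolving status and the two FTP helpers, and '.nf_conntrack .bridge-nf' selects the nf_conntrack_max and bridge-nf-call-iptables lines from the sysctl excerpt while leaving the others alone.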
That's it!
Related Links
1, What is iptables in Linux ?
2, IPTables rules for icmp
3, How to block/unblock an IP address in your Linux server
4, How to prevent DoS attack on server using IPTables or CSF