默认/etc/sysoncifg/iptables-config的配置内容:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
|
# Load additional iptables modules (nat helpers)# Default: -none-# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which# are loaded after the firewall rules are applied. Options for the helpers are# stored in /etc/modprobe.conf.IPTABLES_MODULES="ip_conntrack_netbios_ns"# Unload modules on restart and stop# Value: yes|no, default: yes# This option has to be 'yes' to get to a sane state for a firewall# restart or stop. Only set to 'no' if there are problems unloading netfilter# modules.IPTABLES_MODULES_UNLOAD="yes"# Save current firewall rules on stop.# Value: yes|no, default: no# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped# (e.g. on system shutdown).IPTABLES_SAVE_ON_STOP="no"# Save current firewall rules on restart.# Value: yes|no, default: no# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets# restarted.IPTABLES_SAVE_ON_RESTART="no"# Save (and restore) rule and chain counter.# Value: yes|no, default: no# Save counters for rules and chains to /etc/sysconfig/iptables if# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or# SAVE_ON_RESTART is enabled.IPTABLES_SAVE_COUNTER="no"# Numeric status output# Value: yes|no, default: yes# Print IP addresses and port numbers in numeric format in the status output.IPTABLES_STATUS_NUMERIC="yes"# Verbose status output# Value: yes|no, default: yes# Print info about the number of packets and bytes plus the "input-" and# "outputdevice" in the status output.IPTABLES_STATUS_VERBOSE="no"# Status output with numbered lines# Value: yes|no, default: yes# Print a counter/number for every rule in the status output.IPTABLES_STATUS_LINENUMBERS="yes" |
IPTABLES_MODULES="ip_conntrack_netbios_ns"
在防火墙被激活时,指定一组独立的空间额外加载iptables模块,系统启动,加载防火墙模块,会打印:Loading additional iptables modules: ip_conntrack_netbios_ns[ OK ]
IPTABLES_MODULES_UNLOAD="yes"
在重新启动和停止iptables模块时,是否卸载此模块。
IPTABLES_SAVE_ON_STOP="no"
当防火墙停止时,保存当前防火墙规则到iptables文件,no :(默认值)不保存当前的规则到iptables文件。
IPTABLES_SAVE_ON_RESTART="no"
当防火墙重启时:service iptables restart,保存当前防火墙规则到iptables文件,no :(默认值)不保存当前的规则到iptables文件。
IPTABLES_SAVE_COUNTER="no"
保存并恢复所有chain和规则中的数据包和字节计数器,yes:保存计数器的值,no:(默认值)不保存计数器值。
IPTABLES_STATUS_NUMERIC="yes"
输出的IP地址是数字的格式,而不是域名和主机名的形式,yes:(默认值)在状态输出中只包括IP地址,no:在状态输出中返回域名或主机名。
IPTABLES_STATUS_VERBOSE="no"
输出iptables状态时,是否包含输入输出设备,yes:包含,no:(默认值)不包含。
IPTABLES_STATUS_LINENUMBERS="yes"
输出iptables状态时,是否同时输出每条规则的匹配数,yes:(默认值)输出,no:不输出。
查看防火墙状态:service iptables status
重启防火墙:service iptables restart
|
1
2
3
4
5
|
# service iptables restartiptables: Flushing firewall rules: [ OK ]iptables: Setting chains to policy ACCEPT: filter [ OK ]iptables: Unloading modules: [ OK ]iptables: Applying firewall rules: [ OK ] |
重启防火墙,清除规则和卸载模块,然后再加载新的规则。