Chapter 13. Firewalls and


iptables


175


  log prefix


  Places a string before the log line when it is written. Accepts up to 29


characters after the


  log prefix


option. This is useful for writing syslog filters for use in


conjunction with packet logging.


  log tcp options


  Any options set in the header of a TCP packet is logged


  log tcp sequence


  Writes the TCP sequence number for the packet in the log.


  REJECT


  Sends an error packet back to the system which sent the packet, and then drops the


packet. This target is useful if you would like to notify the system sending the matching packet of


the problem.


The


REJECT


target accepts a


  reject with


type


option which allows more detailed infor 


r


s


mation to be sent with the error packet. The message


port unreachable


is the default


type


r


s


error given if no other option is used. For a full list of


type


options that can be used, see the


r


s


iptables


man page.


Other target extensions, including several that are useful with masquerading using the


nat


table or


with packet alteration using the


mangle


table, can be found in the


iptables


man page.


13.3.7. Listing Options


The default list command,


iptables  L


, provides a very basic overview of the default filter table's


current chains. Additional options provide more information and arrange that information in specific


ways:


   v


  Display verbose output, such as the number of packets and bytes each chain has seen, the


number of packets and bytes each rule has matched, and which interfaces apply to a particular rule.


   x


  Expands numbers into their exact values. On a busy system, the number of packets and


bytes seen by a particular chain or rule may be abbreviated using


K


(thousands),


M


(millions), and


G


(billions) at the end of the number. This option forces the full number to be displayed.


   n


  Displays IP addresses and port numbers in numeric format, rather than the default hostname


and network service format.


    line numbers


  Lists rules in each chain next to their numeric order in the chain. This option


is useful when attempting to delete a specific rule in a chain, or to locate where to insert a rule


within a chain.


13.4. Storing


iptables


Information


Rules created with the


iptables


command are stored in RAM only. If you restart your system after


setting up


iptables


rules, they will be lost. So in order for netfilter rules to persist through system


reboot, you need to save them to the


/etc/sysconfig/iptables


file.


To do this, type the


/sbin/service iptables save


command as the root user. This causes the


iptables


init script to run the


/sbin/iptables save


program and write the current


iptables


configuration to the


/etc/sysconfig/iptables


file. This file should only be readable by root, so


your packet filtering rules are not viewable by average users.


The next time the system boots, the


iptables


init script will reapply the rules saved in


/etc/sysconfig/iptables


by using the


/sbin/iptables restore


command.


While it is always a good idea to test a new


iptables


rule before committing it to the


/etc/sysconfig/iptables


file, it is possible to copy


iptables


rules into this file from another








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      tomcat hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved