What is the default configuration file for IPTables and where it is located – Linux

It’s quite simple and but very useful thing. I have already posted the basics of IPTables in Linux, you may check this for more details >> IPTables basics <<

The iptables rules are saved in the file “/etc/sysconfig/iptables” under a Unix architecture. You can view/edit iptables rules from this file. See the sample entries:

[email protected] [~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Fri May  2 00:54:58 2014
*nat
:PREROUTING ACCEPT [1:60]
:POSTROUTING ACCEPT [7:636]
:OUTPUT ACCEPT [7:636]
COMMIT
# Completed on Fri May  2 00:54:58 2014
# Generated by iptables-save v1.4.7 on Fri May  2 00:54:58 2014
*mangle
:PREROUTING ACCEPT [890360:501351591]
:INPUT ACCEPT [890360:501351591]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [876347:125010352]
:POSTROUTING ACCEPT [847830:121738569]
COMMIT
# Completed on Fri May  2 00:54:58 2014
# Generated by iptables-save v1.4.7 on Fri May  2 00:54:58 2014
*filter
:INPUT ACCEPT [4:304]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:496]
:acctboth - [0:0]
-A INPUT -p tcp -m tcp --dport 49152:65534 -j ACCEPT
-A INPUT -j acctboth
-A OUTPUT -j acctboth
-A acctboth -s IP.ADD.RESS/32 ! -i lo -p tcp -m tcp --dport 80
-A acctboth -d IP.ADD.RESS/32 ! -i lo -p tcp -m tcp --sport 80
-A acctboth -s IP.ADD.RESS/32 ! -i lo -p tcp -m tcp --dport 25
-A acctboth -d IP.ADD.RESS/32 ! -i lo -p tcp -m tcp --sport 25
-A acctboth ! -i lo
COMMIT
# Completed on Fri May  2 00:54:58 2014

There is one more configuration file ‘/etc/sysconfig/iptables-config‘ to control iptables init-script. You can set up a lot of things on this file. See the important directives in ‘/etc/sysconfig/iptables-config‘ file:

1, IPTABLES_MODULES

Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which are loaded after the firewall rules are applied. Options for the helpers are stored in /etc/modprobe.conf.
IPTABLES_MODULES=""

2, IPTABLES_MODULES_UNLOAD

Unload modules on restart and stop
Value: yes|no,  default: yes
This option has to be 'yes' to get to a sane state for a firewall restart or stop. Only set to 'no' if there are problems unloading netfilter modules.
IPTABLES_MODULES_UNLOAD="yes"

3, IPTABLES_SAVE_ON_STOP

Save current firewall rules on stop.
Value: yes|no,  default: no
Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

4, IPTABLES_SAVE_ON_RESTART

Save current firewall rules on restart.
Value: yes|no,  default: no
Saves all firewall rules to /etc/sysconfig/iptables if firewall gets restarted.
IPTABLES_SAVE_ON_RESTART="no"

5, IPTABLES_SAVE_COUNTER

Save (and restore) rule and chain counter.
Value: yes|no,  default: no
Save counters for rules and chains to /etc/sysconfig/iptables if 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

6, IPTABLES_STATUS_NUMERIC

Numeric status output
Value: yes|no,  default: yes
Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"

7, IPTABLES_STATUS_VERBOSE

Verbose status output
Value: yes|no,  default: yes
Print info about the number of packets and bytes plus the "input-" and "outputdevice" in the status output.
IPTABLES_STATUS_VERBOSE="no"

8, IPTABLES_STATUS_LINENUMBERS

Status output with numbered lines
Value: yes|no,  default: yes
Print a counter/number for every rule in the status output.
IPTABLES_STATUS_LINENUMBERS="yes"

9, IPTABLES_SYSCTL_LOAD_LIST

Reload sysctl settings on start and restart
Default: -none-
Space separated list of sysctl items which are to be reloaded on start. List items will be matched by fgrep.
#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"

that’s it!

Related Links
1, What is iptables in Linux ?
2, IPTables rules for icmp
3, How to block/unblock an IP address in your Linux server
4, How to prevent DoS attack on server using IPTables or CSF

, ,

Post navigation

Arunlal Ashok

Linux Systems Architect at Endurance International Group. I know her (Linux) since many years. Linux lover. Like to play on Linux console. I started this blog to share and discuss Linux thoughts.

Always happy for an open discussion! Write to arun (@) crybit (dot) com. Check about me for more details. About this blog and our strong members, check The team CryBit.com

Leave a Reply

Your email address will not be published. Required fields are marked *