iptables -P vs :OUTPUT in /etc/sysconfig/iptables
In FC3, /etc/sysconfig/iptables contains the line:
:OUTPUT ACCEPT [5291031:1347453874]

This sets the policy for the OUTPUT chain, but I haven't been able to discover what the bracketed numbers do or how to make an equivalent iptables -P command. What is the effect? What is an equivalent iptables -P command? Does the indicated range make sense for my system?

I found a way to bypass this problem: /sbin/service iptables restart

I had changed the policy to DROP, and couldn't find a way to change it back, but this command replaces the entire iptables by the original. The only trouble is that the restart operation is slow. If I knew what iptables command to issue, it would be much faster.
I believe the bracketed numbers are the packet and byte counters (in that order) for each chain when the iptables-save command is run. Check out the iptables-save man page for more info.

The equivalent command is just: iptables -P ACCEPT

Remember that any changes made to iptables won't show up in that file until you run the iptables-save command (or service iptables save). If you want to see the current iptables rules, run the iptables -vnL command instead. The /etc/sysconfig/iptables file is basically just where the iptables-restore command gets its config from. In fact 'service iptables restart' is just a 'macro' of sorts that runs a series of subcommands, including iptables-restore.
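To make the point in the answer concrete, here is an added example (not code from the thread or from the iptables project) that reads a file in the iptables-save format used by /etc/sysconfig/iptables and turns each ":CHAIN POLICY [packets:bytes]" line into the matching `iptables -P CHAIN POLICY` command, printing the counters separately so it is clear they are bookkeeping, not arguments. The input is a constructed sample; the RH-Firewall-1-INPUT chain and the counter values are assumptions, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the thread): parse iptables-save formatted text and
# derive the equivalent "iptables -P" commands plus the per-chain counters.
# SAMPLE is a constructed stand-in for /etc/sysconfig/iptables.

SAMPLE='*filter
:INPUT ACCEPT [1024:98304]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5291031:1347453874]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
COMMIT'

# Print one "iptables -P CHAIN POLICY" line per built-in chain.
# User-defined chains carry "-" as their policy and have no -P equivalent,
# so they are skipped.
policy_commands() {
    printf '%s\n' "$1" | awk '
        /^:/ {
            chain = substr($1, 2)
            if ($2 == "-") next
            print "iptables -P " chain " " $2
        }'
}

# Print "CHAIN PACKETS BYTES" for every chain line, brackets stripped.
# These are the values iptables-save records; they are restored, not applied
# as options, by iptables-restore.
chain_counters() {
    printf '%s\n' "$1" | awk '
        /^:/ {
            chain = substr($1, 2)
            gsub(/\[|\]/, "", $3)
            split($3, c, ":")
            print chain, c[1], c[2]
        }'
}

policy_commands "$SAMPLE"
chain_counters "$SAMPLE"
```

Running the script prints three `iptables -P` commands (INPUT, FORWARD, OUTPUT) followed by four counter lines; the OUTPUT line from the thread yields `iptables -P OUTPUT ACCEPT` with 5291031 packets and 1347453874 bytes, which is the answer to the original question in executable form.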
iptables -P: solved
Thanks. That makes sense. Now that I know that the numbers in brackets are not extra parameters, I can restore the original iptables quickly. I just have to issue iptables -P OUTPUT ACCEPT. This restores the iptables rules in less than a second, versus the bypass that took several minutes.
Since I only use the script to do this when I want to temporarily shut down internet access when I am doing long unattended operations like backups over my LAN, I don't need to make permanent modifications to survive the next boot.
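The use case in the closing post, a temporary outbound block that still lets LAN backups run, can be done with the same `-P OUTPUT` switch plus a couple of accept rules, and undone without a full restart. The script below is an added example, not the poster's script; it assumes the LAN is 192.168.1.0/24 (a placeholder to adjust), that the OUTPUT chain starts with policy ACCEPT and no rules of its own, and it only prints the commands unless DRY_RUN=0 is set and it is run as root.

```shell
#!/bin/sh
# Added example (not from the thread): block outbound Internet traffic while
# keeping loopback and LAN traffic, then restore the OUTPUT chain.
# Assumptions: LAN_NET is a placeholder, OUTPUT starts as ACCEPT with no
# rules. DRY_RUN=1 (the default) only echoes the iptables commands.

LAN_NET="${LAN_NET:-192.168.1.0/24}"
DRY_RUN="${DRY_RUN:-1}"

# Run iptables, or just print the command line when dry-running.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Add the accept rules first, then flip the policy, so LAN traffic is never
# dropped during the change.
block_internet() {
    run -A OUTPUT -o lo -j ACCEPT
    run -A OUTPUT -d "$LAN_NET" -j ACCEPT
    run -P OUTPUT DROP
}

# Restore: set the policy back to ACCEPT first (the one-second fix from the
# thread), then remove the helper rules so the chain is as it was.
restore_internet() {
    run -P OUTPUT ACCEPT
    run -D OUTPUT -d "$LAN_NET" -j ACCEPT
    run -D OUTPUT -o lo -j ACCEPT
}

case "${1:-}" in
    block)   block_internet ;;
    restore) restore_internet ;;
    *)       echo "usage: $0 block|restore" ;;
esac
```

Because nothing here is saved with `service iptables save`, the change does not survive a reboot, which matches the poster's intent; `iptables -vnL OUTPUT` shows the temporary rules and their counters while the block is active.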