LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   iptables -P vs :OUTPUT in /etc/sysconfig/iptables (https://www.linuxquestions.org/questions/linux-security-4/iptables-p-vs-output-in-etc-sysconfig-iptables-313305/)

TomF 04-14-2005 04:40 PM

iptables -P vs :OUTPUT in /etc/sysconfig/iptables
 
In FC3, /etc/sysconfig/iptables contains the line:
:OUTPUT ACCEPT [5291031:1347453874]

This sets the policy for the OUTPUT chain, but I haven't been able to discover what the bracketed numbers do or how to make an equivalent iptables -P command.

What is the effect? What is an equivalent iptables -P command? Does the indicated range make sense for my system?

I found a way to bypass this problem: /sbin/service iptables restart

I had changed the policy to DROP, and couldn't find a way to change it back, but this command replaces the entire iptables by the original. The only trouble is that the restart operation is slow. If I knew what iptables command to issue, it would be much faster.


Capt_Caveman 04-14-2005 08:35 PM

I believe the bracketed numbers are the packet and byte counters (in that order) for each chain when the iptables-save command is run. Check out the iptables-save man page for more info.

The equivalent command is just:
iptables -P OUTPUT ACCEPT

Remember that any changes made to iptables won't show up in that file until you run the iptables-save command (or service iptables save). If you want to see the current iptables rules, run the iptables -vnL command instead. The /etc/sysconfig/iptables file is basically just where the iptables-restore command gets its config from. In fact 'service iptables restart' is just a 'macro' of sorts that runs a series of subcommands, including iptables-restore.
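To make the file format concrete, here is an added example (not from either poster) that parses a constructed iptables-save dump built around the OUTPUT line from the first post: it splits each ":CHAIN POLICY [packets:bytes]" header into the equivalent iptables -P command and shows that the bracketed numbers are only saved counters, not parameters.

```shell
#!/bin/sh
# Constructed sample of an iptables-save dump (not captured from a real FC3 box).
SAMPLE_DUMP='# Generated by iptables-save v1.2.11 on Thu Apr 14 16:40:00 2005
*filter
:INPUT ACCEPT [123:45678]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5291031:1347453874]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
COMMIT
# Completed on Thu Apr 14 16:40:00 2005'

# policy_commands: read a dump on stdin and print one "iptables -t TABLE -P CHAIN POLICY"
# line per built-in chain.  The "[packets:bytes]" counters are state that iptables-restore
# reloads; they are not arguments to -P, so they are simply dropped here.  User-defined
# chains (policy shown as "-") cannot take a policy, so they are skipped.
policy_commands() {
    awk '
        /^\*/ { table = substr($0, 2); next }     # "*filter" names the current table
        /^:/  { chain  = substr($1, 2)            # strip the leading ":" from the chain name
                policy = $2
                if (policy != "-")
                    printf "iptables -t %s -P %s %s\n", table, chain, policy
              }
    '
}

# chain_counters: print "packets bytes" for the named chain from a dump on stdin,
# i.e. the two numbers inside the brackets with the brackets removed.
chain_counters() {
    awk -v want=":$1" '
        $1 == want { c = substr($3, 2, length($3) - 2); sub(/:/, " ", c); print c }
    '
}

# Demonstration when the script is run directly.
printf '%s\n' "$SAMPLE_DUMP" | policy_commands
printf '%s\n' "$SAMPLE_DUMP" | chain_counters OUTPUT
```

On a live system, `iptables-save | policy_commands` gives the exact -P lines needed to put every built-in chain back to its saved policy without a full `service iptables restart`.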

TomF 04-14-2005 10:50 PM

iptables -P: solved
 
Thanks. That makes sense. Now that I know that the numbers in brackets are not extra parameters, I can restore the original iptables quickly. I just have to issue iptables -P OUTPUT ACCEPT. This restores the iptables rules in less than a second, versus the bypass that took several minutes.

Since I only use the script to do this when I want to temporarily shut down internet access when I am doing long unattended operations like backups over my LAN, I don't need to make permanent modifications to survive the next boot.

