Old 04-14-2005, 04:40 PM   #1
iptables -P vs :OUTPUT in /etc/sysconfig/iptables

In FC3, /etc/sysconfig/iptables contains the line:
:OUTPUT ACCEPT [5291031:1347453874]

This sets the policy for the OUTPUT chain, but I haven't been able to discover what the bracketed numbers do or how to make an equivalent iptables -P command.

What is the effect? What is an equivalent iptables -P command? Does the indicated range make sense for my system?

I found a way to bypass this problem: /sbin/service iptables restart

I had changed the policy to DROP, and couldn't find a way to change it back, but this command replaces the entire iptables by the original. The only trouble is that the restart operation is slow. If I knew what iptables command to issue, it would be much faster.

Last edited by TomF; 04-14-2005 at 07:53 PM.
Old 04-14-2005, 08:35 PM   #2
I believe the bracketed numbers are the packet and byte counters (in that order) for each chain when the iptables-save command is run. Check out the iptables-save man page for more info.

The equivalent command is just:
iptables -P OUTPUT ACCEPT

Remember that any changes made to iptables won't show up in that file until you run the iptables-save command (or service iptables save). If you want to see the current iptables rules, run the iptables -vnL command instead. The /etc/sysconfig/iptables file is basically just where the iptables-restore command gets its config from. In fact 'service iptables restart' is just a 'macro' of sorts that runs a series of subcommands, including iptables-restore.
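As an added illustration (not code from this thread or from the iptables project), here is a small Python parser for iptables-save-format text such as /etc/sysconfig/iptables: it pulls out each chain's policy and the bracketed packet/byte counters, and derives the equivalent `iptables -P` command for the built-in chains. The sample file contents are constructed for the example.

```python
"""Parse iptables-save output and derive equivalent `iptables -P` commands."""
import re

# Constructed sample in iptables-save format (not from a real host). The
# bracketed values are [packets:bytes] counter snapshots, not parameters;
# iptables-restore ignores them unless run with -c.
SAMPLE = """\
# Generated by iptables-save v1.2.11 on Thu Apr 14 16:40:00 2005
*filter
:INPUT ACCEPT [123456:78901234]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5291031:1347453874]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
COMMIT
# Completed on Thu Apr 14 16:40:00 2005
"""

# ":CHAIN POLICY [packets:bytes]"; user-defined chains show "-" as the policy.
CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")


def parse_chains(text):
    """Return {(table, chain): (policy, packets, bytes)} for every chain line."""
    table = None
    chains = {}
    for line in text.splitlines():
        if line.startswith("*"):          # "*filter" opens a table section
            table = line[1:]
        elif line.startswith(":") and table is not None:
            m = CHAIN_RE.match(line)
            if not m:
                raise ValueError("malformed chain line: %r" % line)
            chain, policy, pkts, byts = m.groups()
            chains[(table, chain)] = (policy, int(pkts), int(byts))
        elif line == "COMMIT":            # end of the current table section
            table = None
    return chains


def policy_commands(chains):
    """Equivalent `iptables -P` commands for built-in chains.

    User-defined chains carry '-' (no policy) and cannot take -P, so skip them.
    """
    cmds = []
    for (table, chain), (policy, _pkts, _bytes) in sorted(chains.items()):
        if policy == "-":
            continue
        cmds.append("iptables -t %s -P %s %s" % (table, chain, policy))
    return cmds
```

Running `policy_commands(parse_chains(SAMPLE))` yields one `-P` line per built-in chain, which is the fast path the thread is after instead of a full `service iptables restart`.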
Old 04-14-2005, 10:50 PM   #3
Original Poster
iptables -P: solved

Thanks. That makes sense. Now that I know that the numbers in brackets are not extra parameters, I can restore the original iptables quickly. I just have to issue iptables -P OUTPUT ACCEPT. This restores the iptables rules in less than a second, versus the bypass that took several minutes.

Since I only use the script to do this when I want to temporarily shut down internet access when I am doing long unattended operations like backups over my LAN, I don't need to make permanent modifications to survive the next boot.