iptables: change policy or use catch-all rule?
What do you do when setting up iptables: change the default policy (iptables -P INPUT DROP, for example) or add a catch-all rule at the end of the ruleset (iptables -A INPUT -j DROP)? If you do prefer one in particular, what's the rationale behind your preference?
This may be too subjective a question for this forum, but perhaps there are some good hard reasons to choose one over the other that I'm not aware of.
Against the policy approach, I'd say it's probably easier to lock oneself out of the server due to an overly optimistic iptables -F. In favour of it, it's probably easier to delete the catch-all rule without noticing, effectively leaving the server wide open (I've had this happen to me in the past).
It's true that you shouldn't rely on the firewall as your only protection from the internet (most of the time you can make internal network services bind only to localhost or the internal network, for example) but sometimes one is forced to expose semi-public services to a specific source network, etc.
Personally I tend to prefer the first if writing a ruleset from scratch, but stick to whatever's in place already if updating an existing one.
I use both, setting the policy, and a final drop rule, because I am hardcore like that.
I have my rules defined in a script that I call and update. I never call iptables directly other than to occasionally list the rules/stats. I have never really seen a reason why one is better than the other.
In terms of trade-off, I would prefer to have a machine w/o a firewall for a period of time, by accident (which is the risk of having -P ALLOW if you flush your rules and forget or similar) than have a machine drop off the network by accident (which is the consequence of a flush if the policy is DROP). My reasoning is, the firewall is not the sole method of securing my servers, so the firewall malfunctioning is an error rather than a catastrophe. A service being unavailable to users most often is a catastrophe.
Here are two reasons why having a catch-all rule may be better:
- The default policy has limited options. If you don't want the packet to go through, you have one choice: DROP (packet hits the floor). In the catch-all rule you can use REJECT, which can send an ICMP response.
- If you have any scripts that parse the output of iptables -L, the catch-all rule appears in the same format as all the other rules, making the parsing easier.
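As an added example (not code from the question or from either answer), here is a rules script in the spirit of the "use both" answer and the REJECT point above: it generates an iptables-restore ruleset with an INPUT policy of DROP and a final explicit REJECT rule, refuses to apply a ruleset that has lost either backstop (the silently deleted catch-all case from the question), and applies the result atomically with a timed rollback so a mistake cannot leave you locked out. The ports, the 192.0.2.0/24 source network and the /tmp rollback path are placeholders chosen for the example, not values from the page.

```shell
#!/bin/sh
# Added example: belt-and-braces ruleset (DROP policy plus catch-all REJECT)
# generated as an iptables-restore file, so it is loaded atomically rather
# than one rule at a time. Ports and networks below are placeholders.

# Emit a complete filter table. $1 is the source network allowed to reach
# SSH (the "semi-public service for a specific source network" case);
# it defaults to anywhere.
gen_ruleset() {
    ssh_net="${1:-0.0.0.0/0}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -s ${ssh_net} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# Pre-flight check: the INPUT policy must be DROP and the last INPUT rule
# must be an unconditional DROP or REJECT. Returns 1 if either backstop
# is missing, which is exactly the "deleted the catch-all without
# noticing" failure mode.
check_ruleset() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    last=$(printf '%s\n' "$rules" | grep '^-A INPUT ' | tail -n 1)
    case "$last" in
        "-A INPUT -j DROP"|"-A INPUT -j REJECT"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply atomically with a rollback safety net. The previous ruleset is
# restored after 60 seconds unless the background timer is killed, so a
# lock-out undoes itself. Needs root and iptables-restore; does nothing
# otherwise (return code 2).
apply_ruleset() {
    rules="$1"
    rollback=/tmp/iptables.rollback   # placeholder path
    check_ruleset "$rules" || { echo "refusing: no DROP policy or no catch-all rule" >&2; return 1; }
    command -v iptables-restore >/dev/null 2>&1 || { echo "iptables-restore not available" >&2; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 2; }
    iptables-save > "$rollback"
    printf '%s\n' "$rules" | iptables-restore
    ( sleep 60; iptables-restore < "$rollback" ) &
    echo "applied; run 'kill $!' within 60s to keep the new rules"
}

# Usage: generate, check, and (when root on a box with iptables) apply.
ruleset=$(gen_ruleset 192.0.2.0/24)
check_ruleset "$ruleset" && echo "ruleset has both backstops"
```

The check is deliberately strict about the last rule: a ruleset whose final INPUT entry is an ACCEPT for some service is refused even though the DROP policy would still catch the rest, because that is the shape a ruleset takes right after someone has deleted the catch-all. Cancelling the rollback timer is the confirmation step; if the SSH session never comes back, nothing needs to be done.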