iptables: change policy or use catch-all rule?

security linux firewall iptables

What do you do when setting up iptables: change the default policy (iptables -P INPUT DROP, for example) or add a catch-all rule at the end of the ruleset (iptables -A INPUT DROP)? If you do prefer one in particular, what's the rationale behind your preference?

This may be too subjective a question for this forum, but perhaps there are some good hard reasons to choose one over the other that I'm not aware of.

Against the policy way I have that it's probably easier to lock oneself out of the server due to an overly optimistic iptables -F. For it I have that it's probably easier to delete the catch-all rule without noticing it, effectively leaving the server wide open (I've had this happen to me in the past).

It's true that you shouldn't rely on the firewall as your only protection from the internet (most of the time you can make internal network services bind only to localhost or the internal network, for example) but sometimes one is forced to expose semi-public services to a specific source network, etc.

Personally I tend to prefer the first if writing a ruleset from scratch, but stick to whatever's in place already if updating an existing one.


I use both, setting the policy, and a final drop rule, because I am hardcore like that.

I have my rules defined in a script that I call and update. I never directly call iptables directly other then to occasionally list the rules/stats. I have never really seen a reason why one is better then the other.


In terms of trade-off, I would prefer to have a machine w/o a firewall for a period of time, by accident (which is the risk of having -P ALLOW if you flush your rules and forget or similar) than have a machine drop off the network by accident (which is the consequence of a flush if the policy is DROP). My reasoning is, the firewall is not the sole method of securing my servers, so the firewall malfunctioning is an error rather than a catastrophe. A service being unavailable to users most often is a catastrophe.


Here are two reasons why having a catch-all rule may be better:

  1. The default policy has limited options. If you don't want the packet to go through you have once choice: DROP (packet hits the floor). In the catch-all rule you can use REJECT which can send an ICMP response.
  2. If you have any scripts that parse the output of iptables -L, the catch-all rule appears in the same format as all the other rules, making the parsing easier.

Related

How can I permanently remove/delete a line in route with CentOS 6
Any way to convert qcow2 to ovf?
Does NTPd have to listen on an interface or address for updating the server time?
Estimating the time needed for a resize2fs shrink
Postfix : Relaying all incoming mail to another host
Can you import a SSL certificate from another Windows IIS 7 server?
Generating a lot of dirty pages is blocking synchronous writes
Other options to "balance source" in haproxy
How do I put a bridge on top of a bonded interface?
Why don't more organizations configure NAT U-turns/hairpins?
How to find out who deleted Event Viewer logs
Why can't I access Tomcat externally?