iptables, default policy vs rules

Is there any difference in dropping not-matched packets with default policy vs -j DROP on the end?

Like:

iptables -P INPUT DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT   # --dport needs -p tcp (or -p udp)

vs

iptables -A INPUT -p tcp --dport 80 -j ACCEPT   # --dport needs -p tcp (or -p udp)
iptables -A INPUT -j DROP

The reason I care is that I can't create a chain with logging and assign it as the default policy, so I would need to use the second example.


Solution 1:

From a technical viewpoint, no. The packet gets dropped either way.

But Sirex is quite correct in that it can be a bit painful if you forget something important when switching table default rules.

After spending some time with IPTables, you'll likely find a preference and build your systems around that in your environment.

Solution 2:

Yes. If you use a policy of DROP, and then connect over SSH and flush the table (iptables -F), you lock yourself out as the default policy is not flushed.

I have done this on a remote system. It hurt.

(Other lesson learnt, if you want to get rid of the firewall for a while, use service iptables stop, not iptables -F + service iptables reload)

A default policy is likely more secure from being easier to manage though. You can't forget to add it to the end.
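As an added example (not code from the question or either answer), the script below writes out both variants from the question side by side, with the explicit LOG-then-DROP chain the asker wanted as the final rule of the second variant, plus a reset function that sets the policies to ACCEPT before flushing so the lockout described in Solution 2 cannot happen. The chain name LOGDROP, the log prefix and the rate limit are assumptions chosen for the example; set IPT=echo to dry-run and print the commands, since running the real thing needs root and a host you are willing to re-firewall.

```shell
#!/bin/sh
# Added example: default-policy DROP vs. an explicit catch-all LOG+DROP rule,
# and a flush that does not lock out a remote session.
# IPT=echo makes every function print its commands instead of running them.
set -eu
IPT="${IPT:-iptables}"

# Variant 1: whatever no rule matches is dropped by the chain's default policy.
# Silent, and a later "iptables -F" leaves the DROP policy in place.
policy_variant() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
}

# Variant 2: policy stays ACCEPT; the last rule jumps to a user chain that
# logs (rate-limited) and then drops. A user-defined chain cannot be a policy
# target, so this is the only way to log the unmatched packets. The trade-off
# from Solution 2: if someone flushes INPUT, the host fails open instead of
# locking you out, and you must not forget the final -j LOGDROP rule.
logdrop_variant() {
    $IPT -P INPUT ACCEPT
    $IPT -N LOGDROP                      # assumed chain name
    $IPT -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
    $IPT -A LOGDROP -j DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -j LOGDROP             # must stay the last rule in INPUT
}

# Safe reset: open the policies first, then flush rules and delete user chains.
# Order matters: with the policy still DROP, "-F" alone cuts off remote access.
safe_reset() {
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -X
}

# Dry-run demonstration when executed directly: IPT=echo sh thisfile.sh
if [ "${IPT}" = "echo" ]; then
    echo "# variant 1"; policy_variant
    echo "# variant 2"; logdrop_variant
    echo "# safe reset"; safe_reset
fi
```

The useful habit either way is the order inside safe_reset: policies to ACCEPT, then flush, then delete chains. Whether you then prefer Variant 1 (nothing to forget at the end of the chain) or Variant 2 (logging, fails open on a flush) is the preference Solution 1 says you will settle on.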