iptables, default policy vs rules
Is there any difference between dropping unmatched packets with the default policy and dropping them with a -j DROP rule at the end?
Like:
iptables -P INPUT DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
vs
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -j DROP
The reason I care is that I can't create a chain with LOG and assign it as the default policy, so I would need to use the second example.
Solution 1:
From a technical viewpoint, no. The packet gets dropped either way.
But Sirex is quite correct in that it can be a bit painful if you forget something important when switching table default rules.
After spending some time with IPTables, you'll likely find a preference and build your systems around that in your environment.
Solution 2:
Yes. If you use a policy of DROP, and then connect over SSH and flush the table (iptables -F), you lock yourself out, as the default policy is not flushed.
I have done this on a remote system. It hurt.
(Other lesson learnt: if you want to get rid of the firewall for a while, use service iptables stop, not iptables -F + service iptables reload.)
A default policy is likely more secure, though, because it is easier to manage: you can't forget to add it to the end.
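Added example, not part of the thread: the combination the question is reaching for (a DROP policy as the safety net plus a log-and-drop user chain as the last INPUT rule) written as an iptables-restore file, with a check that the catch-all really is the last rule. The chain name LOGDROP, the open ports and the log rate limit are assumptions for the demo. Loading with iptables-restore replaces the table in one step, so there is no moment where a flushed table sits under a DROP policy with no ACCEPT rules, which is the lockout Solution 2 describes.

```shell
#!/bin/sh
# Added example (not from the original Q&A). Builds a filter-table ruleset
# in iptables-restore format with a DROP policy on INPUT and a user chain
# LOGDROP (hypothetical name) that logs and drops whatever the ACCEPT
# rules did not match. Ports 22/80 and the 5/min log limit are assumed.

# Print the ruleset. iptables-restore ignores lines starting with '#'.
build_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Allowed traffic first: the first matching rule wins.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
# Catch-all: everything else is logged and dropped. The DROP policy above
# only matters for packets that fall off the end, e.g. after iptables -F.
-A INPUT -j LOGDROP
# Rate-limited LOG so a flood cannot fill syslog, then DROP.
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables denied: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Returns 0 when the log-and-drop catch-all is the last INPUT rule;
# any -A INPUT rule placed after it would never be reached.
check_order() {
    last=$(printf '%s\n' "$1" | grep '^-A INPUT' | tail -n 1)
    [ "$last" = "-A INPUT -j LOGDROP" ]
}

# Validate, then load atomically. Without root this is a dry run.
# iptables-restore --test parses the ruleset without committing it.
apply_rules() {
    rules=$(build_rules)
    check_order "$rules" || { echo "catch-all is not the last INPUT rule" >&2; return 1; }
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: dry run, printing ruleset" >&2
        printf '%s\n' "$rules"
        return 0
    fi
    printf '%s\n' "$rules" | iptables-restore --test && \
    printf '%s\n' "$rules" | iptables-restore
}
```

Because the policy is set in the same file as the rules, a later reload never leaves the table half-built, and the LOGDROP chain gives the asker the logging a bare policy cannot. Replace the chain contents or ports as needed; keep -A INPUT -j LOGDROP as the last INPUT rule or the rules after it are dead.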