iptables, default policy vs rules

linux iptables

Is there any difference in dropping not-matched packets with default policy vs -j DROP on the end?

Like:

iptables -P INPUT DROP
iptables -A INPUT --dport 80 -j ACCEPT

vs

iptables -A INPUT --dport 80 -j ACCEPT
iptables -A INPUT -j DROP

The reason why I care is because I can't create chain with log and assing it as default policy so I would need to use the second example.


Solution 1:

From a technical viewpoint, No. The packet gets dropped either way.

But Sirex is quite correct in that it can be a bit painful if you forget something important when switching table default rules.

After spending some time with IPTables, you'll likely find a preference and build your systems around that in your environment.

Solution 2:

Yes. If you use a policy of DROP, and then connect over SSH and flush the table (iptables -F), you lock yourself out as the default policy is not flushed.

I have done this on a remote system. It hurt.

(Other lesson learnt, if you want to get rid of the firewall for a while, use service iptables stop, not iptables -F + service iptables reload)

A default policy is likely more secure from being easier to manage though. You can't forget to add it to the end.

Related

Vagrant shared folder and file change events
Linux: How to pass parameters to `service foo start` (at command line)?
Running systemd inside a docker container (arch linux)
How to determine if google public stun server is alive or usable? [closed]
How to reset a Harddisk (delete Mbr & delete Partitions) from the Command Line with a script without rebooting?
Find out which DNS server answered your query
HTTP Compression on IIS 6.0 (Windows Server 2003)
How do you document windows server configurations?
What are the correct permissions for /etc/init.d/ scripts?
Exclude only some files with the same name when copying using robocopy
Web based KVM management for Ubuntu
How do I make a wildcard package search using apt-get?