A Simple Question

Jan Engelhardt jengelh at linux01.gwdg.de
Thu Aug 11 07:54:56 CEST 2005

>iptables -P INPUT DROP
>iptables -P FORWARD DROP
>iptables -P INPUT ACCEPT
>...(other stuff here)...
>iptables -A INPUT -j DROP
>iptables -A FORWARD -j DROP
>Which is preferred for security and why?

Both equally work well. It's just a matter of which side you tackle the 
problem from. Compare with 3D-engine editing:

A Quake2 map starts with "air" and you've got to add walls -
  that's like -P ACCEPT and -j REJECT/DROP

An Unreal map starts with "everything filled" and you've got to subtract rooms -
  like -P DROP and -j ACCEPT

In fact, sometimes it is wise to alternate between the two methods within the 
same table. I've got this in some ruleset:

-p tcp -m multiport --dport someservices -j ACCEPT
(denying all other traffic)

-o $internal -j DROP
(allowing all other interfaces)

Just like Apache's "Order allow,deny" if you need another inspiration for 

Jan Engelhardt
| Alphagate Systems, http://alphagate.hopto.org/
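The two styles from the reply written out as complete iptables-restore rulesets, plus the mixed style the reply describes. This is an added example, not code from the post or from the netfilter project. It assumes an external interface "eth0", an internal interface "eth1", and reads the post's "someservices" placeholder as TCP ports 22 and 80; the helper names (ruleset_default_deny, chain_policy, after_flush and so on) are this example's own. The after_flush helper shows the one place the two styles stop being equivalent: "iptables -F" removes rules but not chain policies, so the -P DROP ruleset fails closed and the -P ACCEPT plus trailing -j DROP ruleset fails open.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: eth0 = external,
# eth1 = internal, "someservices" = TCP 22,80.

# Style 1 (the "Unreal map"): policy DROP, carve out what is allowed.
ruleset_default_deny() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80 -j ACCEPT
COMMIT
EOF
}

# Style 2 (the "Quake2 map"): policy ACCEPT, add walls, final rule drops the rest.
ruleset_default_accept() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
EOF
}

# Mixed style from the reply: INPUT is subtractive (holes in a default-deny
# chain), FORWARD is additive inside that same table (one wall towards the
# internal interface, then everything else is let through).
ruleset_mixed() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o eth1 -p tcp --dport 23 -j DROP
-A FORWARD -j ACCEPT
COMMIT
EOF
}

# chain_policy RULESET CHAIN: the policy line ":CHAIN POLICY [p:b]" -> POLICY
chain_policy() {
    printf '%s\n' "$1" | sed -n "s/^:$2 \([A-Z]*\) .*/\1/p"
}

# after_flush RULESET: what "iptables -F" leaves behind. Rules (-A lines) go,
# table header, chain policies and COMMIT stay, so the policy decides what
# the box does while the rules are gone.
after_flush() {
    printf '%s\n' "$1" | grep -E '^(\*|:|COMMIT)'
}

# Syntax-check a ruleset without loading it (needs root and iptables-restore).
# iptables-restore --test parses and builds the ruleset but does not commit it.
check_ruleset() {
    if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        printf '%s\n' "$1" | iptables-restore --test
    else
        echo "skipping iptables-restore --test (not root or tool missing)" >&2
    fi
}

# Usage: sh rulesets.sh deny|accept|mixed  prints the chosen ruleset;
#        sh rulesets.sh deny | iptables-restore --test  checks it as root.
case "${1:-}" in
    deny)   ruleset_default_deny ;;
    accept) ruleset_default_accept ;;
    mixed)  ruleset_mixed ;;
esac
```

Running after_flush over both rulesets makes the difference visible: the default-deny version still reads ":INPUT DROP" once its rules are gone, while the default-accept version reads ":INPUT ACCEPT" with no trailing DROP left anywhere. Whichever style is chosen, a ruleset should be loaded atomically with iptables-restore rather than built up rule by rule, so there is no window in which only half of it is active.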
