What does an empty iptables mean?

26,196

Solution 1

Empty iptables rules simply mean you have no rules. Having no rules means the table “policy” controls what happens to each packet traversing that table. The policy ACCEPT on each table means that all packets are allowed through each table. Thus, you have no firewall active.

Solution 2

You don’t have any rules set up. Take a look at the following iptables tutorial on how to add your rules.

You can add your SSH rule like so, which will allow all SSH through Port 22:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT     

Solution 3

I found this question when I wondered why iptables-save came up empty. So although it's not an answer for the OP I thought I'd leave this here :)

It turns out that iptables-save needs the iptable_filter (and/or iptable_nat) modules loaded.

root@mgmt:~# iptables-save 
root@mgmt:~# modprobe iptable_filter
root@mgmt:~# iptables-save 
# Generated by iptables-save v1.6.0 on Fri Aug  4 09:21:14 2017
*filter
:INPUT ACCEPT [7:488]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:424]
COMMIT
# Completed on Fri Aug  4 09:21:14 2017

This matters when you try to do a 'safe' test of some new rules:

iptables-save > /tmp/ipt.good; (sleep 60; iptables-restore < /tmp/ipt.good) & iptables-restore < iptables.rules.test
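As an added example (not from any of the answers above), a small Python parser for the iptables-save format shown in Solution 3 that classifies what a dump means: no tables at all (the module is not loaded, as Solution 3 found), empty chains with ACCEPT policies (no firewall at all, as Solution 1 says), or rules present under permissive or restrictive policies. The sample dumps are constructed; the first mirrors the output quoted in Solution 3.

```python
import re
from dataclasses import dataclass, field

# Constructed sample dumps: EMPTY_DUMP mirrors Solution 3's output; SSH_DUMP adds
# Solution 2's rule to a table whose policies are still ACCEPT.
EMPTY_DUMP = """# Generated by iptables-save
*filter
:INPUT ACCEPT [7:488]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:424]
COMMIT
"""
SSH_DUMP = """*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

@dataclass
class Table:
    policies: dict = field(default_factory=dict)  # built-in chain -> policy
    rules: list = field(default_factory=list)     # raw "-A ..." lines

def parse_iptables_save(text):
    """Parse iptables-save text into {table_name: Table}; user chains (policy '-') are skipped."""
    tables, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], Table())
        elif line.startswith(":") and cur is not None:
            m = re.match(r":(\S+)\s+(\S+)\s+\[\d+:\d+\]", line)
            if m and m.group(2) != "-":
                cur.policies[m.group(1)] = m.group(2)
        elif line.startswith("-A") and cur is not None:
            cur.rules.append(line)
        elif line == "COMMIT":
            cur = None
    return tables

def assess_filter(text):
    """'no-tables' (module not loaded), 'open' (no rules, all ACCEPT), 'permissive-with-rules', or 'filtered'."""
    f = parse_iptables_save(text).get("filter")
    if f is None:
        return "no-tables"
    all_accept = all(p == "ACCEPT" for p in f.policies.values())
    if not f.rules and all_accept:
        return "open"  # every chain falls through to ACCEPT: nothing is filtered
    return "permissive-with-rules" if all_accept else "filtered"
```

Note that SSH_DUMP is classified as permissive: an ACCEPT rule added to chains whose policy is already ACCEPT does not restrict anything, so the same rule only becomes meaningful once the INPUT policy is DROP.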
Author by Memochipan

Updated on September 18, 2022

Comments

  • Memochipan over 1 year

    I’m using CentOS and when I type in the following iptables command:

    iptables -L -v
    

    The output is as follows:

    Chain INPUT (policy ACCEPT 19614 packets, 2312K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 13881 packets, 32M bytes)
     pkts bytes target     prot opt in     out     source               destination


    What does this mean? I’m able to connect using SSH. Where can I see that rule?

  • Memochipan almost 12 years
    Thanks, maybe I was not clear. I'm surprised that I can connect using SSH if I don't have any rules yet. What does an empty table mean? Allow all connections, or what?
  • user1984103 almost 12 years
    @Memochipan Note how the listing contains the policy: "policy ACCEPT" -> that's the default rule, which in this case, is accept all traffic. Your iptables is effectively disabled as a firewall without any rules to block traffic.
  • Giacomo1968 about 9 years
    Not to be a nit-picker to what is a fairly simple question and answer post, but can’t policy ACCEPT be considered a rule in and of itself? Yes, it blocks 100% of nothing and filters no traffic, but still it is a rule in the context of iptables operational behavior.
  • Fran about 9 years
    @JakeGould Sure, that makes sense. Still, iptables uses two distinct terms, rule and policy, and I was trying to stick to the tool's terminology.