What does an empty iptables mean?
Solution 1
Empty iptables rules simply mean you have no rules. Having no rules means the table “policy” controls what happens to each packet traversing that table. The policy ACCEPT on each table means that all packets are allowed through each table. Thus, you have no firewall active.
Solution 2
You don’t have any rules set up. Take a look at the following iptables tutorial on how to add your rules.
You can add your SSH rule like so, which will allow all SSH through Port 22:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Solution 3
I found this question when I wondered why iptables-save came up empty. So although it's not an answer for the OP I thought I'd leave this here :)
It turns out that iptables-save needs the iptable_filter (and/or iptable_nat) modules loaded.
root@mgmt:~# iptables-save
root@mgmt:~# modprobe iptable_filter
root@mgmt:~# iptables-save
# Generated by iptables-save v1.6.0 on Fri Aug 4 09:21:14 2017
*filter
:INPUT ACCEPT [7:488]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:424]
COMMIT
# Completed on Fri Aug 4 09:21:14 2017
This matters when you try to do a 'safe' test of some new rules:
iptables-save > /tmp/ipt.good; (sleep 60; iptables-restore < /tmp/ipt.good) & iptables-restore < iptables.rules.test
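The two situations described in the answers above, as an added example that is not part of the original answers: a shell helper that classifies an iptables-save dump as empty (no *filter section, so useless as the rollback snapshot in the timed test), open (INPUT policy ACCEPT with no INPUT rules) or filtered. The function names and the sample dumps are constructed for illustration.

```sh
#!/bin/sh
# classify_dump FILE prints one of:
#   empty    - no *filter section (e.g. iptable_filter not loaded)
#   open     - filter INPUT has policy ACCEPT and no rules: nothing is blocked
#   filtered - filter INPUT has rules or a non-ACCEPT policy
classify_dump() {
    awk '
        substr($0, 1, 1) == "*" { in_filter = ($0 == "*filter"); if (in_filter) have_filter = 1 }
        in_filter && /^:INPUT /   { policy = $2 }
        in_filter && /^-A INPUT / { rules++ }
        END {
            if (!have_filter) print "empty"
            else if (policy == "ACCEPT" && rules == 0) print "open"
            else print "filtered"
        }
    ' "$1"
}

# Succeeds only if FILE could restore a filter table after a failed test.
usable_snapshot() {
    [ "$(classify_dump "$1")" != "empty" ]
}

# Constructed sample dumps; open.dump mirrors the output shown above.
write_samples() {
    : > "$1/empty.dump"
    cat > "$1/open.dump" <<'EOF'
*filter
:INPUT ACCEPT [7:488]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:424]
COMMIT
EOF
    cat > "$1/filtered.dump" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

demo_dir=$(mktemp -d) && write_samples "$demo_dir"
for f in empty open filtered; do
    printf '%s.dump: %s\n' "$f" "$(classify_dump "$demo_dir/$f.dump")"
done
rm -rf "$demo_dir"
```

Running `usable_snapshot /tmp/ipt.good` between the save and the two restores stops the test before it relies on a snapshot that cannot roll anything back.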
Memochipan
Updated on September 18, 2022
Comments
-
Memochipan over 1 year
I’m using CentOS and when I type in the following iptables command:
iptables -L -v
The output is as follows:
Chain INPUT (policy ACCEPT 19614 packets, 2312K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13881 packets, 32M bytes)
 pkts bytes target     prot opt in     out     source               destination
What does this mean? I’m able to connect using SSH. Where can I see that rule?
-
Memochipan almost 12 years
Thanks, maybe I was not clear. I'm surprised that I can connect using SSH if I don't have any rule yet. What does an empty table mean? Allow all connections or what?
-
user1984103 almost 12 years
@Memochipan Note how the listing contains the policy: "policy ACCEPT" -> that's the default rule, which in this case, is accept all traffic. Your iptables is effectively disabled as a firewall without any rules to block traffic.
-
Giacomo1968 about 9 years
Not to be a nit-picker to what is a fairly simple question and answer post, but can’t policy ACCEPT be considered a rule in and of itself? Yes, it blocks 100% of nothing and filters no traffic, but still it is a rule in the context of iptables operational behavior.
-
Fran about 9 years
@JakeGould Sure, that makes sense. Still, iptables uses two distinct terms, rule and policy, and I was trying to stick to the tool's terminology.