What is the default action for incoming packets that don't match explicit iptables rules?

networking security iptables

6,403

Solution 1

It depends on your policy, you can set to reject or accept if incoming packets don't explicity match rules (I think by default it will DROP). You can set default policy by using -P option:

# accept by default
iptables -P INPUT ACCEPT

# drop by dèault
iptables -P INPUT DROP

Solution 2

(iptables -L INPUT; iptables -L OUTPUT; iptables -L FORWARD) | grep policy
Chain INPUT (policy DROP)
Chain OUTPUT (policy ACCEPT)
Chain FORWARD (policy DROP)

iptables -P sets the policy for a chain.

man iptables:

Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.

The big difference from a structure perspective is: If a user defined chain reaches its end without an explicit decision then the control flow goes back to the calling chain from whose perspective the jump to the called chain was just like any other rule which either matches or doesn't.

6,403

Mike B

Updated on September 18, 2022

Comments

Mike B over 1 year

CentOS 5.x

I'd like to understand what is specifically happening to incoming packets that don't explicitly match rules in my iptables chains. Is the default action to reject them? Or drop them? How/where can I set this?

Here's an example output of my firewall setup (some ports have been modified to protect the innocent :-) ) :

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:456
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

The key point though is that I have a different chain called RH-Firewall-1-INPUT that doesn't have an explicit (policy ACCEPT) or (policy REJECT) statement. What would be the default behavior for that (assuming of course that I'm NOT matching any of the prior rules). Is the last line just a "catch all"?

Mike B about 10 years

I have another chain that doesn't explicitly have a single policy action in parenthesis. I've updated the question description. Can you please review?