When running service iptables status on 2 CentOS servers,

  • one server has policy ACCEPT in Chain INPUT, Chain FORWARD, and Chain OUTPUT
  • another server has policy DROP in Chain INPUT and Chain FORWARD; while policy ACCEPT in Chain OUTPUT

What is the meaning of policy ACCEPT and policy DROP?

...and how to change from policy ACCEPT to policy DROP and from policy DROP to policy ACCEPT?

2 Answers

ACCEPT means that the default policy for that chain, if there are no matching rules, is to allow the traffic.

DROP does the opposite.

The following rule will change the policy for inbound traffic to DROP:

iptables --policy INPUT DROP

The manpage for iptables should be able to give you the rest of the info you would need to make other policy changes as necessary.

MDMarra
  • This may well not need saying but it is unwise to do the above on a server to which you are remotely logged in! – MadHatter Oct 11 '10 at 14:30
  • Right! Make yourself an exception for port 22 in the input chain first! – MDMarra Oct 11 '10 at 23:56
  • If I change input policy to accept, does it mean I have opened all ports or something, leaving my server exposed to random attacks? I am trying to fix input HTTP connection issues (SSH works) and stumbled here while searching for why iptables says INPUT policy is DROP – Zia Ul Rehman Mughal Jan 30 '21 at 10:59
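A safe order for the change this answer shows and the comments warn about, as an added example (not MDMarra's code): the ACCEPT rules for established traffic and for SSH go in before the default is flipped to DROP, and a small helper reads a chain's policy back from the "Chain INPUT (policy DROP)" line seen in service iptables status output. It assumes sshd listens on tcp/22 and uses a constructed sample listing; setting IPTABLES=echo previews the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the answers above: flip the INPUT chain to a DROP
# default policy without locking yourself out, and read a chain's policy back
# from `iptables -L` / `service iptables status` output.
# Assumptions: sshd listens on tcp/22 (SSH_PORT); IPTABLES may be set to
# "echo" to preview the commands instead of applying them.
IPTABLES="${IPTABLES:-iptables}"
SSH_PORT="${SSH_PORT:-22}"

harden_input_chain() {
    # Keep already-open sessions (including the one you are typing in) and
    # replies to connections this host initiated.
    "$IPTABLES" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Local services talk to each other over loopback.
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    # New SSH connections must still be accepted so you can get back in.
    "$IPTABLES" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # Only now change the default: anything the rules above did not match
    # is dropped. Doing this step first is how you lose the session.
    "$IPTABLES" --policy INPUT DROP
}

relax_input_chain() {
    # The reverse change asked about in the question: back to the permissive default.
    "$IPTABLES" --policy INPUT ACCEPT
}

# Print a chain's default policy from listing output read on stdin, e.g.
# the line "Chain INPUT (policy DROP)" yields "DROP".
chain_policy() {
    sed -n "s/^Chain $1 (policy \([A-Z]*\).*/\1/p"
}

# Constructed sample of what the second server in the question reports.
SAMPLE_STATUS='Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Preview without touching the firewall:
#   printf '%s\n' "$SAMPLE_STATUS" | chain_policy INPUT
#   ( IPTABLES=echo; harden_input_chain )
```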
The policy defines the target for packets that get to the end of the chain.

Ignacio Vazquez-Abrams