
I'm trying to set up some rules using iptables under Debian (Wheezy) and have been running into some problems, I think.

The policy of INPUT is set to DROP. Does this drop everything based on the rules I put into INPUT or is it like a standard ACL-list in some routers, meaning that everything not matched by the statements (if they are set with ACCEPT) will result in a DROP?

Take this as an example:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:ftp-data:ftp

Will these FTP packets be dropped, or will they be accepted and everything else dropped?

I hope I'm not messing it up too much.

2 Answers


"meaning that everything not matched by the statements (if they are set with ACCEPT) will result in a DROP?" - correct. It's a default.

Peter

From man iptables:

-j, --jump target
 This specifies the target of the rule; i.e., what to do
 if the packet matches it. The target can be...one of the
 special builtin targets which decide the fate of the
 packet immediately

and

ACCEPT means to let the packet through.

Logging always helps for understanding the flow. Try: iptables -A INPUT -j LOG.

If you're particularly trying to set up FTP, have a look at --state RELATED.

Mike
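The two answers above describe the same ruleset from two sides: the DROP policy is the default that catches anything no rule ACCEPTs, and a LOG rule plus `--state RELATED` make that default visible and make FTP's second connection work. The following script is an added example, not part of either answer: it generates an `iptables-restore` file for the filter table that puts those pieces together. Only the generation runs here; loading the result needs root and the netfilter modules. The FTP port (21) and the `INPUT-DROP:` log prefix are constructed values for the example.

```shell
#!/bin/sh
# Added example (not from the question or the answers): build an iptables-restore
# ruleset in which INPUT's policy is DROP and only explicitly listed traffic is
# ACCEPTed. Rules are evaluated top to bottom; the first rule with a terminating
# target (ACCEPT, DROP, REJECT) decides the packet, and anything that reaches the
# end of the chain gets the policy, i.e. DROP.

# Print a complete filter-table ruleset to stdout.
# $1 = FTP control port (constructed default for the example: 21).
build_input_ruleset() {
    ftp_port="${1:-21}"
    cat <<EOF
*filter
# Policy DROP on INPUT: the "default" the accepted answer refers to.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Local services talk over loopback; accept it first.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, plus RELATED connections such as
# the FTP data channel that the nf_conntrack_ftp helper ties to the control
# channel (this is what the second answer's --state RELATED hint refers to).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New inbound FTP control connections on the configured port.
-A INPUT -p tcp --dport ${ftp_port} -m state --state NEW -j ACCEPT
# Log (rate-limited so it cannot flood the kernel log) whatever is about to
# fall through to the DROP policy. Without this the default drop is silent.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: " --log-level 4
COMMIT
EOF
}

# Count the ACCEPT rules in the generated ruleset (used to sanity-check the
# output before loading it).
count_accept_rules() {
    build_input_ruleset "$1" | grep -c -- '-j ACCEPT'
}

# Stand-alone usage: print the ruleset so it can be reviewed and saved, e.g.
#   ./build-rules.sh 21 > /etc/iptables/rules.v4
# and then loaded with (as root):
#   modprobe nf_conntrack_ftp && iptables-restore < /etc/iptables/rules.v4
build_input_ruleset "${1:-21}"
```

Because `-m state --state ESTABLISHED,RELATED` sits before the FTP rule, passive-mode data connections are accepted via the conntrack helper rather than by opening a fixed port range like the `ftp-data:ftp` rule in the question; the helper module must be loaded for that to work. Watching `dmesg` or `/var/log/kern.log` for the `INPUT-DROP:` prefix shows exactly which packets the policy is dropping, which is usually the fastest way to find a missing ACCEPT rule.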