
I was wondering what's the difference between accept and drop policy in iptables.

Here's how I think it works:

Drop policy will drop all packets except those which you make rules for. So you open port manually and other ports are closed. Accept policy will accept all packets except those which you make rules for. So all ports on which currently some services are working are open and others are closed.

I did some research and most people advise the drop policy, because it's safer. I think as long as you know what services you are running there's no difference at all. Can somebody tell me if I'm wrong and explain?

sober
  • 11
  • 1

3 Answers

1

Back in ye olde days you allowed everything and only filtered out some known 'bad stuff'. This is equivalent to using ACCEPT policy. However this way of thinking is not best practice anymore. It is very easy to miss blocking something you don't want through, and new attacks, like amplification DDOS attacks develop all the time.

As such, best practice is now to only allow specific stuff you actually need. The reasoning is that you are going to notice if something that should be allowed through is not. And by having to allow everything manually you have to think more carefully about everything. This is the equivalent of DROP policy.

mzhaase
  • 3,798
  • 2
  • 20
  • 32
0

Accept policy will accept all packets except those which you make rules for.

The correct statement would be "Accept policy will accept all packets except those which you make reject or drop rules for."

Secondly why is it safer to have a default drop policy?

Otherwise you have to create a "reject or drop" rule for anybody to whom you don't want to give access.

For example, there are two hosts X and Y which want access to your server Z on port 111. You want to accept X and deny Y, in fact everyone except X. In this case you have to create two rules (if you have a default ACCEPT policy):

  • if source is X on d-port 111 ACCEPT
  • if any on d-port 111 DROP

But if you had a default DROP policy you would have to create only one rule:

  • if source is X on d-port 111 ACCEPT

The default drop will handle everything else.

Hope this helps!

Anirudh Malhotra
  • 1,290
  • 8
  • 11
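To make the two rule sets above concrete, here is an added example (not code from the answer) that models how an iptables chain reaches a verdict: rules are checked in order, the first match wins, and the chain policy decides anything unmatched. The host addresses, the unplanned listener on port 5000, and the `-p tcp` in the comments are assumptions for illustration.

```python
# Minimal model of an iptables chain: first matching rule wins, otherwise
# the chain policy (-P) applies. Used to compare default ACCEPT vs DROP.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    target: str                    # "ACCEPT" or "DROP"
    dport: Optional[int] = None    # None matches any destination port
    source: Optional[str] = None   # None matches any source address


def evaluate(policy: str, rules: List[Rule], source: str, dport: int) -> str:
    """Verdict for one packet: the first matching rule's target, else the policy."""
    for r in rules:
        port_ok = r.dport is None or r.dport == dport
        src_ok = r.source is None or r.source == source
        if port_ok and src_ok:
            return r.target
    return policy


# Constructed addresses: X is the only host allowed to reach port 111 on Z.
X, Y = "192.0.2.10", "192.0.2.20"

# Default ACCEPT policy needs two rules, as in the answer:
#   iptables -P INPUT ACCEPT
#   iptables -A INPUT -p tcp -s 192.0.2.10 --dport 111 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 111 -j DROP
ACCEPT_POLICY_RULES = [Rule("ACCEPT", 111, X), Rule("DROP", 111)]

# Default DROP policy needs only the allow rule:
#   iptables -P INPUT DROP
#   iptables -A INPUT -p tcp -s 192.0.2.10 --dport 111 -j ACCEPT
DROP_POLICY_RULES = [Rule("ACCEPT", 111, X)]


def verdicts(policy: str, rules: List[Rule]) -> Tuple[str, str, str]:
    """Verdicts for X->111, Y->111, and Y reaching an unplanned listener on 5000.

    The third case is where the policies differ: a service nobody wrote a
    rule for is reachable under default ACCEPT and blocked under default DROP.
    """
    return (
        evaluate(policy, rules, X, 111),
        evaluate(policy, rules, Y, 111),
        evaluate(policy, rules, Y, 5000),
    )


if __name__ == "__main__":
    print("ACCEPT policy:", verdicts("ACCEPT", ACCEPT_POLICY_RULES))
    print("DROP policy:  ", verdicts("DROP", DROP_POLICY_RULES))
```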
-1

There is no magic. There is a chain of rules, and the last line is ACCEPT or DROP. That is the meaning of the default policy. My opinion is that port filtering is not recommended in common cases. Run only the services you want to be reachable on external IPs; then you don't need to filter ports. That's all.

Ipor Sircer
  • 1,226
  • 7
  • 8
  • The problem is that your users and applications can start listeners on any available unprivileged port (port > 1024) which is something that as an admin you can't prevent, other than with a firewall policy. – HBruijn Oct 30 '16 at 15:02