Linux IPTables: Incoming and Outgoing Rule Examples (SSH and HTTP)
In our previous IPTables firewall series article, we reviewed how to add a firewall rule using “iptables -A”.
We also explained how to allow incoming SSH connections. At a high level, it involves the following 3 steps.
1. Delete all existing rules: “iptables -F”
2. Allow only incoming SSH: “iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT”
3. Drop all other incoming packets: “iptables -A INPUT -j DROP”
The above works, but it is not complete. One problem with the above steps is that they don’t restrict outgoing packets.
Default Chain Policy
The default policy of a chain is ACCEPT. If you don’t know what a chain means, you should read our iptables introduction article first. So the default policy of both the INPUT and OUTPUT chains is ACCEPT. In the above 3 steps we dropped all incoming packets at the end (except incoming SSH). However, we didn’t restrict the outgoing traffic at all.
As you can see below, it says “(policy ACCEPT)” next to all three chain names (INPUT, OUTPUT, and FORWARD). This indicates that the default policy of each chain is ACCEPT, so anything not matched by a rule is allowed through.
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere
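The following script is an added example, not code from the original article: it completes the three steps above by also setting the default policy of every chain to DROP and allowing only the outgoing packets that belong to an established SSH session. The interface name eth0 and the dry-run wrapper are assumptions; by default the script only prints the iptables commands so they can be reviewed, and it executes them only when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example (not from the original article). IFACE is an assumption; eth0
# matches the interface used in the article's own rule.
IFACE="${IFACE:-eth0}"

# Dry-run wrapper: print the command unless APPLY=1 is set. Applying a DROP
# policy on OUTPUT over a remote session without the matching OUTPUT rule
# would cut that session, so review the output first.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

ssh_only_ruleset() {
    # 1. Delete all existing rules in the filter table.
    run iptables -F
    # 2. Change the default policy of every chain from ACCEPT to DROP, so
    #    packets that match no rule are dropped in both directions.
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -P FORWARD DROP
    # 3. Incoming SSH: accept new connections to port 22 and the later
    #    packets of those connections.
    run iptables -A INPUT -i "$IFACE" -p tcp --dport 22 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # 4. Outgoing SSH replies: only packets leaving from port 22 that belong
    #    to a connection conntrack already knows about. Nothing else may leave.
    run iptables -A OUTPUT -o "$IFACE" -p tcp --sport 22 \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

ssh_only_ruleset
```

Because the OUTPUT policy is DROP, the ESTABLISHED rule on step 4 is what lets the SSH replies out; without it the incoming rule alone would still leave the session unusable.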