Understanding Conflicting iptables Rules: Why Both “ACCEPT all” and “DROP all” Exist in INPUT Chain


3 views

When examining the provided iptables configuration, we notice two seemingly contradictory rules in the INPUT chain:

ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

The key to understanding this lies in how iptables processes rules sequentially:

# SSH brute force protection comes first
iptables -I INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --update

# Then come the specific ACCEPT rules
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# ... other port rules ...

# Followed by the catch-all ACCEPT
iptables -A INPUT -j ACCEPT

# And finally the DROP rule
iptables -A INPUT -j DROP

The verbose listing (iptables -v -L) reveals the true order:

  1. SSH brute force protection rules (inserted at top with -I)
  2. RELATED/ESTABLISHED connections
  3. Loopback interface (lo) acceptance
  4. Specific port rules (HTTP, SSH, etc.)
  5. Catch-all ACCEPT rule
  6. Final DROP rule

The apparent conflict resolves because:

  • The catch-all ACCEPT rule only processes packets that haven't matched any previous rules
  • The DROP rule comes after and catches any remaining packets
  • In practice, most legitimate traffic matches earlier specific rules

To verify which ports are actually open:

# Check MySQL port
nmap -p 3306 your.server.ip

# Check Postfix ports
nmap -p 25,587 your.server.ip

# Alternative using netstat
netstat -tulnp | grep -E '25|587|3306'

A more secure approach would be:

# Replace the catch-all ACCEPT with explicit rules
iptables -A INPUT -p tcp --dport 25 -j ACCEPT   # SMTP
iptables -A INPUT -p tcp --dport 587 -j ACCEPT  # Submission
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT # MySQL

# Then keep the final DROP
iptables -A INPUT -j DROP

When debugging firewall issues:

# View rules with counters
iptables -L -v -n --line-numbers

# Check packet counters for specific rules
iptables -L INPUT -v -n | grep 'ACCEPT.*anywhere.*anywhere'

# Reset counters to monitor traffic
iptables -Z

Remember that iptables processes rules in order, and the first matching rule determines the packet's fate. This explains why having both ACCEPT and DROP rules for the same traffic pattern isn't necessarily contradictory.

When examining your iptables configuration, the apparent contradiction between ACCEPT all and DROP all rules stems from how iptables processes rules sequentially. The key insight lies in understanding that:

# Rule processing flow:
1. -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
2. -A INPUT -i lo -j ACCEPT
3. Port-specific ACCEPT rules (SSH, HTTP, etc.)
4. -A INPUT -j DROP

Your concern about ports 25, 587, and 3306 is valid. These ports aren't explicitly allowed, which means:

$ telnet your.server.ip 3306
# Connection will fail because:
1. No explicit ACCEPT rule exists for port 3306
2. The general ACCEPT rule comes before DROP but doesn't match
3. Packets eventually hit the DROP rule

That mysterious ACCEPT all rule appearing in your listing is actually the implicit ACCEPT policy for the INPUT chain. The verbose output shows it's bound to the loopback interface:

25M 1524M ACCEPT     all  --  lo     any     anywhere             anywhere

For a production server, consider this more robust structure:

#!/bin/bash
iptables -F
iptables -P INPUT DROP  # Default deny policy
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Essential baseline rules
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Service-specific rules (add your needed ports)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT  # SMTP
iptables -A INPUT -p tcp --dport 587 -j ACCEPT # Submission
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT --src trusted-db-clients

When troubleshooting iptables:

# View rules with counters:
iptables -L -v -n

# Check specific port accessibility:
nc -zv your.server.ip 3306

Several issues stand out in the original configuration:

  • The catch-all ACCEPT rule was actually loopback-only but displayed confusingly
  • No rate limiting on sensitive ports beyond SSH
  • Missing explicit rules for required services