
For an iptables(8) firewall that is otherwise "properly locked down" in the filter table, is there any use in employing DROP, REJECT or similar terminating, "blocking or disabling" rules in non-filter tables, namely the nat table (or the mangle, raw, or security tables for that matter)?

We specifically want to close any potential "holes" in our firewall.

NAT's POSTROUTING chain does not accept a DROP or REJECT target on at least one of our team's systems:

$ iptables -t nat -P POSTROUTING DROP
iptables v1.6.1:
The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.


Try `iptables -h' or 'iptables --help' for more information.
$
$ iptables -t nat -P POSTROUTING REJECT
iptables: Bad policy name. Run `dmesg' for more information.
$
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.4 LTS
Release:    18.04
Codename:   bionic
$
  • I cross-posted to reddit: https://www.reddit.com/r/linuxadmin/comments/gqjtfq/iptables_employ_drop_or_reject_rules_in/ – Johnny Utahh May 25 '20 at 21:33

1 Answer


Short answer: no.

Excerpt from reddit:

"Packets can't skip the filter table, so dropping packets from an additional table doesn't buy you any additional security [...]"

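The answer's reasoning suggests a simple audit: every packet that a filter-table chain can see must pass through filter, so what needs verifying is that the filter table's INPUT and FORWARD chains default to DROP, and any DROP or REJECT placed in nat, mangle, raw or security is at best redundant clutter. The following script is an added example, not part of the original question or answer. It parses an `iptables-save`-style dump (the `SAMPLE_RULESET` below is constructed for illustration and is not from the poster's system), reports the filter table's default policies, and flags terminating targets in non-filter tables. It only needs POSIX sh and awk, so it can run against a saved dump without touching the live ruleset.

```shell
#!/bin/sh
# Constructed iptables-save dump (assumption: not from any real host).
# filter is locked down, but someone also sprinkled DROP into raw and mangle.
SAMPLE_RULESET='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 198.51.100.0/24 -j DROP
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 203.0.113.0/24 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# audit_ruleset: reads an iptables-save dump on stdin and prints one line per finding:
#   FILTER_POLICY <chain> <policy>   default policy of each built-in filter chain
#   MISPLACED <table> <rule>         DROP/REJECT rule living outside the filter table
audit_ruleset() {
    awk '
        /^\*/ { table = substr($0, 2); next }          # "*nat" starts a new table
        /^:/ && table == "filter" {                    # ":INPUT DROP [0:0]"
            split(substr($0, 2), f, " ")
            printf "FILTER_POLICY %s %s\n", f[1], f[2]
            next
        }
        /^-A / && table != "filter" && / -j (DROP|REJECT)( |$)/ {
            printf "MISPLACED %s %s\n", table, $0
        }
    '
}

# count_misplaced: number of terminating rules found outside the filter table.
count_misplaced() {
    audit_ruleset | awk '/^MISPLACED/ { n++ } END { print n + 0 }'
}

# filter_policy CHAIN: default policy of the named filter chain (empty if absent).
filter_policy() {
    audit_ruleset | awk -v c="$1" '$1 == "FILTER_POLICY" && $2 == c { print $3 }'
}

# Usage against the embedded sample; for a live host pipe `iptables-save` in instead.
printf '%s\n' "$SAMPLE_RULESET" | audit_ruleset
```

A non-zero `count_misplaced` is not a hole, it is a sign the ruleset is harder to reason about than it needs to be; the security-relevant lines are the `FILTER_POLICY` ones for INPUT and FORWARD. Note that on the iptables 1.6.1 shown in the question, a `-j DROP` in nat would already be refused at load time, so the nat table cannot contribute a `MISPLACED` finding there.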