What does an empty iptables mean?

17

1

I’m using CentOS and when type in the following iptables command:

iptables -L -v

The output is as follows:

Chain INPUT (policy ACCEPT 19614 packets, 2312K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13881 packets, 32M bytes)
 pkts bytes target     prot opt in     out     source               destination

What does this mean? I’m able to connect using SSH. Where can I see that rule?

Memochipan

Posted 2012-06-14T21:40:25.307

Reputation: 273

Answers

20

Empty iptables rules simply mean you have no rules. Having no rules means the table "policy" controls what happens to each packet traversing that table. The policy ACCEPT on each table means that all packets are allowed through each table. Thus, you have no firewall active.

Fran

Posted 2012-06-14T21:40:25.307

Reputation: 4 774

Not to be a nit-picker to what is a fairly simple question and answer post, but can’t policy ACCEPT be considered a rule in and of itself? Yes, it blocks 100% of nothing and filters no traffic, but still it is a rule in the context of iptables operational behavior. – JakeGould – 2015-04-07T06:17:58.870

@JakeGould Sure, that makes sense. Still, iptables uses two distinct terms, rule and policy, and I was trying to stick to the tool's terminology. – Fran – 2015-04-25T18:30:21.940

4

You don’t have any rules set up. Take a look at the following iptables tutorial on how to add your rules.

You can add your SSH rule like so, which will allow all SSH through Port 22:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT     

Paul

Posted 2012-06-14T21:40:25.307

Reputation: 4 434

@Memochipan Yes this is an old thread, but the simple analogy is that you have a door with a lock on it, but nobody is locking the door. So if iptables is installed you have the potential to set up rules. But if there are no rules, there is nothing; the door is not locked and everyone can walk right through it. – JakeGould – 2015-04-07T06:20:17.367

Thanks, maybe I was not clear. I'm surprised that I can connect using SSH if I don't have any rule yet. What does an empty table mean? Allow all connections, or what? – Memochipan – 2012-06-15T03:48:07.587

@Memochipan Note how the listing contains the policy: "policy ACCEPT" -> that's the default rule, which in this case, is accept all traffic. Your iptables is effectively disabled as a firewall without any rules to block traffic. – Darth Android – 2012-06-15T15:27:04.640
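To make the "policy, not rules" point checkable, here is an added audit script (not from the thread) that reads an iptables -L -v listing, prints each chain's policy and rule count, and flags the fully open state shown in the question. Both listings inside it are constructed samples: the first mirrors the question's output, the second is what the filter table looks like after the SSH rule from the other answer is added.

```shell
#!/bin/sh
# Added example (not from the thread): audit an `iptables -L -v` listing and
# report, per chain, the policy and how many rules it holds. The "empty" state
# from the question is every chain at policy ACCEPT with zero rules.

# Constructed sample, shaped like the listing in the question.
SAMPLE_EMPTY='Chain INPUT (policy ACCEPT 19614 packets, 2312K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13881 packets, 32M bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed sample after the SSH rule from the second answer was added.
SAMPLE_SSH='Chain INPUT (policy ACCEPT 2 packets, 120 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   840 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Reads a listing on stdin; prints "CHAIN POLICY RULECOUNT" per chain.
# User-defined chains have no policy, so they are printed with "-".
audit_chains() {
    awk '
        /^Chain / { if (chain != "") print chain, policy, rules
                    chain = $2; rules = 0
                    policy = ($3 == "(policy") ? $4 : "-"; next }
        /^ *pkts / { next }        # column header line
        NF > 0     { rules++ }     # any other non-blank line is a rule
        END        { if (chain != "") print chain, policy, rules }'
}

# Succeeds when some chain filters something (a rule or a non-ACCEPT policy);
# fails on the fully open state that the question shows.
firewall_active() {
    audit_chains | awk '$2 != "ACCEPT" || $3 > 0 { found = 1 } END { exit !found }'
}

for sample in "$SAMPLE_EMPTY" "$SAMPLE_SSH"; do
    printf '%s\n' "$sample" | audit_chains
    printf '%s\n' "$sample" | firewall_active && echo "=> filtering in effect" \
        || echo "=> open: every chain is policy ACCEPT, no rules"
done
```

On a live host, `iptables -L -v -n | audit_chains` gives the same report; note that without `-t` only the filter table is listed, so nat and mangle rules are not counted.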

0

I found this question when I wondered why iptables-save came up empty. So although it's not an answer for the OP I thought I'd leave this here :)

It turns out that iptables-save needs the iptable_filter (and/or iptable_nat) modules loaded.

root@mgmt:~# iptables-save 
root@mgmt:~# modprobe iptable_filter
root@mgmt:~# iptables-save 
# Generated by iptables-save v1.6.0 on Fri Aug  4 09:21:14 2017
*filter
:INPUT ACCEPT [7:488]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:424]
COMMIT
# Completed on Fri Aug  4 09:21:14 2017

This matters when you try to do a 'safe' test of some new rules:

iptables-save > /tmp/ipt.good; (sleep 60; iptables-restore < /tmp/ipt.good) & iptables-restore < iptables.rules.test

lbt

Posted 2012-06-14T21:40:25.307

Reputation: 101