The INPUT and OUTPUT chain policies are set to DROP. There are very few rules, allowing only specific traffic between directly cable-connected devices. However, if I temporarily add a cable that goes to the router, why can I initiate outgoing connections and receive answers, like doing apt update, even though there are no rules allowing HTTP traffic in or out?
I have noticed that if I add iptables -P FORWARD DROP then those outgoing connections don't work anymore. Why does the FORWARD chain have any impact on this?
raspberrypi:~ $ sudo iptables -nvL
Chain INPUT (policy DROP 332 packets, 244K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all
1254 79084 ACCEPT tcp
1453 2495K ACCEPT all
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 373 packets, 47731 bytes)
pkts bytes target prot opt in out source destination
1715 162K ACCEPT tcp
6 456 ACCEPT udp
952 156K ACCEPT all
Secondary question: Is there any risk in using those easy to recognize IP addresses between my internally and directly cable-connected devices? Could packets leak, because those are valid public addresses?
EDIT: adding requested info.

We are talking about the device "Raspi Client".
Output of iptables-save:
raspberrypi:~ $ sudo iptables-save
*nat
:PREROUTING ACCEPT [529:48304]
:INPUT ACCEPT [7:420]
:POSTROUTING ACCEPT [2465:187164]
:OUTPUT ACCEPT [2804:242065]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
COMMIT
*filter
:INPUT DROP [607:267621]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [394:50896]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 66.66.66.5/32 -d 66.66.66.3/32 -p tcp -m tcp --dport 21385 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 99.99.99.3/32 -d 99.99.99.2/32 -p tcp -m tcp --dport 5656 -j ACCEPT
-A OUTPUT -s 99.99.99.3/32 -d 99.99.99.2/32 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT