I am currently trying to learn how iptables works. I have read the following:
When a packet arrives (or leaves, depending on the chain), iptables matches it against rules in these chains one-by-one. When it finds a match, it jumps onto the target and performs the action associated with it. If it doesn’t find a match with any of the rules, it simply does what the default policy of the chain tells it to. The default policy is also a target. 1
I have now set up my INPUT chain on the filter table like this:
$ iptables -S INPUT
-P INPUT ACCEPT
-A INPUT -i wg0 -j ACCEPT
Pinging the machine (10.0.0.1) from another machine (10.0.0.2) using the wg0 interface now works.
Using iptables -S INPUT -v, I can also see that the rule matches since the packet and bytes counters are increasing.
Adding a log target with iptables -I INPUT -i wg0 -j LOG --log-prefix "INPUT-wg0: " further confirms this. I can now see the packets using dmesg -w.
However, when I now set the default policy to DROP, no packets are logged anymore and pinging is no longer possible:
$ iptables -S INPUT
-P INPUT DROP
-A INPUT -i wg0 -j LOG --log-prefix "INPUT-wg0: "
-A INPUT -i wg0 -j ACCEPT
I don't understand this. I thought the target of the first matching rule will be used? (The LOG target seems to be an exception)
The rules matched before and thus should still match even after the default policy was changed, right?
I would be very happy if someone could explain this link's behavior to me.
Output of iptables-save while pinging works:
# Generated by iptables-save v1.8.8 on Fri Dec 23 06:18:42 2022
*mangle
:PREROUTING ACCEPT [31842:2917695]
:INPUT ACCEPT [28740:2664375]
:FORWARD ACCEPT [3102:253320]
:OUTPUT ACCEPT [23607:5802958]
:POSTROUTING ACCEPT [26366:6035482]
COMMIT
# Completed on Fri Dec 23 06:18:42 2022
# Generated by iptables-save v1.8.8 on Fri Dec 23 06:18:42 2022
*raw
:PREROUTING ACCEPT [217327:66651913]
:OUTPUT ACCEPT [102949:46884985]
COMMIT
# Completed on Fri Dec 23 06:18:42 2022
# Generated by iptables-save v1.8.8 on Fri Dec 23 06:18:42 2022
*nat
:PREROUTING ACCEPT [115:6688]
:INPUT ACCEPT [49:2632]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [62:3720]
-A POSTROUTING -s 10.0.0.0/24 -o wg0 -j MASQUERADE
COMMIT
# Completed on Fri Dec 23 06:18:42 2022
# Generated by iptables-save v1.8.8 on Fri Dec 23 06:18:42 2022
*filter
:INPUT ACCEPT [974:119665]
:FORWARD ACCEPT [474:28440]
:OUTPUT ACCEPT [558:81105]
-A INPUT -i wg0 -j ACCEPT
-A FORWARD -i wg0 -o wg0 -j ACCEPT
COMMIT
# Completed on Fri Dec 23 06:18:42 2022
Output of iptables-save after changing default policy of INPUT chain to DROP and pinging no longer works:
# Generated by iptables-save v1.8.8 on Fri Dec 23 06:22:19 2022
*mangle
:PREROUTING ACCEPT [32468:2982249]
:INPUT ACCEPT [29284:2723905]
:FORWARD ACCEPT [3184:258344]
:OUTPUT ACCEPT [23854:5839963]
:POSTROUTING ACCEPT [26695:6077511]
COMMIT
# Completed on Fri Dec 23 06:22:19 2022
# Generated by iptables-save v1.8.8 on Fri Dec 23 06:22:19 2022
*raw
:PREROUTING ACCEPT [217953:66716467]
:OUTPUT ACCEPT [103193:46921614]
COMMIT
# Completed on Fri Dec 23 06:22:19 2022
# Generated by iptables-save v1.8.8 on Fri Dec 23 06:22:19 2022
*nat
:PREROUTING ACCEPT [165:9268]
:INPUT ACCEPT [73:3868]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [71:4260]
-A POSTROUTING -s 10.0.0.0/24 -o wg0 -j MASQUERADE
COMMIT
# Completed on Fri Dec 23 06:22:19 2022
# Generated by iptables-save v1.8.8 on Fri Dec 23 06:22:19 2022
*filter
:INPUT DROP [205:26532]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26:9060]
-A INPUT -i wg0 -j ACCEPT
-A FORWARD -i wg0 -o wg0 -j ACCEPT
COMMIT
# Completed on Fri Dec 23 06:22:19 2022
(There are some additional rules related to my Wireguard VPN setup here which I didn't mention but they didn't seem to be relevant for my default policy question)
