Originally Posted by aboka
so could you elaborate more on '...makes it harder to add another ACCEPT clause on the fly'?
If you were to run a command like
Code:
/sbin/iptables -A INPUT ...
after those other rules are in place, that command will fail because the "-A INPUT -j DROP" command will precede it. Without that directive, any additional ACCEPT statements will simply be treated as exceptions to the overall INPUT policy.
You can get around this limitation in some cases by using "-I INPUT" to put the added rule at the top of the chain. That might not be the correct place for it though.
As for forwarding, first off, Ubuntu, like most modern distributions, blocks the forwarding of packets between interfaces. Without a change to the file /etc/sysctl.conf, the default forwarding policy is thus DENY. If you enable packet forwarding in sysctl.conf, then you would need FORWARD rules to control which packets can be passed between interfaces.
I usually set the default OUTPUT policy to ACCEPT unless there's some specific reason not to. Those cases are rare.
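A toy first-match model of the chain-ordering point made in this reply, added here as an illustration and not code from the thread; the helper names and the sample rules (ports 22 and 80) are assumptions chosen for the demo, not a real iptables invocation.

```shell
#!/bin/sh
# Toy model of an iptables chain: one rule per line, "<dport|any> <target>".
# The kernel walks a chain top to bottom and stops at the first matching
# rule, so where a rule lands in the chain decides whether it ever fires.
CHAIN=""

# "-A INPUT": append the rule at the end of the chain
append_rule() { CHAIN="${CHAIN}$1 $2
"; }

# "-I INPUT": insert the rule as rule number 1 (top of the chain)
insert_rule() { CHAIN="$1 $2
${CHAIN}"; }

# verdict <dport> [policy]: first matching rule wins; if no rule matches,
# the chain policy ("-P INPUT ...", default ACCEPT here) decides.
verdict() {
    dport=$1; policy=${2:-ACCEPT}
    old_ifs=$IFS; IFS='
'
    for rule in $CHAIN; do
        IFS=$old_ifs
        set -- $rule
        if [ "$1" = any ] || [ "$1" = "$dport" ]; then
            echo "$2"; return 0
        fi
    done
    IFS=$old_ifs
    echo "$policy"
}

# Ruleset from the thread: allow ssh, then a blanket "-A INPUT -j DROP".
base_chain() { CHAIN=""; append_rule 22 ACCEPT; append_rule any DROP; }

# Appending an HTTP ACCEPT afterwards lands it below the DROP: never reached.
appended_http() { base_chain; append_rule 80 ACCEPT; verdict 80; }

# Inserting it with -I puts it above the DROP, so it takes effect.
inserted_http() { base_chain; insert_rule 80 ACCEPT; verdict 80; }

# Without the catch-all rule, "-P INPUT DROP" as the policy lets appended
# ACCEPT rules act as exceptions to the policy, whatever their order.
policy_http() { CHAIN=""; append_rule 22 ACCEPT; append_rule 80 ACCEPT; verdict 80 DROP; }

# An unmatched port under the policy-based setup still falls through to DROP.
policy_other() { CHAIN=""; append_rule 22 ACCEPT; verdict 443 DROP; }
```

Run `appended_http` and `inserted_http` side by side to see the same ACCEPT rule give different verdicts purely because of its position.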