Policies and rules perform two distinct functions:
Policies represent the default behavior of your iptables firewall. They tell iptables what to do if no rule deals with a particular packet. There are three possible policies you can set: ACCEPT, REJECT or DROP. Respectively, these tell iptables to accept the packet, to reject the packet and return an error message, or to drop the packet without sending an error message. Policies apply only to the three default chains in iptables: INPUT, OUTPUT, and FORWARD. To see a policy in action, consider a packet that is to be forwarded through your host. Netfilter checks the firewall and finds that no rule matches that packet, so the firewall's response is determined by the chain's policy. If you have set the default policy of the FORWARD chain to ACCEPT, the firewall forwards the packet; if you have set it to DROP, the packet is dropped. The best default policy for your firewall is DROP: you should only allow packets in, out and forwarded through your host if you explicitly grant that access.
Rules are the individual entries you tailor to respond to different packets, and they are far more granular than policies. Each rule specifies a set of criteria that match it to a particular type of packet, for example, only TCP packets arriving on a particular interface and destined for port 80. Each rule also has an associated action (its target) that determines what the firewall does with a packet that matches those criteria. There are a number of possible actions, and the Netfilter firewall can be very flexible in how it responds to traffic.
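As an added example (not from the original article), the following shell functions emit an iptables-restore ruleset that sets the default-DROP policies described above and then adds explicit rules, including the case of TCP to port 80 on a specific interface; the interface name and port number are assumed placeholders, and nothing is applied to the running kernel unless you pipe the output to iptables-restore as root.

```shell
#!/bin/sh
# Added example, not from the original article. Interface and port values are
# constructed assumptions; override them in the environment if needed.
WAN_IF="${WAN_IF:-eth0}"                      # assumed external interface
ALLOWED_TCP_PORT="${ALLOWED_TCP_PORT:-80}"    # service we explicitly expose

# Emit a ruleset in iptables-restore(8) format on stdout.
# Policy lines (":CHAIN POLICY [pkts:bytes]") set the default for each built-in
# chain; every "-A" line is an explicit rule evaluated before that default.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${WAN_IF} -p tcp --dport ${ALLOWED_TCP_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o ${WAN_IF} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i ${WAN_IF} -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -i ${WAN_IF} -j LOG --log-prefix "iptables-dropped: " --log-level 4
COMMIT
EOF
}

# Return the policy configured for a built-in chain in the generated ruleset.
policy_of() {
    build_ruleset | sed -n "s/^:$1 \([A-Z]*\) .*/\1/p"
}

# Count rules that accept new inbound TCP connections on the allowed port.
count_allowed_inbound() {
    build_ruleset | grep -c -- "^-A INPUT .*--dport ${ALLOWED_TCP_PORT} .*-j ACCEPT"
}

# Syntax check without applying anything (needs root and iptables installed):
#   build_ruleset | iptables-restore --test
```

Note that iptables accepts only ACCEPT and DROP as policies on the built-in chains; a "reject with an error" response is obtained with a rule that uses the REJECT target, as the port 113 line shows, and the final LOG rule records what the DROP policy will discard.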
This was first published in August 2005