I was wondering, if was adviseable to set the default policy for tables nat and mangle to DROP.
I don't know if it is advisable or not but it is entirely possible. Just as you explicitly allow traffic in through your filter chains via matching rules you will have to explicitly allow traffic in through your nat / mangle chains respectively too. I've done this in the past and found it somewhat overkill but effective. I don't think traffic in the mangle / nat tables reaches up to the standard TCP/IP, UDP/IP stack for your daemons to accept or drop as in port not advisable if you try to connect to an unknown / not listening service. If you had someone hammering away at a port on your system you could very easily add a rule in either nat:PREROUTING or the respective mangle chains. I do know that when you start firewalling in the nat and mangle table things get a lot more complicated as traffic will pass through one or more chains before it even reaches the filter table (this is especially true with the mangle table) and thus more complicated. I can't give you a reason to not do this, other than possibly excessive complexity.
So do i need to need to go the extra mile and set the default policy for tables nat and mangle to DROP.
I don't think I would do it again unless I was excessively paranoid.
Grant. . . .
