Is it recommended to drop all traffic by default in iptables and then accept only what is required?


I was told using iptables -P OUTPUT DROP and then rules such as iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT to accept what is required didn’t do much from a security standpoint. Is that true?

This is what I am been using for some time (planning on implementing some SSH brute force rules shortly):

apt update apt install -y iptables-persistent iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -P FORWARD DROP iptables -P INPUT DROP iptables -P OUTPUT DROP iptables-save > /etc/iptables/rules.v4