Simplifying IPTABLES rule set

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Simplifying IPTABLES rule set

Post by jlehtone » 2022/04/05 06:56:14

Both DROP and REJECT do drop the incoming packet. The difference is that REJECT sends a reply that explains why it did drop.

The --reject-with icmp-host-prohibited specifies what reply the REJECT sends. In this case it sends an ICMP packet of type "this host does not want to talk with you". The --reject-with is not part of the "match rule"; it is part of the "(re)action".

When you try to create a connection, you send a packet and then wait until you receive a reply -- or reach time-out. If you quickly receive a reply that connection cannot be created, then you don't have to wait long. The REJECT is polite and you surely want to be polite to friends?
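The DROP-versus-REJECT choice described above, shown as a complete minimal rule set. This is an added example, not a rule set posted by jlehtone or anyone else in the thread: a small shell function emits an iptables-restore file whose final INPUT rule is either the "polite" REJECT with icmp-host-prohibited or a silent DROP, with the same accept rules in front of it. The trusted network 192.0.2.0/24 (a documentation range) and the SSH-only service rule are assumed placeholders.

```shell
#!/bin/sh
# gen_rules MODE [TRUSTED_CIDR]
#   MODE is "reject" (fall through to REJECT --reject-with icmp-host-prohibited)
#   or "drop" (fall through to DROP). Everything before the final rule is
#   identical, so the only difference a remote client sees is whether a
#   refused connection fails immediately or waits for its own time-out.
# Output is in iptables-restore format (one table, ends with COMMIT).
gen_rules() {
    mode=${1:-reject}
    trusted=${2:-192.0.2.0/24}   # assumed example network, not from the thread

    case "$mode" in
        reject) final='-j REJECT --reject-with icmp-host-prohibited' ;;
        drop)   final='-j DROP' ;;
        *)      echo "gen_rules: unknown mode '$mode' (use reject|drop)" >&2
                return 1 ;;
    esac

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections we started, and related traffic (e.g. ICMP errors).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Loopback is always allowed.
-A INPUT -i lo -j ACCEPT
# Packets conntrack cannot classify get no polite reply.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP (ping, path MTU discovery) stays open.
-A INPUT -p icmp -j ACCEPT
# The one service offered: SSH, and only from the trusted network.
-A INPUT -s $trusted -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Fall-through action: this is the only line that differs between modes.
-A INPUT $final
-A FORWARD $final
COMMIT
EOF
}

# Count the rules (lines starting with -A) in a generated set; handy for
# checking that a "simplified" rule set really is shorter than the old one.
rule_count() {
    gen_rules "$@" | grep -c '^-A'
}
```

To syntax-check without touching the live firewall: `gen_rules reject | sudo iptables-restore --test`; drop the `--test` to load it. A client that hits the REJECT rule receives ICMP type 3 code 10 (host administratively prohibited), which Linux reports to the application as "No route to host" right away; against the DROP variant the same client sits in SYN retransmits until its connect time-out expires, which is the wait jlehtone refers to.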
