Iptables

Why to use REJECT instead of DROP

General

Tables

Four tables - filter Filtering rules - nat NAT rules - mangle Special rules that alter packet data - raw Rules that should function independently of the Netfilter connection-tracking subsystem

Matches

  • --source (-s) Match on a source IP address or network
  • --destination (-d) Match on a destination IP address or network
  • --protocol (-p) Match on an IP value
  • --in-interface (-i) Input interface
  • --out-interface (-0) Output interface
  • --state Match on a set of connection states. INVALID, ESTABLISHED, RELATED
  • --string Match on a sequence of application layer data bytes
  • --comment Associate up to 256 bytes of comment data with a rule within kernel memory

Targets

  • ACCEPT Packet continues on its way
  • DROP Drops a packet. The receiving stack will never see this packet and won't be able to send a ICMP message, for example.
  • LOG Logs a packet to syslog
  • REJECT Drops a packet. Send an appropriate response packet. (e.g. a TCP Reset packet for a TCP connection or an ICMP Port Unreachable message for a UDP packet)
  • RETURN Continue processing the packet within the calling chain