Iptables
Why to use REJECT instead of DROP
General
Tables
Four tables
- filter: Filtering rules
- nat: NAT rules
- mangle: Special rules that alter packet data
- raw: Rules that should function independently of the Netfilter connection-tracking subsystem
Matches
- --source (-s): Match on a source IP address or network
- --destination (-d): Match on a destination IP address or network
- --protocol (-p): Match on an IP protocol value
- --in-interface (-i): Input interface
- --out-interface (-o): Output interface
- --state: Match on a set of connection states (INVALID, ESTABLISHED, RELATED)
- --string: Match on a sequence of application layer data bytes
- --comment: Associate up to 256 bytes of comment data with a rule within kernel memory
Targets
- ACCEPT: Packet continues on its way
- DROP: Drops a packet. The receiving stack will never see this packet and won't be able to send an ICMP message, for example.
- LOG: Logs a packet to syslog
- REJECT: Drops a packet and sends an appropriate response packet (e.g. a TCP Reset for a TCP connection or an ICMP Port Unreachable message for a UDP packet)
- RETURN: Continue processing the packet within the calling chain
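The ruleset below is an added example, not part of the original notes, that puts the matches and targets listed above into one filter-table configuration in iptables-restore format: the state match lets replies through and drops INVALID packets, a user chain with a comment match and RETURN handles SSH, and unwanted traffic is logged and then hit with REJECT (a TCP Reset for TCP, ICMP Port Unreachable for UDP) rather than DROP, so the peer fails immediately instead of timing out. The admin network (192.0.2.0/24, a TEST-NET-1 address block), the interface name eth0 and the chain name SSH_GUARD are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes): a filter-table ruleset in
# iptables-restore format exercising the matches and targets described above.
# The network, interface and chain names are constructed placeholders.

ADMIN_NET="192.0.2.0/24"   # constructed placeholder network (TEST-NET-1)
WAN_IF="eth0"              # constructed placeholder interface name

# Emit the ruleset on stdout; nothing is applied to the kernel here.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_GUARD - [0:0]
# loopback and replies to our own connections pass first
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify are silently dropped
-A INPUT -m state --state INVALID -j DROP
# SSH: jump to a user chain; RETURN hands unmatched packets back to INPUT
-A INPUT -i $WAN_IF -p tcp --dport 22 -j SSH_GUARD
-A SSH_GUARD -s $ADMIN_NET -m comment --comment "admin net" -j ACCEPT
-A SSH_GUARD -j RETURN
# log (rate-limited) then REJECT: TCP gets a RST, UDP gets port-unreachable,
# so clients fail fast instead of waiting for a timeout as they would under DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-reject: "
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
EOF
}

# Count the rules that jump to a given target, e.g. count_target REJECT -> 3
count_target() {
    build_ruleset | grep -c -e "-j $1"
}

# Load the ruleset atomically (needs root and the iptables-restore binary).
apply_ruleset() {
    build_ruleset | iptables-restore
}

# Run stand-alone: print the ruleset for review, or load it with --apply
if [ "${1:-}" = "--apply" ]; then
    apply_ruleset
else
    build_ruleset
fi
```

Review the printed output first (`sh ruleset.sh`), then load it with `sh ruleset.sh --apply` as root; iptables-restore replaces the whole filter table in one step, which avoids the window where a partially applied rule list is active.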