The DROP target does just what it says: it drops packets
dead and carries out no further processing. A packet that matches a
rule with a DROP target is silently discarded. Note that this action
might in certain cases have an unwanted effect, since it can leave dead
sockets around on either host (the peer keeps waiting until its own timeout
fires). A better solution in cases where this is likely
is to use the REJECT target, especially when you want
to block port scanners from getting too much information, such as on filtered
ports and so on. Also note that if a packet has the DROP
action taken on it in a subchain, the packet will not be processed in any of
the main chains either, in the present table or in any other table. The packet is, in
other words, totally dead. As we've seen previously, the target will not send
any kind of information in either direction, nor to intermediaries such as
routers.
Works under Linux kernel 2.3, 2.4, 2.5 and 2.6.
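The following ruleset is an added example and not part of the tutorial. It contrasts the two behaviours described above in one iptables-restore file: a DROP inside a user-defined chain (here called newtcp, a constructed name) that ends processing for the packet without it ever returning to INPUT, and a REJECT on a closed port that answers with a TCP reset so the peer's socket closes cleanly instead of lingering. The addresses and ports are constructed sample values; the helper functions only inspect the generated text and, when run as root with iptables-restore installed, pass it to `iptables-restore --test` without committing anything to the kernel.

```shell
#!/bin/sh
# Added example, not code from the iptables tutorial. Chain name, addresses
# and ports below are constructed for illustration.

# Emit a complete ruleset in iptables-restore format.
build_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:newtcp - [0:0]
# Replies to connections we already accepted are never touched by the rest.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Hand every new TCP connection attempt to the user-defined chain.
-A INPUT -p tcp -m state --state NEW -j newtcp
# DROP in the subchain: the packet is dead here. It does not fall back into
# INPUT, so none of the rules after the jump are evaluated for it.
-A newtcp -s 192.0.2.0/24 -j DROP
# A closed service port: REJECT with a TCP reset instead of a silent drop, so
# the connecting host tears its socket down immediately.
-A INPUT -p tcp --dport 23 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Print the rule lines that jump to the given target (DROP, REJECT, ...).
rules_with_target() {
    build_ruleset | grep -E -- "-j $1( |$)"
}

# Number of rule lines that jump to the given target.
count_target() {
    rules_with_target "$1" | wc -l | tr -d ' '
}

# Syntax-check the ruleset with iptables-restore --test, which parses and
# builds the ruleset but does not load it. Skips cleanly when the tool is
# absent or we are not root, since the check still needs to open the table.
check_ruleset() {
    if ! command -v iptables-restore >/dev/null 2>&1; then
        echo "iptables-restore not found; skipping syntax check" >&2
        return 0
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root; skipping syntax check" >&2
        return 0
    fi
    build_ruleset | iptables-restore --test
}

# Show the ruleset and which rules terminate a packet each way.
build_ruleset
echo "DROP rules:   $(count_target DROP)"
echo "REJECT rules: $(count_target REJECT)"
check_ruleset || echo "ruleset rejected by iptables-restore --test" >&2
```

To load the ruleset for real, redirect the output of `build_ruleset` into `iptables-restore` as root; the `--test` run in `check_ruleset` is the dry run to do first. Note that `--reject-with tcp-reset` is only valid on rules that match `-p tcp`, which is why the REJECT rule carries that match explicitly.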