The REJECT target works basically the same as the DROP target, but it also sends back an error message to the host sending the packet that was blocked. The REJECT target is as of today only valid in the INPUT, FORWARD and OUTPUT chains or their sub chains. After all, these would be the only chains in which it would make any sense to put this target. Note that all chains that use the REJECT target may only be called by the INPUT, FORWARD, and OUTPUT chains, else they won't work. There is currently only one option which controls the nature of how this target works, though this may in turn take a huge set of variables. Most of them are fairly easy to understand, if you have a basic knowledge of TCP/IP.
This option tells the REJECT target what response to send to the host that sent the packet that we are rejecting. Once we get a packet that matches a rule in which we have specified this target, our host will first of all send the associated reply, and the packet will then be dropped dead, just as the DROP target would drop it. The following reject types are currently valid: icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited and icmp-host-prohibited. The default error message is to send a port-unreachable to the host. All of the above are ICMP error messages and may be set as you wish. You can find further information on their various purposes in the appendix ICMP types. Finally, there is one more option called tcp-reset, which may only be used together with the TCP protocol. The tcp-reset option will tell REJECT to send a TCP RST packet in reply to the sending host. TCP RST packets are used to close open TCP connections gracefully. For more information about the TCP RST, read RFC 793 - Transmission Control Protocol. As stated in the iptables man page, this is mainly useful for blocking ident probes, which frequently occur when sending mail to broken mail hosts that won't otherwise accept your mail.
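As an added example (not part of the tutorial), the following POSIX sh/awk lint reads iptables-save output and checks the two constraints described above: that REJECT, directly or through a user chain, is only reachable from INPUT, FORWARD or OUTPUT, and that tcp-reset is only used on rules restricted to TCP. It assumes the option discussed is iptables' --reject-with (a real flag whose name does not appear in the text above) and feeds the lint a constructed sample dump.

```shell
# Lint an iptables-save dump for the two REJECT constraints described above:
# REJECT (directly or via user chains) reachable only from INPUT/FORWARD/OUTPUT,
# and --reject-with tcp-reset only on -p tcp rules. Reads stdin, prints findings.
audit_reject_rules() {
    awk '
    function ok_root(c, seen,    n, i, parts) {      # walk callers up to a hook
        if (c ~ /\/(INPUT|FORWARD|OUTPUT)$/) return 1
        if (c ~ /\/(PREROUTING|POSTROUTING)$/) return 0
        if (c in seen) return 1                       # guard against jump loops
        seen[c] = 1; n = split(callers[c], parts, " ")
        for (i = 1; i <= n; i++) if (!ok_root(parts[i], seen)) return 0
        return 1                                      # no callers: unreachable, not wrong
    }
    /^\*/ { table = substr($0, 2); next }             # table header such as *filter
    /^-A / {
        chain = table "/" $2; proto = ""; target = ""; rw = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = tolower($(i + 1))
            if ($i == "-j" || $i == "-g") target = $(i + 1)
            if ($i == "--reject-with") rw = $(i + 1)
        }
        if (target == "REJECT") { uses_reject[chain] = 1
            if (rw == "tcp-reset" && proto != "tcp")
                printf "line %d: tcp-reset without -p tcp (chain %s)\n", NR, chain
        } else if (target != "") callers[table "/" target] = callers[table "/" target] " " chain
    }
    END {
        for (c in uses_reject) { split("", seen)      # fresh visited set per chain
            if (!ok_root(c, seen)) printf "chain %s: REJECT not under INPUT/FORWARD/OUTPUT\n", c
        }
    }'
}
# Constructed sample (not from a real host): ident-probe reject hung off PREROUTING, tcp-reset on a chain that also sees UDP.
SAMPLE_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
:early_reject - [0:0]
-A PREROUTING -j early_reject
-A early_reject -p tcp --dport 113 -j REJECT --reject-with tcp-reset
COMMIT
*filter
:INPUT DROP [0:0]
:tcp_packets - [0:0]
:udp_packets - [0:0]
-A INPUT -p tcp -j tcp_packets
-A INPUT -p udp -j udp_packets
-A tcp_packets -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-A udp_packets -j REJECT --reject-with tcp-reset
COMMIT'
printf '%s\n' "$SAMPLE_DUMP" | audit_reject_rules
```

Run against a live host with `iptables-save | audit_reject_rules`; the sample above yields exactly two findings, one per violated constraint.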