REJECT vs DROP when using iptables

As a general rule, use REJECT when you want the other end to know the port is unreachable’ use DROP for connections to hosts you don’t want people to see.

Usually, all rules for connections inside your LAN should use REJECT. For the Internet, With the exception of ident on certain servers, connections from the Internet are usually DROPPED.

Using DROP makes the connection appear to be to an unoccupied IP address. Scanners may choose not to continue scanning addresses which appear unoccupied. Given that NAT can be used to redirect a connection on the firewall, the existence of a well known service does not necessarily indicate the existence of a server on an address.

Ident should be passed or rejected on any address providing SMTP service. However, use of Ident look-ups by SMTP serves has fallen out of use. There are chat protocols which also rely on a working ident service.

EDIT: When using DROP rules:
– UDP packets will be dropped and the behavior will be the same as connecting to an unfirewalled port with no service.
– TCP packets will return an ACK/RST which is the same response that an open port with no service on it will respond with. Some routers will respond with and ACK/RST on behalf of servers which are down.

When using REJECT rules an ICMP packet is sent indicating the port is unavailable.

Related Posts:

  1. Is it normal to get hundreds of break-in attempts per day?
  2. best way to clear all iptables rules
  3. Explanation of polkitd Unregistered Authentication Agent
  4. WordPress sites being filled with random PHP files
  5. What permissions should my website files/folders have on a Linux webserver?
  6. How to handle security updates within Docker containers?
  7. How can I port forward with iptables?
  8. How to check if an RSA public / private key pair match
  9. “POSSIBLE BREAK-IN ATTEMPT!” in /var/log/secure — what does this mean?
  10. Tips for Securing a LAMP Server
  11. How to add a security group to a running EC2 Instance?
  12. How to do the port forwarding from one ip to another ip in same network?
  13. SSH from A through B to C, using private key on B [closed]
  14. Heartbleed: how to reliably and portably check the OpenSSL version?
  15. What is the difference between /sbin/nologin and /bin/false?
  16. What’s a .sh file?
  17. How to fix ‘sudo: no tty present and no askpass program specified’ error?
  18. How do I grep recursively?
  19. What does pss mean in /proc/pid/smaps
  20. apt-get error: Sub-process /usr/bin/dpkg returned an error code (1)
  21. How do I grep recursively?
  22. how to find libstdc++.so.6: that contain GLIBCXX_3.4.19 for RHEL 6?
  23. How to extract C source code from .so file?
  24. subprocess.Popen(): OSError: [Errno 8] Exec format error in python?
  25. How to substitute shell variables in complex text files
  26. How can I recursively find all files in current and subfolders based on wildcard matching?
  27. Curl command for https ( SSL )
  28. “sed” command in bash
  29. How to exclude a directory in find . command
  30. How can I find all *.js file in directory recursively in Linux?
  31. Argument list too long error for rm, cp, mv commands
  32. Difference between using “chmod a+x” and “chmod 755”
  33. ssh: Could not resolve hostname [hostname]: nodename nor servname provided, or not known
  34. WSL – GEDIT Unable to init server: Could not connect: Connection refused
  35. Python subprocess.Popen “OSError: [Errno 12] Cannot allocate memory”
  36. Install tkinter for Python
  37. How to open some ports on Ubuntu?
  38. Given two directory trees, how can I find out which files differ by content?
  39. What does it mean to mount a file system in linux?
  40. curl: (6) Could not resolve host: google.com; Name or service not known
  41. How to pass password to scp?
  42. -bash: fork: Cannot allocate memory
  43. CentOS error – sudo: effective uid is not 0, is sudo installed setuid root?
  44. Merge / convert multiple PDF files into one PDF
  45. scp from Linux to Windows
  46. Bash script: bad interpreter
  47. PHP and mod_fcgid: ap_pass_brigade failed in handle_request_ipc function
  48. How to grep and replace
  49. node.js: cannot find module ‘request’
  50. What does “&” at the end of a linux command mean?
  51. How to recursively download a folder via FTP on Linux
  52. error : storage class specified for parameter
  53. httpd: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1 for ServerName
  54. How do I write stderr to a file while using “tee” with a pipe?
  55. How to include file in a bash shell script
  56. Does Mac OS X use Linux?
  57. bash sh – command not found 
  58. Hosting multiple WordPress sites on single server – best practices?
  59. security+best practices: root or www-data on a wordpress content folder?
  60. SELinux security vs WordPress updates
  61. WordPress Update – This is usually due to inconsistent file permissions.: wp-admin/includes/update-core.php
  62. Folder Permissions + Security Concerns
  63. Why is my crontab not working, and how can I troubleshoot it?
  64. Can I automatically add a new host to known_hosts?
  65. Why is “chmod -R 777 /” destructive?
  66. How can I run Debian stable but install some packages from testing?
  67. Environment variables of a running process on Unix?
  68. How to check if a library is installed?
  69. Meaning of the buffers/cache line in the output of free
  70. How to cd into a directory with this name “-2” (starting with the hyphen)?
  71. how to disable SSH login with password for some users?
  72. How do I prevent accidental rm -rf /*?
  73. Is it possible to detach a process from its terminal? (Or, “I should have used screen!”) [duplicate]
  74. What does Virtual memory size in top mean?
  75. What’s the best way to check if a volume is mounted in a Bash script?
  76. How do I find the UUID of a filesystem
  77. Find out symbolic link target via command line
  78. Meaning of directories on Unix and Unix like systems
  79. Why do we use a OS Base Image with Docker if containers have no Guest OS?
  80. Is it possible to make Nginx listen to different ports?
  81. Linux command line best practices and tips?
  82. How to run command as user who has /usr/sbin/nologin as Shell?
  83. Why should I firewall servers?
  84. How to get pid of just started process
  85. How to disable everything in crontab -l?
  86. df says disk is full, but it is not
  87. Perform rsync while following sym links
  88. What is the maximum port number?
  89. Show all users and their groups/vice versa
  90. Why is TCP accept() performance so bad under Xen?
  91. Caching/preloading files on Linux into RAM
  92. How to sort ps output by process start time?
  93. What’s wrong with always being root?
  94. Is there a proper way to clear logs?
  95. Hundreds of failed ssh logins
  96. Transfer 15TB of tiny files
  97. What should I do when I got the KEYEXPIRED error message after an apt-get update?
  98. protocol version mismatch — is your shell clean?
  99. How do I join two named pipes into single input stream in linux
  100. How should an IT department choose a standard Linux distribution?

Leave a Comment