iptables REJECT vs DROP

If you are using iptables and wondering whether to use REJECT or DROP, my recommendation is DROP as the default, with the exceptions described below.
In general, use REJECT if you want the other side to know immediately that the port is unreachable, and DROP for hosts you don't want outsiders to see at all.
Normally, all rules for connections from within your LAN should use REJECT, so that local clients fail at once instead of waiting for a timeout. Connections from the Internet are normally DROPped, with the exception of ident (TCP port 113) on certain servers, discussed below.
Using DROP makes the connection look as if it were going to an unused IP address: nothing comes back, and the client has to wait for its own timeout. Scanners may choose not to keep probing addresses that appear unused. And because NAT can redirect a connection at the firewall, the presence of a well-known service does not necessarily mean that there is a server at that address.
Ident (TCP port 113) should be either allowed through or REJECTed, never DROPped, on any address that provides an SMTP service: a remote mail server that does ident lookups would otherwise wait for its lookup to time out before accepting mail from you. The use of ident lookups by SMTP services has become uncommon, though. Some chat protocols (IRC servers, for example) also rely on a working ident service.
If you use DROP rules:
- The packet is silently discarded and nothing at all is sent back. For both TCP and UDP the client sees only a timeout, the same as when connecting to an unused IP address.
If you use REJECT rules:
- By default (no --reject-with option), an ICMP port-unreachable message is sent back, for both TCP and UDP. For UDP this is exactly what an unfiltered port without a service would answer, so the client fails immediately.
- With --reject-with tcp-reset, TCP packets are answered with a TCP reset (an RST/ACK segment), which is the same response a closed port with no service listening gives. Some routers respond with such a reset on behalf of servers that are unreachable.
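The following script puts the policy from the two passages above into a concrete INPUT chain: REJECT for the LAN, a TCP reset for ident on an SMTP host, and DROP for everything else from the Internet. It is an added example, not code from the original post; the interface names (eth0/eth1), the LAN network 192.168.1.0/24, and the offered services (SSH on 22, SMTP on 25) are assumptions you would replace with your own. It runs in dry-run mode by default and only prints the iptables commands; set DRY_RUN=0 and run it as root to apply them.

```shell
#!/bin/sh
# Added example (not from the original post): an INPUT-chain ruleset that
# follows the "REJECT inside, DROP outside" policy described in the text.
# Assumed (hypothetical) values: LAN is 192.168.1.0/24 on eth1, the
# Internet-facing interface is eth0, the host offers SSH (22) and SMTP (25).
# DRY_RUN=1 (the default) prints the commands instead of applying them.
DRY_RUN="${DRY_RUN:-1}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Every rule goes through here so the dry run prints exactly what would run.
rule() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_ruleset() {
    rule -F INPUT
    # Default policy DROP: unmatched packets vanish silently, so the host
    # looks like an unused address to anyone probing from outside.
    rule -P INPUT DROP

    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Services offered to everyone, including the Internet.
    rule -A INPUT -p tcp --dport 22 -j ACCEPT
    rule -A INPUT -p tcp --dport 25 -j ACCEPT

    # ident (TCP 113): never DROP this on a host that runs SMTP, otherwise
    # remote mail servers that still do ident lookups wait for a timeout
    # before accepting our mail. A TCP reset ends the lookup at once.
    rule -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # LAN: refuse politely so local clients fail fast instead of hanging.
    # For TCP a reset looks exactly like a closed port; for everything else
    # ICMP port-unreachable is what an unfiltered port without a service sends.
    rule -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp -j REJECT --reject-with tcp-reset
    rule -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j REJECT --reject-with icmp-port-unreachable

    # Internet: the chain policy already DROPs everything else; an explicit
    # rule keeps that visible in 'iptables -L -v' with its own packet counter.
    rule -A INPUT -i "$WAN_IF" -j DROP
}

# Inspection helper: how many generated rules carry the given target text.
count_target() {
    DRY_RUN=1
    build_ruleset | grep -c -- "$1"
}

build_ruleset
```

Compare the three LAN/WAN rules at the bottom of build_ruleset with the behaviour described above: the two REJECT rules make a local client fail immediately with either a TCP reset or an ICMP port-unreachable, while the DROP rule (and the DROP chain policy behind it) gives an Internet client nothing to go on but its own timeout.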