
iptables REJECT vs DROP

  • Blog
  • 1 comment

If you are using iptables and wondering whether to use REJECT or DROP, my recommendation is to always use DROP.

In general, use REJECT if you want the other side to know that the port is unreachable, and DROP for connections to hosts you don't want to see.

Normally, all rules for connections within your LAN should use REJECT. For the Internet, connections are normally DROPPED, the exception being the ident service on certain servers.

Using DROP makes the connection look like it is going to an unoccupied IP address. Scanners may choose not to continue scanning addresses that appear unoccupied. Because NAT can be used to redirect a connection at the firewall, the presence of a known service does not necessarily mean that there is a server at an address.

Ident should be allowed through or rejected at any address that provides an SMTP service. However, the use of ident look-ups by SMTP services is no longer common. There are chat protocols that also rely on a working ident service.

If you use DROP rules:

  • UDP packets are dropped, and the behavior is the same as when connecting to an unfirewalled port with no service behind it.
  • TCP packets return an ACK/RST, which is the same response an open port with no service behind it would give. Some routers respond with an ACK/RST on behalf of servers that are unreachable.

When using REJECT rules, an ICMP packet is sent indicating that the port is not available.
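The policy the post recommends, written out as an added example that is not part of the original post: sources inside the LAN get REJECT (an RST for TCP, ICMP port-unreachable for everything else), sources on the Internet get DROP, and ident (TCP/113) is rejected rather than dropped on hosts that run SMTP. The LAN_NET value, the SMTP_HOST switch and the IPT dry-run variable are assumptions for illustration.

```shell
#!/bin/sh
# Load (or, with IPT=echo, just print) the REJECT-inside / DROP-outside
# policy described above. LAN_NET and SMTP_HOST are assumed values.
IPT="${IPT:-iptables}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN range
SMTP_HOST="${SMTP_HOST:-no}"           # set to "yes" on a mail server

# Loopback and already-established flows are accepted first so that
# replies to our own outbound connections never hit the rules below.
base_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# LAN: REJECT, so local clients get an immediate error instead of a
# timeout. TCP gets a reset; anything else gets ICMP port-unreachable.
lan_rules() {
    $IPT -A INPUT -s "$LAN_NET" -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -s "$LAN_NET" -j REJECT --reject-with icmp-port-unreachable
}

# Internet: on an SMTP host, ident is rejected explicitly so a peer doing
# an ident lookup is answered at once rather than left waiting on a DROP.
# Everything else is dropped so the address looks unoccupied.
inet_rules() {
    if [ "$SMTP_HOST" = "yes" ]; then
        $IPT -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    fi
    $IPT -A INPUT -j DROP
}

# Order matters: accept, then the more specific LAN rules, then the
# catch-all Internet rules.
apply_policy() {
    base_rules
    lan_rules
    inet_rules
}
```

Run with `IPT=echo sh script.sh` style dry-run first (e.g. `IPT=echo apply_policy`) to review the rules before loading them.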

Comments
    Saud  replied
    10.06.2023 04:45

    My recommendation is to always use REJECT since it immediately terminates the connection. Scanners have other ways to detect if the host is active when using a DROP rule. There is not a huge benefit to using DROP, so my recommendation is to use REJECT.

