This is used to send back an error packet in response to the matched
packet: otherwise it is equivalent to
.B DROP
so it is a terminating TARGET, ending rule traversal.
This target is only valid in the
.BR INPUT ,
.B FORWARD
and
.B OUTPUT
chains, and user-defined chains which are only called from those
chains. The following option controls the nature of the error packet
returned:
.TP
\fB\-\-reject\-with\fP \fItype\fP
The type given can be
\fBicmp\-net\-unreachable\fP,
\fBicmp\-host\-unreachable\fP,
\fBicmp\-port\-unreachable\fP,
\fBicmp\-proto\-unreachable\fP,
\fBicmp\-net\-prohibited\fP,
\fBicmp\-host\-prohibited\fP, or
\fBicmp\-admin\-prohibited\fP (*),
which return the appropriate ICMP error message (\fBicmp\-port\-unreachable\fP is
the default). The option
\fBtcp\-reset\fP
can be used on rules which only match the TCP protocol: this causes a
TCP RST packet to be sent back. This is mainly useful for blocking
.I ident
(113/tcp) probes which frequently occur when sending mail to broken mail
hosts (which won't accept your mail otherwise).
.IP
(*) Using icmp\-admin\-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT.
.PP
\fIWarning:\fP You should not indiscriminately apply the REJECT target to
packets whose connection state is classified as INVALID; instead, you should
only DROP these.
.PP
Consider a source host transmitting a packet P, with P experiencing so much
delay along its path that the source host issues a retransmission, P_2, with
P_2 being successful in reaching its destination and advancing the connection
state normally. It is conceivable that the late-arriving P may be considered
not to be associated with any connection tracking entry. Generating a reject
response for a packet so classed would then terminate the healthy connection.
.PP
So, instead of:
.PP
-A INPUT ... -j REJECT
.PP
do consider using:
.PP
-A INPUT ... -m conntrack --ctstate INVALID -j DROP
-A INPUT ... -j REJECT
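The three constraints this page states for REJECT (valid only in the filter table's INPUT/FORWARD/OUTPUT chains, tcp-reset only on TCP-matching rules, and an INVALID DROP placed before any REJECT) can be checked against a ruleset before it is loaded. The following audit script is an added example, not part of the iptables man page; the iptables-save excerpt it reads is constructed for illustration, and the only tool assumed is awk.

```shell
#!/bin/sh
# Constructed iptables-save excerpt (not taken from the man page): INPUT guards
# its REJECT with an INVALID DROP, FORWARD does not, one FORWARD rule pairs
# tcp-reset with a non-TCP match, and a REJECT sits in the nat table.
RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -p udp -j REJECT --reject-with tcp-reset
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -j REJECT
COMMIT'

# audit_reject: read iptables-save text on stdin and print one finding per
# line. Rules are scanned in order, so a REJECT only counts as "guarded" when
# a "--ctstate INVALID -j DROP" rule precedes it in the same chain.
audit_reject() {
    awk '
    /^\*/ { table = substr($0, 2); next }      # remember the current table
    /^-A / {
        chain = $2
        if ($0 ~ / -j REJECT/) {
            # REJECT is registered for the filter table only (INPUT/FORWARD/OUTPUT
            # and user chains reached from them).
            if (table != "filter")
                print "INVALID-CHAIN " table "/" chain ": REJECT is only valid in the filter table"
            else if (!(chain in guarded))
                print "UNGUARDED " chain ": REJECT with no preceding --ctstate INVALID -j DROP"
            # tcp-reset is only meaningful on rules that match TCP.
            if ($0 ~ /--reject-with tcp-reset/ && $0 !~ / -p tcp /)
                print "BAD-TYPE " chain ": tcp-reset on a rule that does not match -p tcp"
        }
        if ($0 ~ /--ctstate INVALID -j DROP/) guarded[chain] = 1
    }'
}

printf '%s\n' "$RULES" | audit_reject
```

Running it on the excerpt reports the two unguarded FORWARD rejects, the udp/tcp-reset mismatch and the nat-table REJECT, and nothing for INPUT.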