| Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 1 | This is used to send back an error packet in response to the matched |
| 2 | packet: otherwise it is equivalent to |
| 3 | .B DROP |
| 4 | so it is a terminating TARGET, ending rule traversal. |
| 5 | This target is only valid in the |
| 6 | .BR INPUT , |
| 7 | .B FORWARD |
| 8 | and |
| 9 | .B OUTPUT |
| 10 | chains, and user-defined chains which are only called from those |
| 11 | chains. The following option controls the nature of the error packet |
| 12 | returned: |
| 13 | .TP |
| 14 | .BI "--reject-with " "type" |
| 15 | The type given can be |
| 16 | .nf |
| 17 | .B " icmp-net-unreachable" |
| 18 | .B " icmp-host-unreachable" |
| 19 | .B " icmp-port-unreachable" |
| 20 | .B " icmp-proto-unreachable" |
| 21 | .B " icmp-net-prohibited" |
| 22 | .B " icmp-host-prohibited or" |
| 23 | .B " icmp-admin-prohibited (*)" |
| 24 | .fi |
| 25 | which return the appropriate ICMP error message (\fBport-unreachable\fP is |
| 26 | the default). The option |
| 27 | .B tcp-reset |
| 28 | can be used on rules which only match the TCP protocol: this causes a |
| 29 | TCP RST packet to be sent back. This is mainly useful for blocking |
| 30 | .I ident |
| 31 | (113/tcp) probes which frequently occur when sending mail to broken mail |
| 32 | hosts (which won't accept your mail otherwise). |
| 33 | .TP |
| Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 34 | (*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT |