Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000
This is used to send back an error packet in response to the matched
packet: otherwise it is equivalent to
.B DROP
so it is a terminating TARGET, ending rule traversal.
This target is only valid in the
.BR INPUT ,
.B FORWARD
and
.B OUTPUT
chains, and user-defined chains which are only called from those
chains. The following option controls the nature of the error packet
returned:
.TP
Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100
\fB\-\-reject\-with\fP \fItype\fP
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000
The type given can be
Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100
\fBicmp6\-no\-route\fP,
\fBno\-route\fP,
\fBicmp6\-adm\-prohibited\fP,
\fBadm\-prohibited\fP,
\fBicmp6\-addr\-unreachable\fP,
\fBaddr\-unreach\fP,
\fBicmp6\-port\-unreachable\fP or
\fBport\-unreach\fP
which return the appropriate ICMPv6 error message (\fBport\-unreach\fP is
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000
the default). Finally, the option
Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100
\fBtcp\-reset\fP
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000
can be used on rules which only match the TCP protocol: this causes a
TCP RST packet to be sent back. This is mainly useful for blocking
.I ident
(113/tcp) probes which frequently occur when sending mail to broken mail
hosts (which won't accept your mail otherwise).
Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100
\fBtcp\-reset\fP
Jan Engelhardt | 64f948b | 2008-11-24 13:52:30 +0100
can only be used with kernel versions 2.6.14 or later.
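The constraints stated above (valid chains, the listed types, tcp-reset only on TCP rules) can be checked mechanically over a saved ruleset. The following is an added example, not code from the iptables project: `lint`, `arg` and `SAMPLE` are hypothetical names, the ruleset is constructed, and the input is assumed to be ip6tables-save text in which the protocol match appears as `-p tcp`.

```python
import shlex

# --reject-with values named in the man page text above
TYPES = set("icmp6-no-route no-route icmp6-adm-prohibited adm-prohibited icmp6-addr-unreachable "
            "addr-unreach icmp6-port-unreachable port-unreach tcp-reset".split())
ALLOWED = {"INPUT", "FORWARD", "OUTPUT"}
# Constructed ruleset in ip6tables-save format (not taken from a real host)
SAMPLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:EARLY - [0:0]
-A PREROUTING -j EARLY
-A EARLY -p udp -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
*filter
:INPUT DROP [0:0]
:IDENT - [0:0]
-A INPUT -p tcp -m tcp --dport 113 -j IDENT
-A IDENT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with tcp-reset
COMMIT
"""

def arg(tok, flag):  # value following flag in a tokenised rule, or None
    return tok[tok.index(flag) + 1] if flag in tok[:-1] else None

def lint(dump):
    """Return (line number, problem) for each REJECT rule that breaks a stated constraint."""
    table, rules, calls, tainted, out = None, [], {}, [], []
    for n, line in enumerate(dump.splitlines(), 1):
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            if policy != "-" and name not in ALLOWED:
                tainted.append((table, name))  # built-in chain on some other hook
        elif line.startswith("-A "):
            tok = shlex.split(line)
            rules.append((n, table, tok))
            calls.setdefault((table, tok[1]), set()).add(arg(tok, "-j") or arg(tok, "-g"))
    for tbl, chain in tainted:  # list grows while walked, so this is a BFS over jumps
        tainted += [(tbl, t) for t in calls.get((tbl, chain), ()) if (tbl, t) not in tainted]
    for n, tbl, tok in (r for r in rules if arg(r[2], "-j") == "REJECT"):
        kind = arg(tok, "--reject-with") or "port-unreach"  # default per the page
        tcp = any(a != "!" and (b, c) == ("-p", "tcp") for a, b, c in zip(tok, tok[1:], tok[2:]))
        checks = [((tbl, tok[1]) in tainted, "REJECT used outside INPUT/FORWARD/OUTPUT"),
                  (kind not in TYPES, "unknown --reject-with type"),
                  (kind == "tcp-reset" and not tcp, "tcp-reset on a rule not restricted to TCP")]
        out += [(n, msg) for bad, msg in checks if bad]
    return out
```

On the sample, the ident rule in the `IDENT` chain passes, while the rule reached from `PREROUTING` and the UDP rule using `tcp-reset` are reported.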