iptables reject-with icmp-host-prohibited

iptables rules are evaluated top-down. If a packet matches one of the rules, it does what the ACTION of the rule defines. Usually that is REJECT, ACCEPT, DROP, REDIRECT (to a different port) or jump to a CHAIN.

The last rule is just a generic rule that triggers when no previous rule has triggered. Basically it's a "by default, reject anything that doesn't match a previous rule". That is standard and a good practice when implementing firewalls.

The icmp-host-prohibited is just the reject message with which the packet gets rejected. That means that your server will notify the sender that the packet was rejected with that message.

Note that for better hardening, it's recommended to DROP messages instead of REJECTing them, because the latter may give an attacker some info, for example "this host exists and has rejected your packet", whereas DROP won't provide such information.
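As an added illustration of the top-down evaluation described above (example code written for this page, not part of the answer, the question, or iptables itself), the following Python model replays the question's INPUT chain against a few constructed packets, shows why `-I` lands the new port-8080 rule at the top, and applies the DROP-instead-of-REJECT hardening to the final rule. It assumes the user chains INPUT_direct / INPUT_ZONES_SOURCE / INPUT_ZONES return without a verdict, which the listing does not show.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                       # ACCEPT, DROP, REJECT or a user-chain name
    proto: str = "all"
    in_iface: str = "*"
    dport: Optional[int] = None
    ctstate: frozenset = frozenset()  # empty = no ctstate match, i.e. any state
    reject_with: str = ""

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("all", pkt["proto"])
                and self.in_iface in ("*", pkt["in"])
                and (self.dport is None or self.dport == pkt.get("dport"))
                and (not self.ctstate or pkt["ctstate"] in self.ctstate))

# The INPUT chain from the question. Assumption: its user chains RETURN without a verdict.
DEFAULT_INPUT = [
    Rule("ACCEPT", ctstate=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", in_iface="lo"),
    Rule("INPUT_direct"), Rule("INPUT_ZONES_SOURCE"), Rule("INPUT_ZONES"),
    Rule("DROP", ctstate=frozenset({"INVALID"})),
    Rule("REJECT", reject_with="icmp-host-prohibited"),
]
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def evaluate(chain, pkt):
    """Walk the chain top-down; return (rule number as in `iptables -L --line-numbers`, verdict)."""
    for num, rule in enumerate(chain, start=1):
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINAL:
            extra = f" ({rule.reject_with})" if rule.reject_with else ""
            return num, rule.target + extra
        # jump to a user chain: assumed to RETURN without deciding, so keep walking
    return None, "chain policy"  # reached only when no catch-all rule exists

def insert_rule(chain, rule, pos=1):
    """`iptables -I INPUT [pos] ...`: insert at rule number pos (1 = top); -A would append."""
    return chain[:pos - 1] + [rule] + chain[pos - 1:]

def final_reject_to_drop(chain):
    """The answer's hardening: end the chain with a silent DROP instead of icmp-host-prohibited."""
    return chain[:-1] + [Rule("DROP")]

NEW_8080 = {"proto": "tcp", "in": "eth0", "dport": 8080, "ctstate": "NEW"}  # constructed sample
HARDENED = insert_rule(DEFAULT_INPUT, Rule("ACCEPT", proto="tcp", dport=8080,
                                           ctstate=frozenset({"NEW", "ESTABLISHED"})))
```

`evaluate(DEFAULT_INPUT, NEW_8080)` falls through to rule 7, the final REJECT, while `evaluate(HARDENED, NEW_8080)` is accepted by the inserted rule 1, which is exactly the change the asker's `iptables -I` command made.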


Author: Salem F

Updated on September 18, 2022

Comments

  • Salem F over 1 year

    I recently bought a new KVM/VPS. Once I installed OpenResty (nginx fork) and ran it, my server was not accepting incoming connections on the test port 8080. I managed to solve the issue by adding port 8080 to the allowed rules,

    iptables -I INPUT  -p tcp --dport 8080 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    iptables -I OUTPUT -p tcp --sport 8080 -m conntrack --ctstate ESTABLISHED     -j ACCEPT
    

    but I still can't understand the default rules that come with my VPS

     pkts bytes   target           prot opt in     out     source               destination                              
     361K 1192M ACCEPT             all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
        1    60     ACCEPT         all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
     464K   70M INPUT_direct       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     464K   70M INPUT_ZONES_SOURCE all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     464K   70M INPUT_ZONES        all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     1324 61332 DROP               all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
     458K   70M REJECT             all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    

    especially the last line: does it block all incoming traffic?

  • Salem F about 5 years
    Great explanation, I missed the rule order part, and I agree with you about using DROP instead of REJECT, especially to block some small attacks. iptables is a great tool but its commands are very primitive and need some time to tweak well. Lastly, do you know a simple way to receive the connection message with command line tools or via some language like (C/PHP)?
  • nKn about 5 years
    Do you mean capture packets on the machine? If so, you can use a tool like tcpdump or ngrep.
  • Salem F about 5 years
    I mean the reply message from the other machine, e.g. if I use curl it won't show me that message. I don't know tcpdump.