Is it better to set -j REJECT or -j DROP in iptables?

iptables ip firewall tcp udp

34,536

What do the three rules do?

Those 3 rules seem pretty self-explanatory:

Reject incoming UDP packets with an ICMP message "port unreachable"
Reject incoming TCP packets with "tcp reset"
Reject incoming packets (of any other protocol) with ICMP message "protocol unreachable"

If you're looking for more detail (about UDP/TCP packets, ICMP), you need to dig into networking docs, and perhaps the man iptables too.

Does it make any difference when I put there DROP in place REJECT --reject-with ? If yes, could someone explain the difference to me, I'll really appreciate it.

It makes a difference. And contrary to popular belief, DROP does not give better security than REJECT. It inconveniences legitimate users, and it's effectively no protection from malicious ones. This post explains the reasoning in detail:

http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

A common reason for using DROP rather than REJECT is to avoid giving away information about which ports are open, however, discarding packets gives away exactly as much information as the rejection.

With REJECT, you do your scan and categorise the results into "connection established" and "connection rejected".

With DROP, you categorise the results into "connection established" and "connection timed out".

The most trivial scanner will use the operating system "connect" call and will wait until one connection attempt is completed before starting on the next. This type of scanner will be slowed down considerably by dropping packets. However, if the attack sets a timeout of 5 seconds per connection attempt, it is possible to scan every reserved port (1..1023) on a machine in just 1.5 hours. Scans are always automated, and an attacker doesn't care that the result isn't immediate.

A more sophisticated scanner will send packets itself rather than relying on the operating system's TCP implementation. Such scanners are fast, efficient and indifferent to the choice of REJECT or DROP.

CONCLUSION

DROP offers no effective barrier to hostile forces but can dramatically slow down applications run by legitimate users. DROP should not normally be used.

34,536

VinoPravin

I'm a Debian user who wants to know all about the linux world. If there's a problem with some software or hardware under this operating system, I can fix it, of course I need some time to do that. I don't know many things, but sooner or later I always develop an OpenSource solution and make things work whether they like it or not.

Updated on September 18, 2022

Comments

VinoPravin almost 2 years

There's an example of iptables rules on archlinux wiki:

# Generated by iptables-save v1.4.18 on Sun Mar 17 14:21:12 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Sun Mar 17 14:21:12 2013

A few days ago my friend asked me why is there REJECT in the last three rules. He told me that there should be DROP instead, and he mentioned something about better security in case of DROP.

So, I have two questions:

What do the three rules do?
Does it make any difference when I put there DROP in place REJECT --reject-with ? If yes, what is the difference?

VinoPravin over 10 years

@janos -- could you write a little bit more about what actually happens when a packet reaches each of the three rules?
Panther over 10 years

@Kiwy - Read the link and try it yourself. DROP does not give better security than REJECT. It inconveniences legitimate users, and it's effectively no protection from malicious ones. This is because legitimate users suffer from a slow connection while waiting for the conection to time out and crackers merely configure their tools to not wait for a time out. the fact that the connection is slow (due to the wait for a time out) shows your server is there and firewalled.
Nils over 10 years

I do not go with that conclusion. Reject generates an ICMP-answer that can by analysed. Based on this analysis good attack engines can derive the OS that is being used. So on a system where all ports are known drop might be better. This applies to servers in a production environment.
Maxxx almost 9 years

A firewall that only forwards certain ports is even better. DROP an REJECT are not the same as absolutely no service running the first place. Many port scanners mark your host as a potential target for future scans in the hopes of catching your firewall down if they find REJECTS or DROPS there, as both can be detected from outside. chiark.greenend.org.uk/~peterb/network/drop-vs-reject
Alexis Wilke over 7 years

Note that the quoted text has one more paragraph, an update, that says DROP is better if you have a DDoS attack, which is relatively rare, but when it happens, it's probably good to have it... what do you think?
mckenzm almost 3 years

Reject can identify that a port has a rule, therefore it is a port bring used and of interest to a hacker. Drop behaves the same as a closed port. If I get a reject from 27017 the target is running MongoDB, I need only wait for a glitch in the firewall or focus a crafted attack.