What is the difference between the 3 ways to reject packets


INTRODUCTION

Linux systems have several ways to reject or drop incoming packets, and each has a different effect. In this article, I try 4 ways to reject or drop TCP packets and watch the effect in the nmap tool.

WHICH 1+3 WAYS?

In Linux systems, we usually use the following ways (one drop plus three rejects) to reject or drop packets:

  1. Drop incoming packets
  2. Reject incoming packet and reply Port unreachable
  3. Reject incoming packet and reply TCP reset
  4. Reject incoming packet and reply Protocol unreachable

WHAT IS THE DIFFERENCE IN NMAP

DROP INCOMING PACKET

  • Rule: -A INPUT -p tcp -j DROP
  • Reply: No reply from the server.
  • nmap: Port state is filtered.

REJECT PACKET AND REPLY PORT UNREACHABLE

  • Rule: -A INPUT -p tcp -j REJECT --reject-with icmp-port-unreachable
  • Reply: ICMP Destination unreachable. (Port unreachable)
  • nmap: Port state is closed.

REJECT PACKET AND REPLY TCP RESET

  • Rule: -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  • Reply: TCP RST; the connection is reset.
  • nmap: Port state is closed.

REJECT PACKET AND REPLY PROTOCOL UNREACHABLE

  • Rule: -A INPUT -p tcp -j REJECT --reject-with icmp-proto-unreachable
  • Reply: ICMP Destination unreachable. (Protocol unreachable)
  • nmap: Port state is filtered.
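To make the four replies above concrete, here is an added example (not code from the original post) that builds the reply packet each rule produces and decodes it the way a scanner would: it parses the IPv4 header, then either the ICMP Destination Unreachable message (type 3, with the quoted original header that names the probed port) or the TCP header with its RST flag. The packets, the addresses 192.0.2.10 (scanner) and 192.0.2.20 (target), the probed port 22, and the helper names are all constructed for the example; the reply-to-nmap-state mapping in OBSERVED is copied from the article's table, not from nmap's source.

```python
"""Decode the reply a firewall sends to a TCP SYN probe and map it to the
iptables rule and nmap port state listed in the article.
Hypothetical helper with constructed sample packets; not the article's code."""
import socket
import struct
from typing import Optional

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
ICMP_DEST_UNREACH = 3
ICMP_PROTO_UNREACH, ICMP_PORT_UNREACH = 2, 3
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

# Reply kind -> (iptables rule, nmap state), taken from the article's observations.
OBSERVED = {
    "none": ("-A INPUT -p tcp -j DROP", "filtered"),
    "icmp-port-unreachable": ("-A INPUT -p tcp -j REJECT --reject-with icmp-port-unreachable", "closed"),
    "tcp-reset": ("-A INPUT -p tcp -j REJECT --reject-with tcp-reset", "closed"),
    "icmp-proto-unreachable": ("-A INPUT -p tcp -j REJECT --reject-with icmp-proto-unreachable", "filtered"),
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def tcp(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """20-byte TCP header; the checksum is left zero (constructed sample, nothing verifies it)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def icmp_unreach(code: int, offending: bytes) -> bytes:
    """ICMP Destination Unreachable quoting the offending IP header plus 8 bytes of its payload."""
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + offending[:28]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def classify_reply(reply: Optional[bytes]) -> dict:
    """Identify the reply kind, the article rule that produces it, and the nmap state observed."""
    if reply is None:
        kind, detail = "none", "no reply from server"
    else:
        ihl = (reply[0] & 0x0F) * 4          # header length in bytes
        proto = reply[9]
        src = socket.inet_ntoa(reply[12:16])
        body = reply[ihl:]
        if proto == IPPROTO_ICMP:
            itype, code = body[0], body[1]
            if itype != ICMP_DEST_UNREACH:
                raise ValueError("unexpected ICMP type %d" % itype)
            orig = body[8:]                   # quoted original packet follows the 8-byte ICMP header
            orig_ihl = (orig[0] & 0x0F) * 4
            orig_dport = struct.unpack("!H", orig[orig_ihl + 2:orig_ihl + 4])[0]
            if code == ICMP_PORT_UNREACH:
                kind = "icmp-port-unreachable"
            elif code == ICMP_PROTO_UNREACH:
                kind = "icmp-proto-unreachable"
            else:
                raise ValueError("unhandled unreachable code %d" % code)
            detail = "ICMP type 3 code %d from %s about port %d" % (code, src, orig_dport)
        elif proto == IPPROTO_TCP:
            sport, flags = struct.unpack("!H", body[0:2])[0], body[13]
            if not flags & TCP_RST:
                raise ValueError("TCP reply without RST (flags=0x%02x)" % flags)
            kind, detail = "tcp-reset", "TCP RST from %s port %d" % (src, sport)
        else:
            raise ValueError("unexpected protocol %d" % proto)
    rule, state = OBSERVED[kind]
    return {"reply": kind, "detail": detail, "rule": rule, "nmap_state": state}


# Constructed sample: scanner 192.0.2.10 sends a SYN to port 22 on 192.0.2.20.
SCANNER, TARGET = "192.0.2.10", "192.0.2.20"
PROBE = ipv4(IPPROTO_TCP, SCANNER, TARGET, tcp(40000, 22, TCP_SYN, seq=1000))
REPLIES = {
    "DROP": None,
    "icmp-port-unreachable": ipv4(IPPROTO_ICMP, TARGET, SCANNER, icmp_unreach(ICMP_PORT_UNREACH, PROBE)),
    "tcp-reset": ipv4(IPPROTO_TCP, TARGET, SCANNER, tcp(22, 40000, TCP_RST | TCP_ACK, ack=1001)),
    "icmp-proto-unreachable": ipv4(IPPROTO_ICMP, TARGET, SCANNER, icmp_unreach(ICMP_PROTO_UNREACH, PROBE)),
}

if __name__ == "__main__":
    for name, pkt in REPLIES.items():
        r = classify_reply(pkt)
        print("%-23s %-9s %s" % (name, r["nmap_state"], r["detail"]))
```

The point the decoder makes visible is that the two ICMP rejects differ only in one byte (code 3 versus code 2 in the ICMP header), yet the article observed nmap reporting closed for one and filtered for the other, while the TCP reset is a normal TCP segment from the probed port with the RST flag set.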

WHAT DO THE 3 REJECT RULES DO?

These 3 rules seem pretty self-explanatory:

  1. Reject incoming UDP packets with an ICMP message “port unreachable”
  2. Reject incoming TCP packets with “tcp reset”
  3. Reject incoming packets (of any other protocol) with ICMP message “protocol unreachable”

If you’re looking for more detail (about UDP/TCP packets and ICMP), you need to dig into the networking docs, and perhaps the iptables man page too.

REFERENCE

AUTHOR

Pekaikon Norckon
2016-06-26 (SUN)
