Is it better to set -j REJECT or -j DROP in iptables?

by

There’s an example of iptables rules on archlinux wiki:

# Generated by iptables-save v1.4.18 on Sun Mar 17 14:21:12 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Sun Mar 17 14:21:12 2013

A few days ago my friend asked me why is there REJECT in the last three rules. He told me that there should be DROP instead, and he mentioned something about better security in case of DROP.

So, I have two questions:

  1. What do the three rules do?
  2. Does it make any difference when I put there DROP in place REJECT --reject-with ? If yes, what is the difference?
Contents hide
Answers:
Method 1

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

What do the three rules do?

Those 3 rules seem pretty self-explanatory:

  1. Reject incoming UDP packets with an ICMP message “port unreachable”
  2. Reject incoming TCP packets with “tcp reset”
  3. Reject incoming packets (of any other protocol) with ICMP message “protocol unreachable”

If you’re looking for more detail (about UDP/TCP packets, ICMP), you need to dig into networking docs, and perhaps the man iptables too.

Does it make any difference when I put there DROP in place REJECT –reject-with ? If yes, could someone explain the difference to me, I’ll really appreciate it.

It makes a difference. And contrary to popular belief, DROP does not give better security than REJECT. It inconveniences legitimate users, and it’s effectively no protection from malicious ones. This post explains the reasoning in detail:

http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

A common reason for using DROP rather than REJECT is to avoid giving
away information about which ports are open, however, discarding
packets gives away exactly as much information as the rejection.

With REJECT, you do your scan and categorise the results into
“connection established” and “connection rejected”.

With DROP, you categorise the results into “connection established”
and “connection timed out”.

The most trivial scanner will use the operating system “connect” call
and will wait until one connection attempt is completed before
starting on the next. This type of scanner will be slowed down
considerably by dropping packets. However, if the attack sets a
timeout of 5 seconds per connection attempt, it is possible to scan
every reserved port (1..1023) on a machine in just 1.5 hours. Scans
are always automated, and an attacker doesn’t care that the result
isn’t immediate.

A more sophisticated scanner will send packets itself rather than
relying on the operating system’s TCP implementation. Such scanners
are fast, efficient and indifferent to the choice of REJECT or DROP.

CONCLUSION

DROP offers no effective barrier to hostile forces but can
dramatically slow down applications run by legitimate users. DROP
should not normally be used.


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x