What about having a deep discussion on iptables DROP vs REJECT?
Iptables have a set of rules to manage incoming and outgoing traffic. Drop and reject belongs to the actions against each unsafe packets.
At Bobcares, we often receive requests to carry out the drop and reject actions as part of our Server Management Services.
Today, let’s have a detailed discussion about these two actions.
Iptables DROP vs REJECT
As we all know, iptables is a flexible firewall utility built for Linux operating systems. It uses a set of tables with chains.
And, these chains contains a set of built-in or user-defined rules. But why we use these rules?
Actually, not all the packets that reach the firewall are safe. So, these rules filter the packets effectively.
Mainly there are three responses: ACCEPT, DROP and REJECT.
Now, let’s check out the main differences between the drop and reject commands.
Difference between DROP and REJECT
Both DROP and REJECT prohibits packets from passing through the firewall. But, the main difference between them is the response message.
Actually, when we use the DROP command, it will not forward the packet or answer it. But, simply drops the packet silently.
And, no indication is sent to the client or server.
But, the REJECT command sends an error message back to the source indicating a connection failure.
For TCP connections, iptables will send RST/ACK segments. But, with UDP, It returns an “ICMP destination port unreachable” message.
Iptables DROP vs REJECT – Better choice?
So, below given are the commands to DROP and REJECT the connections.
iptables -A INPUT -s <specified_ip> -j DROPiptables -A INPUT -s <specified_ip> -j REJECTRecently, one of our customers had a query regarding both these commands. Though both commands have the same function, he needs to know which command is better.
Our Support Engineers recommend the DROP command above REJECT.
REJECT command sends a response message. And, this message will ensure the attackers about the existence of the server on the other end.
It will give away information like open ports, software versions, etc which is risky. Incase of a DDOS attack, the server needs to respond to each request with a response.
But, dropping the packet doesn’t give the user any clue regarding the connection failure.
And, this is the main reason why the DROP command is more preferred.
[Need more information regarding these commands?- We’re available 24/7.]
Conclusion
In short, both the DROP and REJECT commands prohibit unsafe packets from passing through the firewall. Today’s “iptables DROP vs REJECT” article focussed more on the difference between these commands.
There is no “right” answer here. If you want to delay whoever is probing then a DROP will slow them down (sender has to wait for a timeout), BUT if you answer on any other port, it is obvious that there is a firewall in the middle.
A straight REJECT will respond with an ICMP unreachable which is not the response you would see on a port which is not listening
REJECT -reject-with tcp-reset makes the port behave as though nobody was listing and no firewall is in the middle.
All will block the port, and how to respond depends on what the aim is.
Hello Mark,
Thank you for your inputs. Yes, making a choice between DROP and REJECT depends a lot on the traffic type, purpose, etc.