
I would like iptables to disallow the sending of a "port closed" (RST ACK) in the OUTPUT chain.

I am not sure if this is correct:

--append OUTPUT --protocol tcp --tcp-flags RST,ACK RST,ACK --jump REJECT --reject-with icmp-host-prohibited

2 Answers


That looks correct. It would be more normal just to block the SYN packets from reaching the service in the first place though, rather than blocking the response like that.

TomH
Reason: If the daemon is listening, then I'm good. But if the daemon is unavailable, I do not want outgoing "port closed" packets. – Jacob Rickens Jun 21 '11 at 09:55

Not sure what effect (if any) your rule actually would have; do a DROP instead of REJECT.

See REJECT vs DROP when using iptables.

3molo
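Both approaches side by side, as an added example that is not part of the question or either answer. The dry-run wrapper, the allowed-port list and the conntrack rule are this example's own assumptions, not anything the posters wrote:

```shell
#!/bin/sh
# Added example, not code from the question or either answer.
# Two ways to stop a host answering "port closed":
#   (a) the asker's approach: discard the kernel's RST/ACK in OUTPUT
#   (b) TomH's suggestion: drop unsolicited SYNs in INPUT so no RST is ever built
# DRY_RUN=1 (the default here, an assumption of this script) prints the
# iptables commands instead of running them; DRY_RUN=0 applies them (needs root).
# IPv4 only; ip6tables would need the same rules separately.

DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# (a) Swallow RST/ACK on the way out. The kernel's reply to a SYN on a closed
# port carries exactly RST and ACK, so mask ALL to avoid matching resets that
# carry extra flags. DROP, not REJECT: REJECT would answer the packet's sender,
# which for a locally generated RST is this host, not the remote peer.
# Caveat: this also drops RSTs the host sends for its own abortive closes.
suppress_rst_ack() {
    ipt -A OUTPUT -p tcp --tcp-flags ALL RST,ACK -j DROP
}

# (b) Stop the SYN instead: keep established traffic, accept new connections
# only to the listed ports, and drop every other SYN before the stack sees it.
# Arguments: allowed TCP ports, e.g. drop_unsolicited_syn 22 443
drop_unsolicited_syn() {
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for port in "$@"; do
        ipt -A INPUT -p tcp --syn --dport "$port" -j ACCEPT
    done
    ipt -A INPUT -p tcp --syn -j DROP
}

# Pick one on a real host; in dry-run mode both are just printed.
suppress_rst_ack
drop_unsolicited_syn 22 443
```

The question's match `--tcp-flags RST,ACK RST,ACK` only inspects those two bits, so it matches any packet with both set regardless of the others; `ALL RST,ACK` pins the rule to the exact flag pattern the kernel sends for a closed port. Either way the OUTPUT rule hides every RST/ACK the host emits, including resets from applications that close a socket abortively, which is why dropping the unsolicited SYN in INPUT is the more usual way to make a closed port look filtered.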