I would like iptables to disallow the sending of a "port closed" (RST ACK) in the OUTPUT chain.
I am not sure if this is correct:
--append OUTPUT --protocol tcp --tcp-flags RST,ACK RST,ACK --jump REJECT --reject-with icmp-host-prohibited
That looks correct. It would be more normal just to block the SYN packets from reaching the service in the first place though, rather than blocking the response like that.
Not sure what effect your rule (if any) actually would have; do a DROP instead of REJECT.
See REJECT vs DROP when using iptables.
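The approach the first answer suggests, as an added example that is not part of the original question or answers: a small POSIX shell script (hypothetical, written for this page) that generates an iptables-restore fragment for the filter table in which the INPUT chain accepts SYNs only to the ports given on the command line and silently drops every other incoming packet. Because the kernel never sees a SYN to a closed port, it never produces the RST/ACK "port closed" reply, so no OUTPUT rule is needed at all. The port list, the loopback and conntrack rules, and the `--apply` flag are assumptions of this example, not anything from the page.

```shell
#!/bin/sh
# Added example, not from the original question or answers.
# Generate an iptables-restore fragment that drops unsolicited SYNs in
# INPUT instead of filtering the outgoing RST/ACK in OUTPUT.
#
# Assumptions (not from the page): loopback and already-established
# traffic must keep working, the filter table is replaced wholesale when
# the ruleset is applied, and iptables-restore is available on the host.

gen_ruleset() {
  # Print an iptables-restore fragment for the filter table.
  # Each argument is a TCP port that should accept new connections.
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]'      # default: drop, so no RST/ACK is ever generated
  printf '%s\n' ':FORWARD DROP [0:0]'
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'   # nothing to filter here; the SYN never arrived
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  for port in "$@"; do
    # Reject anything that is not a plain decimal port number.
    case $port in
      ''|*[!0-9]*) echo "gen_ruleset: bad port '$port'" >&2; return 1 ;;
    esac
    # --syn matches SYN set and ACK/RST/FIN clear, i.e. a new connection attempt.
    printf '%s\n' "-A INPUT -p tcp --dport $port --syn -j ACCEPT"
  done
  # Everything else falls through to the INPUT DROP policy. A scanner sees
  # no reply at all (nmap reports "filtered"), not a RST/ACK ("closed").
  printf '%s\n' 'COMMIT'
}

main() {
  # With --apply (run as root) load the ruleset; otherwise just print it
  # so it can be reviewed or piped into "iptables-restore --test" first.
  if [ "$1" = "--apply" ]; then
    shift
    gen_ruleset "$@" | iptables-restore
  else
    gen_ruleset "$@"
  fi
}

main "$@"
```

Usage: `sh gen_rules.sh 22 80` prints the ruleset; `sh gen_rules.sh 22 80 | iptables-restore --test` checks it parses; `sh gen_rules.sh --apply 22 80` loads it as root. Compared with the rule in the question, note that `--tcp-flags RST,ACK RST,ACK` in OUTPUT matches every RST+ACK the host sends, including resets on ports it legitimately serves, whereas dropping the SYN in INPUT affects only the closed ports.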