Basic iptables question


I just want to know what the difference is between these, as others use them in iptables:




ACCEPT - Accept the traffic, let it pass
DENY - Block the traffic silently
DROP - Block the traffic silently
REJECT - Block the traffic and tell the caller

@TimIgoe When should I use DENY and DROP?

You may want to use CSF for firewall management - it’s a lot, lot simpler than iptables!

I tend to always use DROP rather than DENY, I’m not sure of the exact specifics of why you’d use one and not the other.

DENY actively refuses connections, i.e., it will tell the requester to bugger off. DROP just drops the packet and does not inform the requester of this at all. So the requester will just wait and wait until his timeout (supposing he has one) hits.
DROP is usually better because then the attacker can’t be sure if you’ve used a DROP policy or just don’t have a service running at the requested IP/port, whereas with DENY they know you are but are blocking them. Remember, any information (including information that they are being blocked) can be useful to hackers, so you’d want to give them as little information as possible.

CSF uses iptables at its core. They wrote an interface for it. CSF is not a different firewall from iptables.

Thanks, but I knew that; I was recommending it over raw iptables. It’s really much easier than trying to work out arcane incantations for iptables. It does use iptables underneath.

DENY = REJECT = immediate timeout. The sender gets a TCP RST packet which closes the connection immediately.

DROP = 40 second or so wait for connection failure. The packet is completely ignored.

e.g. I use DROP with spammers; they have to wait for timeouts. (The technique is actually called nolisting, but that is way off topic for this thread.)
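The two answers above describe DROP versus REJECT from the caller's point of view (instant refusal versus a long wait). Here is an added example, not code from any poster in this thread, that shows how to observe that difference from the client side: it attempts a TCP connect and classifies the outcome as accepted, refused (RST came back), dropped (nothing came back before the timeout), or unreachable. It assumes a Linux host and only the Python standard library; the iptables rules quoted in the docstring are constructed for reference and are not executed by the script.

```python
"""Client-side view of ACCEPT vs REJECT vs DROP.

Added example for this thread, not code from any poster. Constructed
reference rules (not executed here) that would produce each verdict on a
server:

    iptables -A INPUT -p tcp --dport 2222 -j DROP
    iptables -A INPUT -p tcp --dport 2223 -j REJECT --reject-with tcp-reset
"""
import socket
import time


def classify_connect(host, port, timeout=2.0):
    """Attempt one TCP connect and report what the caller experiences.

    Returns (verdict, elapsed_seconds), where verdict is one of:
      'accepted'    handshake completed (ACCEPT, something is listening)
      'refused'     RST received at once (REJECT with tcp-reset, or no listener)
      'dropped'     no reply before our timeout (DROP, or a black-holed route)
      'unreachable' the local stack would not even send (no route, etc.)
    """
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        verdict = "accepted"
    except ConnectionRefusedError:
        verdict = "refused"           # peer answered with TCP RST
    except socket.timeout:
        verdict = "dropped"           # SYN went out, nothing ever came back
    except OSError:
        verdict = "unreachable"       # e.g. 'Network is unreachable'
    finally:
        s.close()
    return verdict, time.monotonic() - start


def closed_local_port():
    """Pick a loopback TCP port with no listener (constructed test target)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def run_demo():
    """Probe a live listener and a closed port on loopback; return the verdicts."""
    results = {}

    # A listener on loopback: the kernel completes the handshake itself,
    # so this is what an ACCEPT rule in front of a running service looks like.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    try:
        results["listener"] = classify_connect("127.0.0.1", listener.getsockname()[1])
    finally:
        listener.close()

    # A closed port answers with RST, exactly like REJECT --reject-with tcp-reset:
    # the caller learns immediately that it is being turned away.
    results["closed"] = classify_connect("127.0.0.1", closed_local_port())
    return results


if __name__ == "__main__":
    for name, (verdict, secs) in run_demo().items():
        print(f"{name:9s} -> {verdict:12s} after {secs:.3f}s")
    # TEST-NET-1 (192.0.2.1) is reserved documentation space; with a 3 s cap
    # it typically shows the 'dropped' wait, or 'unreachable' on a host
    # without a default route. Constructed target, result varies by network.
    verdict, secs = classify_connect("192.0.2.1", 80, timeout=3.0)
    print(f"{'testnet':9s} -> {verdict:12s} after {secs:.3f}s")
```

The `timeout` argument is the caller's own cap; without one, a Linux client keeps retransmitting the SYN on a backoff schedule, which is where the roughly 40-second wait mentioned above comes from. From a defender's side this is the trade-off the thread is about: REJECT is friendlier to legitimate clients and your own debugging, DROP gives a scanner nothing to distinguish a filtered port from a dead host.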