This is used to send back an error packet in response to the matched
packet: otherwise it is equivalent to
.B DROP
so it is a terminating TARGET, ending rule traversal.
This target is only valid in the
.BR INPUT ,
.B FORWARD
and
.B OUTPUT
chains, and user-defined chains which are only called from those
chains. The following option controls the nature of the error packet
returned:
.TP
\fB\-\-reject\-with\fP \fItype\fP
The type given can be
\fBicmp6\-no\-route\fP,
\fBno\-route\fP,
\fBicmp6\-adm\-prohibited\fP,
\fBadm\-prohibited\fP,
\fBicmp6\-addr\-unreachable\fP,
\fBaddr\-unreach\fP, or
\fBicmp6\-port\-unreachable\fP,
which return the appropriate ICMPv6 error message (\fBicmp6\-port\-unreachable\fP is
the default). Finally, the option
\fBtcp\-reset\fP
can be used on rules which only match the TCP protocol: this causes a
TCP RST packet to be sent back. This is mainly useful for blocking
.I ident
(113/tcp) probes which frequently occur when sending mail to broken mail
hosts (which won't accept your mail otherwise).
\fBtcp\-reset\fP
can only be used with kernel versions 2.6.14 or later.
.PP
\fIWarning:\fP You should not indiscriminately apply the REJECT target to
packets whose connection state is classified as INVALID; instead, you should
only DROP these.
.PP
Consider a source host transmitting a packet P, with P experiencing so much
delay along its path that the source host issues a retransmission, P_2, with
P_2 being successful in reaching its destination and advancing the connection
state normally. It is conceivable that the late-arriving P may be considered
not to be associated with any connection tracking entry. Generating a reject
response for a packet so classed would then terminate the healthy connection.
.PP
So, instead of:
.PP
-A INPUT ... -j REJECT
.PP
do consider using:
.PP
-A INPUT ... -m conntrack --ctstate INVALID -j DROP
.br
-A INPUT ... -j REJECT
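.PP
The ordering advice above, as an added worked example that is not part of this
manual page or of the iptables project: a POSIX shell script that emits a small
IPv6 INPUT policy in \fBip6tables-restore\fP format with the INVALID drop placed
ahead of every REJECT (tcp-reset for TCP, icmp6-adm-prohibited for the rest),
together with an awk lint that checks an existing iptables-save style ruleset
for that ordering. The accepted services (loopback, ICMPv6, ssh on 22/tcp) are
assumptions chosen for illustration only.

```shell
#!/bin/sh
# Added example, not part of the ip6tables manual page.
# Emits an IPv6 filter ruleset in ip6tables-restore format. The INVALID
# DROP sits before any REJECT so that a late-arriving retransmission is
# silently discarded instead of resetting a healthy connection.
# Assumption (hypothetical policy): accept loopback, ICMPv6 and ssh.
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF
}

# lint_reject_order CHAIN < ruleset
# Reads iptables-save / ip6tables-save formatted rules on stdin.
# Exits 0 if every REJECT rule in CHAIN is preceded by a rule that DROPs
# conntrack state INVALID (either "-m conntrack --ctstate" or the older
# "-m state --state" syntax); otherwise prints each offending rule and
# exits 1.
lint_reject_order() {
    chain="$1"
    awk -v chain="$chain" '
        $1 == "-A" && $2 == chain {
            # Remember once an INVALID -> DROP rule has appeared in this chain.
            if (/--(ct)?state[ \t]+[A-Z,]*INVALID/ && /-j[ \t]+DROP/) { seen = 1 }
            # Any REJECT seen before that point is the pattern the warning describes.
            if (/-j[ \t]+REJECT/ && !seen) {
                print "REJECT before INVALID DROP: " $0
                bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Stand-alone use: lint the generated policy, then print it.
# To load it on a real host (root required): gen_ruleset | ip6tables-restore
if [ "${0##*/}" = "reject-order.sh" ]; then
    gen_ruleset | lint_reject_order INPUT && gen_ruleset
fi
```

Run the lint against a live system with \fBip6tables-save | lint_reject_order INPUT\fP;
a non-zero exit means some REJECT rule in that chain can fire on packets that
conntrack has classified INVALID. The check is per chain, so user-defined chains
called from INPUT need to be linted separately.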