iptables – REJECT target – not accepted as valid target

Eric asked:

Platform: Linux {hostname} 3.13.0-145-generic #194-Ubuntu SMP Thu Apr 5 15:20:44 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

System is not allowing usage of REJECT as --jump target.

According to iptables-extensions, this is valid for IPv4. Also, iptables-extensions is identified as incorporated in iptables for my installed distro per the above.

Does anyone know why this is not working?

Is there a kernel parameter which I must set for that to be accepted? OR … Is there a kernel parameter which, if set, causes DROP to adopt the REJECT stance for all cases?

I am trying to use that REJECT option to figure out why my firewall script is not allowing packets returning from outgoing, or simply not identifying/connecting with remote host for URL target.

The script I am trying to establish for desktop is as follows:

#!/bin/sh

# v0.04  2018-04-25

#============================== Initialize Script ===========================
if [ "${1}" = "-x" ]
then
    set -x
    DENY_MODE="REJECT --reject-with icmp-host-unreachable"
else
    DENY_MODE="DROP"
fi

#
#    Use system-specified command for iptables
#
IPv4=$(which iptables)
IPv6=$(which ip6tables)



#============================== 100 series ==================================
#
#    IPv6 is only allowed on passthru servers, routers or bastion hosts
#    Rule # 100
#    (--policy needs a chain name, so set it on each built-in chain)
for chain in INPUT FORWARD OUTPUT
do
    ${IPv6} --policy ${chain} ${DENY_MODE}
done
${IPv6} --flush
${IPv6} --zero



#
#    Initialize NAT table
#    Rule # 130
#${IPv4} --table nat --policy ACCEPT
${IPv4} --table nat --flush
${IPv4} --table nat --zero



#
#    Initialize MANGLE table
#    Rule # 140
#${IPv4} --table mangle --policy ACCEPT
${IPv4} --table mangle --flush
${IPv4} --table mangle --zero



#
#    FORWARD is only allowed on passthru servers, routers or bastion hosts  -  no logging of dropped FORWARD packets
#    Rule # 150
${IPv4} --policy FORWARD ${DENY_MODE}
${IPv4} --flush FORWARD
${IPv4} --zero FORWARD



#
#    Initialize INPUT chain
#    Rule # 151
#${IPv4} --policy INPUT ACCEPT
${IPv4} --policy INPUT ${DENY_MODE}
${IPv4} --flush INPUT
${IPv4} --zero INPUT



#
#    Initialize OUTPUT chain
#    Rule # 152
${IPv4} --policy OUTPUT ${DENY_MODE}
${IPv4} --flush OUTPUT
${IPv4} --zero OUTPUT



#============================== 400 series ==================================
#
#    All fragmented packets are either unusable or potentially toxic
#    Rule # 400
#${IPv4} --append INPUT --fragment --jump ${DENY_MODE}
#    (NB: with -x this line fails independently of the policy question: the
#     REJECT target is only valid in the filter INPUT, FORWARD and OUTPUT chains
#     and in user chains called from them, not in the raw table's PREROUTING)
${IPv4} --table raw --append PREROUTING --fragment --jump ${DENY_MODE}



#
#    Need DNS for desktop outgoing web requests
#    Rule # 401
${IPv4} --append OUTPUT -o eth0 --protocol udp --dport 53 --jump ACCEPT
${IPv4} --append INPUT  -i eth0 --protocol udp --sport 53 --jump ACCEPT



#
#    FUTURES:  incorporating WAN-based DHCP for dynamic IP assignment
#    Rule # 402
#${IPv4} --append INPUT -p icmp      -s ${DHCP_broker} --jump ACCEPT
#${IPv4} --append INPUT -i ${WAN_IP} -s ${DHCP_broker} --protocol tcp --sport 68 --dport 67 --jump ACCEPT
#${IPv4} --append INPUT -i ${WAN_IP} -s ${DHCP_broker} --protocol udp --sport 68 --dport 67 --jump ACCEPT



#============================== 700 series ==================================
#
#    Allow outgoing internet connections and verify incoming packet state to only allow associated replies
#    Rule 700 - TCP
${IPv4} --flush NOGO_700
${IPv4} --delete-chain NOGO_700
${IPv4} --new-chain NOGO_700
#
${IPv4} --append OUTPUT --protocol tcp --match conntrack   --ctstate NEW,ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT  --protocol tcp --match conntrack   --ctstate ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT  --protocol tcp --match conntrack ! --ctstate ESTABLISHED,RELATED --jump NOGO_700
${IPv4} --append NOGO_700 --jump LOG --log-level 4 --log-prefix "DROP_ESTa:  "
${IPv4} --append NOGO_700 --jump ${DENY_MODE}



#
#    Allow outgoing internet connections and verify incoming packet state to only allow associated replies
#    Rule 701 - UDP
${IPv4} --flush NOGO_701
${IPv4} --delete-chain NOGO_701
${IPv4} --new-chain NOGO_701
#
${IPv4} --append OUTPUT --protocol udp --match conntrack   --ctstate NEW,ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT  --protocol udp --match conntrack   --ctstate ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT  --protocol udp --match conntrack ! --ctstate ESTABLISHED,RELATED --jump NOGO_701
${IPv4} --append NOGO_701 --jump LOG --log-level 4 --log-prefix "DROP_ESTb:  "
${IPv4} --append NOGO_701 --jump ${DENY_MODE}



#
#    Allow outgoing internet connections and verify incoming packet state to only allow associated replies
#    Rule 702 - All others unrelated to protocols
# (Review reasons for not allowing RELATED and implement if warranted)
${IPv4} --flush NOGO_702
${IPv4} --delete-chain NOGO_702
${IPv4} --new-chain NOGO_702
#
${IPv4} --append OUTPUT --match conntrack   --ctstate NEW,ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT  --match conntrack   --ctstate ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT  --match conntrack ! --ctstate ESTABLISHED --jump NOGO_702
${IPv4} --append NOGO_702 --jump LOG --log-level 4 --log-prefix "DROP_ESTc:  "
${IPv4} --append NOGO_702 --jump ${DENY_MODE}






#============================== 200 series ==================================
#
#    Loopback is critical to host internal processes        (FUTURES:  mechanisms to ensure legit traffic only on loopback
#    Rule 200
#  (something wrong here, fallback to basic loopback passthru)
${IPv4} --flush NOGO_200
${IPv4} --delete-chain NOGO_200
${IPv4} --new-chain NOGO_200
${IPv4} --append INPUT -i eth0 -s 127.0.0.0/8  --jump NOGO_200
${IPv4} --append INPUT -i lo ! -s 127.0.0.0/8  --jump NOGO_200
${IPv4} --append INPUT -i lo -s 127.0.0.0/8 --jump ACCEPT
${IPv4} --append NOGO_200 --jump LOG --log-level 4 --log-prefix "DROP_LOOPBACK:  "
${IPv4} --append NOGO_200 --jump ${DENY_MODE}



#============================== 300 series ==================================
#
#    INVALID packets should be ignored
#    Rule 300
${IPv4} --flush NOGO_300
${IPv4} --delete-chain NOGO_300
${IPv4} --new-chain NOGO_300
${IPv4} --append INPUT --match conntrack --ctstate INVALID --jump NOGO_300
${IPv4} --append NOGO_300 --jump LOG --log-level 4 --log-prefix "DROP_INVALID:  "
${IPv4} --append NOGO_300 --jump ${DENY_MODE}



#
#    BOGON packets should be ignored
#    Rule 301
${IPv4} --flush NOGO_301
${IPv4} --delete-chain NOGO_301
${IPv4} --new-chain NOGO_301

#???#    ${IPv4} --append INPUT -i eth0 -s 192.168.0.0/16  --jump NOGO_301        # (C)  Own LAN IP/mask ????

${IPv4} --append INPUT -i eth0 -s 192.0.2.0/24  --jump NOGO_301                    ### ???
#
${IPv4} --append INPUT -i eth0 -s 10.0.0.0/8  --jump NOGO_301        # (A)
${IPv4} --append INPUT -i eth0 -s 172.16.0.0/12  --jump NOGO_301        # (B)
${IPv4} --append INPUT -i eth0 -s 224.0.0.0/4  --jump NOGO_301        # (D MULTICAST)
${IPv4} --append INPUT -i eth0 -s 240.0.0.0/5  --jump NOGO_301        # (E)
#
${IPv4} --append INPUT -i eth0 -s 169.254.0.0/16  --jump NOGO_301                ### ???
${IPv4} --append NOGO_301 --jump LOG --log-level 4 --log-prefix "DROP_BOGON:  "
${IPv4} --append NOGO_301 --jump ${DENY_MODE}








#============================== 900 series ==================================
#
#    Log, then drop, everything that did not match above
#    Rule 999
#        Track ignored INPUT
${IPv4} --append INPUT --jump LOG --log-level 4 --log-prefix "DROP_INPUT:  "
${IPv4} --append INPUT --jump ${DENY_MODE}
#        Track ignored OUTPUT
${IPv4} --append OUTPUT --jump LOG --log-level 4 --log-prefix "DROP_OUTPUT:  "
${IPv4} --append OUTPUT --jump ${DENY_MODE}


#============================== Housekeeping ================================
#
#    Save image of latest ruleset for restore at next reboot
#    Rule 999+
#${IPv4}-save >/dev/null 2>&1
#${IPv6}-save >/dev/null 2>&1


#
#    Display latest ruleset
#    Rule 999+
#${IPv4}  -n -L -v --line-numbers
#${IPv6}  -n -L -v --line-numbers


#===================================================================================
#    END OF PROGRAM
#===================================================================================

exit 0

Thank you in advance for your assistance.

My answer:


You are trying to set the policy for a built-in chain to REJECT --reject-with icmp-host-unreachable. But this is not working.

From the iptables man page:

       -P, --policy chain target
              Set  the policy for the built-in (non-user-defined) chain to the
              given target.  The policy target must be either ACCEPT or DROP.

If you want to reject with a particular ICMP message, you can create a reject rule as the last rule in that chain.

(Also, of course, you really shouldn’t manually build firewalls anymore.)
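As an added example (not part of the answer above, and not the asker's script), here is the corrected deny pattern in the same shell style: the built-in chain policies stay at DROP, the chosen deny mode is used only in the terminal rule of each chain, and a small helper reads the kernel's list of loaded target extensions to confirm REJECT is available. The names IPT, deny_mode, set_policies, deny_tail, target_loaded and build are chosen for this example; IPT defaults to "echo iptables" so the generated rules can be reviewed without root.

```shell
#!/bin/sh
# Added example (not the asker's script): REJECT is an extension target, so it
# can only appear in a rule; a built-in chain's policy is limited to ACCEPT or
# DROP.  IPT defaults to "echo iptables" so the ruleset can be reviewed as an
# unprivileged user; run with IPT=iptables as root to apply it.
IPT="${IPT:-echo iptables}"

# Deny mode for *rules*: REJECT with an ICMP error when called with -x (so a
# blocked connection fails immediately instead of timing out), DROP otherwise.
deny_mode() {
    if [ "${1:-}" = "-x" ]; then
        echo "REJECT --reject-with icmp-host-unreachable"
    else
        echo "DROP"
    fi
}

# Built-in chain policies are what the kernel applies when no rule matched and
# accept only ACCEPT or DROP, so they stay at DROP in both modes.
set_policies() {
    for chain in INPUT FORWARD OUTPUT; do
        ${IPT} --policy "${chain}" DROP
    done
}

# Terminal catch-all for a chain: log, then apply the deny mode.  Appended
# last, this rule does what the REJECT "policy" was meant to do.  REJECT is
# only valid in INPUT, FORWARD, OUTPUT and user chains called from them.
deny_tail() {
    chain="$1"; mode="$2"; prefix="$3"
    ${IPT} --append "${chain}" --jump LOG --log-level 4 --log-prefix "${prefix}"
    ${IPT} --append "${chain}" --jump ${mode}   # unquoted: mode may carry --reject-with
}

# Report whether a target extension is loaded.  The kernel lists loaded
# extension targets (LOG, REJECT, ...) in /proc/net/ip_tables_targets; the
# path is a parameter so the function can be pointed at a constructed file.
# ACCEPT and DROP are built-in verdicts and never appear there.  iptables
# normally autoloads the REJECT module the first time a -j REJECT rule is added.
target_loaded() {
    target="$1"; list="${2:-/proc/net/ip_tables_targets}"
    [ -r "${list}" ] && grep -qx "${target}" "${list}"
}

# Minimal desktop ruleset in the question's layout: loopback, stateful
# replies in, anything out, then the logged deny tail on INPUT and OUTPUT.
build() {
    mode=$(deny_mode "${1:-}")
    set_policies
    ${IPT} --flush
    ${IPT} --append INPUT -i lo --jump ACCEPT
    ${IPT} --append INPUT  --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
    ${IPT} --append OUTPUT --match conntrack --ctstate NEW,ESTABLISHED,RELATED --jump ACCEPT
    deny_tail INPUT  "${mode}" "DROP_INPUT:  "
    deny_tail OUTPUT "${mode}" "DROP_OUTPUT:  "
}

build "$@"
```

Run it as `sh firewall.sh -x` to print the REJECT variant and review it, then `IPT=iptables sh firewall.sh -x` as root to apply it. The change that matters relative to the posted script is that the deny mode never reaches `--policy`: the policy is always DROP, and the REJECT (or DROP) is the last rule of each chain, which is why the -x variant now loads.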


View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.