-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
For this chain (presumably packets inbound to the network), accept any packets that are part of established TCP connections (ie: a SYN packet for the connection has gone out from the network), or related to UDP packets that have gone out through the firewall.
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
Otherwise, reject the packet by sending back an ICMP message telling the remote host that communication with its intended target is administratively prohibited.
HTH Alex Satrapa
