>> You could emulate a REJECT policy by having this as the very last
>> rules:
>>
>> $ipt -A INPUT -p tcp -j REJECT --reject-with tcp-reset
>> $ipt -A INPUT -j REJECT
>>
>> (I thought it was like this..)
>
> What was like what?

Emulating a REJECT policy. If I'm not mistaken a closed TCP port responds
with tcp-reset and others with icmp-port-unreachable (REJECT's default).
If the OP was told to set a REJECT policy, I think it would have been
with this in mind.

>> But, if you dynamically add rules then you have to take care of
>> at/from which position you insert/delete them.
>
> A user-defined chain comes in handy. Jump into it before the REJECT
> rules and add the dynamic rules in it.
>
> iptables -N input
> iptables -A INPUT -j input
> iptables -A INPUT -j REJECT
>
> iptables -A input blah...

Yes, that's how I would do it.
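The layout the replies converge on, as an added example that is not code from the thread: a script that installs the trailing REJECT rules once and keeps every dynamic rule in a user-defined chain, so adding or flushing them never involves rule positions in INPUT. The chain name `dynamic`, the loopback and conntrack ACCEPT rules, and the `IPT` variable (set `IPT=echo` for a dry run that only prints the commands) are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread. IPT defaults to the real binary;
# IPT=echo prints the commands instead of applying them.
IPT="${IPT:-iptables}"

# Static skeleton: ACCEPTs, the jump into the dynamic chain, then the
# two REJECT rules that stand in for a REJECT policy. Order matters:
# the jump must come before the REJECTs or the dynamic rules are dead.
setup_reject_emulation() {
    # Chain name "dynamic" is an assumption (the thread used "input").
    "$IPT" -N dynamic 2>/dev/null || "$IPT" -F dynamic
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -j dynamic
    # Closed TCP ports answer with a reset, like a host with no firewall;
    # everything else gets REJECT's default, icmp-port-unreachable.
    "$IPT" -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    "$IPT" -A INPUT -j REJECT
}

# Dynamic rules only ever touch the user chain, so appending is always
# safe: the chain as a whole sits ahead of the REJECT rules.
allow_tcp_port() {
    "$IPT" -A dynamic -p tcp --dport "$1" -j ACCEPT
}

# Removing all dynamic rules is a flush of the chain, not a hunt for
# rule numbers in INPUT that shift every time something is inserted.
clear_dynamic_rules() {
    "$IPT" -F dynamic
}

# Typical use: setup_reject_emulation; allow_tcp_port 22
```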