
I had an issue similar to "No route to host with nc but can ping".
It was a case where, for certain ports, the (default) iptables rules returned a host-forbidden ICMP packet, which translates to "no route".
I fixed it (removed the rule), but I wonder: why was the default rule set to reject with "no route"? Wouldn't a "connection refused" be clearer?
Does sending connection refused require more resources? Is it a significantly larger packet?

Didi Kohen
    If there isn't a route to even get to the host, you can't determine whether or not the connection would be refused by the remote host. – cutrightjm Aug 25 '22 at 18:24
    There is a route, it is rejected by iptables for a specific port, wasn't I clear enough? – Didi Kohen Aug 26 '22 at 19:04

1 Answer


The REJECT rule you seem to be asking about is defined as:

target      prot opt source               destination
REJECT      all  --  anywhere             anywhere             reject-with icmp-host-prohibited

The advantage of this is that it is one REJECT rule that will work equally with most/all protocols. And since it causes an ICMP of the specific type that means "communication with this host is administratively prohibited", the receiver will be able to recognize that this is a firewall-type administrative block, not just a random network failure or software configuration error. In other words, "This block is not likely to go away without some human action somewhere, so trying again and again is probably futile. Go talk to a network administrator instead if you feel this is not right."

If you wish, you could reject TCP connections with a "connection refused" and everything else with an ICMP, but for that, you would need two rules:

iptables -w -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -w -A INPUT -j REJECT --reject-with icmp-host-prohibited

Sending the "connection refused" TCP ReSeT packets or the ICMP host-prohibited packets already happens at a lower priority by default, so if the system has anything more important to do, those refusal notifications will be among the first to be delayed or skipped altogether. There is no significant difference in packet size between a TCP reset packet and an ICMP error packet.

But if you are still worried about the (minimal) resource usage, you could use a DROP rule to block connections instead: with a DROP rule, the matching packet is just thrown away without sending a response of any kind. This requires the client to wait until timeout to detect that the packets failed to go through, which can make network troubleshooting more annoying.

telcoM
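As an added example (not part of the question or the answer above), a small Python probe that shows how a client perceives each of the three policies the answer compares: a tcp-reset REJECT surfaces as ECONNREFUSED, an icmp-host-prohibited REJECT as EHOSTUNREACH, and DROP as nothing but the client's own timeout. The default host and port are placeholders; the loopback closed-port target used for the demo is constructed locally.

```python
import errno
import socket
import sys

# How a client-side connect() failure maps onto the firewall policies discussed
# above. The kernel turns an incoming TCP RST into ECONNREFUSED and an incoming
# ICMP host-prohibited into EHOSTUNREACH; a DROP rule sends nothing, so the
# client only ever sees its own timer expire.
ERRNO_MAP = {
    errno.ECONNREFUSED: ("refused", "TCP RST: REJECT --reject-with tcp-reset, or no listener"),
    errno.EHOSTUNREACH: ("prohibited", "ICMP host prohibited/unreachable: REJECT --reject-with icmp-host-prohibited"),
    errno.ETIMEDOUT: ("timeout", "no reply at all: DROP rule, or packets lost on the path"),
}


def classify_errno(code):
    """Return (category, explanation) for the errno a failed connect() reported."""
    return ERRNO_MAP.get(code, ("other", f"errno {code}"))


def probe(host, port, timeout=3.0):
    """TCP-connect to host:port and report how the far end (or its firewall) reacted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            # Our own timer expired: on the client side this is indistinguishable from DROP.
            return classify_errno(errno.ETIMEDOUT)
        except OSError as e:
            return classify_errno(e.errno)
    return ("open", "connection accepted")


def closed_local_port():
    """Pick a loopback port with nothing listening (constructed demo target: yields a local RST)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Placeholder target: pass the host and port you are troubleshooting on the command line.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else closed_local_port()
    category, why = probe(host, port)
    print(f"{host}:{port} -> {category}: {why}")
```

Run it against a port behind each rule variant and the category changes from "refused" to "prohibited" to "timeout", which is the troubleshooting difference the answer describes.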