iptables基础（三）：-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited   这条命令的的解释：

从结果上来看，这条规则的作用是拒绝所有
-j REJECT 在iptables帮助文档里面有一下说明This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to 

DROP so it is a terminating TARGET, ending rule traversal. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and user-defined chains which 

are only called from those chains. The following option controls the nature of the error packet returned:
--reject-with type
              The type given can be
               icmp-net-unreachable
               icmp-host-unreachable
               icmp-port-unreachable
               icmp-proto-unreachable
               icmp-net-prohibited
               icmp-host-prohibited or
               icmp-admin-prohibited (*)
我们简单的翻译一下，REJECT 是用来返回一个错误的包来回应匹配包，其他的等价于DROP，所以它是一个拒绝TARGET，在规则的结束。这个TARGET仅仅用在INPUT,FORWARD和

OUTPUT链和用户自定义的链，下列选项是用来定义返回错误的结果的：
The type given can be
               icmp-net-unreachable
               icmp-host-unreachable
               icmp-port-unreachable
               icmp-proto-unreachable
               icmp-net-prohibited
               icmp-host-prohibited or
               icmp-admin-prohibited (*)
从以上，我们可以看出，定义了icmp主机拒绝，返回一个Destination host unreachable错误，但是由于有之前一句的存在，所以能够PING通-A RH-Firewall-1-INPUT -p icmp -

-icmp-type any -j ACCEPT。
这样子，我们就能理解
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

REJECT     all -- anywhere             anywhere            reject-with icmp-host-prohibited 
拒绝所有的anywhere所有端口 icmp-host-prohibited 
下面我们做一个实验：
把其中一条给注释掉
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT 
这样子的话，我们就ping 不通了，而然后把
最下面一条
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited 
把其中 --reject-with 替换成其他的
icmp-net-unreachable
               icmp-host-unreachable
               icmp-port-unreachable
               icmp-proto-unreachable
               icmp-net-prohibited
               icmp-host-prohibited or
               icmp-admin-prohibited (*)
这样子的话，就知道不通的 条件，就会返回不通的包
第一种情况：
注释掉 在/etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT 
然后打开下面的
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
这样子，我们ping包返回的错误结果就是
C:\Documents and Settings\Administrator>ping 172.16.3.101

Pinging 172.16.3.101 with 32 bytes of data:

Reply from 172.16.3.101: Destination host unreachable.
Reply from 172.16.3.101: Destination host unreachable.
Reply from 172.16.3.101: Destination host unreachable.
Reply from 172.16.3.101: Destination host unreachable.
第二种情况
注释掉
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT 
然后打开下面
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-net-unreachable 
在这种情况下返回的错误包是：
C:\Documents and Settings\Administrator>ping 172.16.3.101

Pinging 172.16.3.101 with 32 bytes of data:

Reply from 172.16.3.101: Destination net unreachable.
Reply from 172.16.3.101: Destination net unreachable.
Reply from 172.16.3.101: Destination net unreachable.
Reply from 172.16.3.101: Destination net unreachable.
第三种情况：
注释掉
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
然后打开下面
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-proto-unreachable
这种情况下返回的错误结果为：
C:\Documents and Settings\Administrator>ping 172.16.3.101

Pinging 172.16.3.101 with 32 bytes of data:

Reply from 172.16.3.101: Destination protocol unreachable.
Reply from 172.16.3.101: Destination protocol unreachable.
Reply from 172.16.3.101: Destination protocol unreachable.
Reply from 172.16.3.101: Destination protocol unreachable.
=======================================================
有以上三个实验结果，可以看出
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
这句的意思是拒绝所有的主机切ping包返回的错误结果是有 --reject-with 后面的
icmp-net-unreachable        ICMP network unreachable
    net-unreach                 alias
    icmp-host-unreachable       ICMP host unreachable
    host-unreach                alias
    icmp-proto-unreachable      ICMP protocol unreachable
    proto-unreach               alias
    icmp-port-unreachable       ICMP port unreachable (default)
    port-unreach                alias
    icmp-net-prohibited         ICMP network prohibited
    net-prohib                  alias
    icmp-host-prohibited        ICMP host prohibited
    host-prohib                 alias
    tcp-reset                   TCP RST packet
    tcp-rst                     alias
    icmp-admin-prohibited       ICMP administratively prohibited (*)
    admin-prohib                alias
这些选项控制的，也就是说，--reject-with 的作用是定义 返回错误包的